FKIE_CVE-2022-50661

Vulnerability from fkie_nvd - Published: 2025-12-09 16:17 - Updated: 2025-12-09 18:37
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: seccomp: Move copy_seccomp() to no failure path. Our syzbot instance reported memory leaks in do_seccomp() [0], similar to the report [1]. It shows that we miss freeing struct seccomp_filter and some objects included in it. We can reproduce the issue with the program below [2] which calls one seccomp() and two clone() syscalls. The first clone()d child exits earlier than its parent and sends a signal to kill it during the second clone(), more precisely before the fatal_signal_pending() test in copy_process(). When the parent receives the signal, it has to destroy the embryonic process and return -EINTR to user space. In the failure path, we have to call seccomp_filter_release() to decrement the filter's refcount. Initially, we called it in free_task() called from the failure path, but the commit 3a15fb6ed92c ("seccomp: release filter after task is fully dead") moved it to release_task() to notify user space as early as possible that the filter is no longer used. To keep the change and current seccomp refcount semantics, let's move copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in free_task() for future debugging. [0]: unreferenced object 0xffff8880063add00 (size 256): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ backtrace: do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffffc90000035000 (size 4096): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: __vmalloc_node_range (mm/vmalloc.c:3226) __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4)) bpf_prog_alloc_no_stats (kernel/bpf/core.c:91) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888003fa1000 (size 1024): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888006360240 (size 16): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 16 bytes): 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........ backtrace: bpf_prog_store_orig_filter (net/core/filter.c:1137) bpf_prog_create_from_user (net/core/filter.c:1428) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888 ---truncated---
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nseccomp: Move copy_seccomp() to no failure path.\n\nOur syzbot instance reported memory leaks in do_seccomp() [0], similar\nto the report [1].  It shows that we miss freeing struct seccomp_filter\nand some objects included in it.\n\nWe can reproduce the issue with the program below [2] which calls one\nseccomp() and two clone() syscalls.\n\nThe first clone()d child exits earlier than its parent and sends a\nsignal to kill it during the second clone(), more precisely before the\nfatal_signal_pending() test in copy_process().  When the parent receives\nthe signal, it has to destroy the embryonic process and return -EINTR to\nuser space.  In the failure path, we have to call seccomp_filter_release()\nto decrement the filter\u0027s refcount.\n\nInitially, we called it in free_task() called from the failure path, but\nthe commit 3a15fb6ed92c (\"seccomp: release filter after task is fully\ndead\") moved it to release_task() to notify user space as early as possible\nthat the filter is no longer used.\n\nTo keep the change and current seccomp refcount semantics, let\u0027s move\ncopy_seccomp() just after the signal check and add a WARN_ON_ONCE() in\nfree_task() for future debugging.\n\n[0]:\nunreferenced object 0xffff8880063add00 (size 256):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.914s)\n  hex dump (first 32 bytes):\n    01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................\n    ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................\n  backtrace:\n    do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffffc90000035000 (size 4096):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    __vmalloc_node_range (mm/vmalloc.c:3226)\n    __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4))\n    bpf_prog_alloc_no_stats (kernel/bpf/core.c:91)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888003fa1000 (size 1024):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace:\n    bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95)\n    bpf_prog_alloc (kernel/bpf/core.c:129)\n    bpf_prog_create_from_user (net/core/filter.c:1414)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888006360240 (size 16):\n  comm \"repro_seccomp\", pid 230, jiffies 4294687090 (age 9.915s)\n  hex dump (first 16 bytes):\n    01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff  ..7.verl........\n  backtrace:\n    bpf_prog_store_orig_filter (net/core/filter.c:1137)\n    bpf_prog_create_from_user (net/core/filter.c:1428)\n    do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991)\n    do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80)\n    entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120)\nunreferenced object 0xffff888\n---truncated---"
    }
  ],
  "id": "CVE-2022-50661",
  "lastModified": "2025-12-09T18:37:13.640",
  "metrics": {},
  "published": "2025-12-09T16:17:17.757",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/29a69fa075d0577eff1137426669de21187ec182"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/5b81f0c6c60e35bf8153230ddfb03ebb14e17986"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a1140cb215fa13dcec06d12ba0c3ee105633b7c4"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/a31a647a3d1073a642c5bbe3457731fb353cb980"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/d4a895e924b486f2a38463114509e1088ef4d7f5"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.