GHSA-WCM6-H78P-R673

Vulnerability from github – Published: 2025-12-09 03:31 – Updated: 2025-12-09 03:31
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

ppp: associate skb with a device at tx

Syzkaller triggered flow dissector warning with the following:

r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)

[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 [ 9.485929] skb_get_poff+0x53/0xa0 [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 [ 9.485944] ? ppp_send_frame+0xc2/0x5b0 [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 [ 9.485968] ? ppp_xmit_process+0x5b/0xb0 [ 9.485974] ? ppp_write+0x12a/0x190 [ 9.485981] ? do_iter_write+0x18e/0x2d0 [ 9.485987] ? __import_iovec+0x30/0x130 [ 9.485997] ? do_pwritev+0x1b6/0x240 [ 9.486016] ? trace_hardirqs_on+0x47/0x50 [ 9.486023] ? __x64_sys_pwritev+0x24/0x30 [ 9.486026] ? do_syscall_64+0x3d/0x80 [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd

Flow dissector tries to find skb net namespace either via device or via socket. Neigher is set in ppp_send_frame, so let's manually use ppp->dev.

Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-50655"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-09T01:16:48Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nppp: associate skb with a device at tx\n\nSyzkaller triggered flow dissector warning with the following:\n\nr0 = openat$ppp(0xffffffffffffff9c, \u0026(0x7f0000000000), 0xc0802, 0x0)\nioctl$PPPIOCNEWUNIT(r0, 0xc004743e, \u0026(0x7f00000000c0))\nioctl$PPPIOCSACTIVE(r0, 0x40107446, \u0026(0x7f0000000240)={0x2, \u0026(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]})\npwritev(r0, \u0026(0x7f0000000040)=[{\u0026(0x7f0000000140)=\u0027\\x00!\u0027, 0x2}], 0x1, 0x0, 0x0)\n\n[    9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0\n[    9.485929]  skb_get_poff+0x53/0xa0\n[    9.485937]  bpf_skb_get_pay_offset+0xe/0x20\n[    9.485944]  ? ppp_send_frame+0xc2/0x5b0\n[    9.485949]  ? _raw_spin_unlock_irqrestore+0x40/0x60\n[    9.485958]  ? __ppp_xmit_process+0x7a/0xe0\n[    9.485968]  ? ppp_xmit_process+0x5b/0xb0\n[    9.485974]  ? ppp_write+0x12a/0x190\n[    9.485981]  ? do_iter_write+0x18e/0x2d0\n[    9.485987]  ? __import_iovec+0x30/0x130\n[    9.485997]  ? do_pwritev+0x1b6/0x240\n[    9.486016]  ? trace_hardirqs_on+0x47/0x50\n[    9.486023]  ? __x64_sys_pwritev+0x24/0x30\n[    9.486026]  ? do_syscall_64+0x3d/0x80\n[    9.486031]  ? entry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nFlow dissector tries to find skb net namespace either via device\nor via socket. Neigher is set in ppp_send_frame, so let\u0027s manually\nuse ppp-\u003edev.",
  "id": "GHSA-wcm6-h78p-r673",
  "modified": "2025-12-09T03:31:10Z",
  "published": "2025-12-09T03:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50655"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/148dcbd3af039ae39c3af697a3183008c7995805"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/30f186978e87bef2f22ed349010d3e23271e8d44"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7da524781c531ebaf2f94c9dc4c541b82edecfed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9f225444467b98579cf28d94f4ad053460dfdb84"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/c2a698ff156974908308f42cf5991ab5c0c4b8cd"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e387a25552951802102e279931d6f7dd2ecc34c1"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ee678b1f52f9439e930db2db3fd7e345d03e1a50"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.