CVE-2022-49372

{"id": "CVE-2022-49372", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-26T07:01:13.870", "references": [{"url": "https://git.kernel.org/stable/c/0a0f7f84148445c9f02f226928803a870139d820", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0a375c822497ed6ad6b5da0792a12a6f1af10c0b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3db889f883e65bbd3b1401279bfc1e9ed255c481", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/58bd38cbc961fd799842b7be8c5222310f04b908", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/88cd232146207ff1d41dededed5e77c0d4438113", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/bdc28a8fb43cc476e33b11519235adb816ce00e8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c348b0f8d035fc4bdc040796889beec7218bd1b8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d05c2fdf8e10528bb6751bd95243e862d5402a9b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d8e1bc6029acac796293310aacef7b7336f35b6a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: tcp_rtx_synack() can be called from process context\n\nLaurent reported the enclosed report [1]\n\nThis bug triggers with following coditions:\n\n0) Kernel built with CONFIG_DEBUG_PREEMPT=y\n\n1) A new passive FastOpen TCP socket is created.\n This FO socket waits for an ACK coming from client to be a complete\n ESTABLISHED one.\n2) A socket operation on this socket goes through lock_sock()\n release_sock() dance.\n3) While the socket is owned by the user in step 2),\n a retransmit of the SYN is received and stored in socket backlog.\n4) At release_sock() time, the socket backlog is processed while\n in process context.\n5) A SYNACK packet is cooked in response of the SYN retransmit.\n6) -> tcp_rtx_synack() is called in process context.\n\nBefore blamed commit, tcp_rtx_synack() was always called from BH handler,\nfrom a timer handler.\n\nFix this by using TCP_INC_STATS() & NET_INC_STATS()\nwhich do not assume caller is in non preemptible context.\n\n[1]\nBUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180\ncaller is tcp_rtx_synack.part.0+0x36/0xc0\nCPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1\nHardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021\nCall Trace:\n <TASK>\n dump_stack_lvl+0x48/0x5e\n check_preemption_disabled+0xde/0xe0\n tcp_rtx_synack.part.0+0x36/0xc0\n tcp_rtx_synack+0x8d/0xa0\n ? kmem_cache_alloc+0x2e0/0x3e0\n ? apparmor_file_alloc_security+0x3b/0x1f0\n inet_rtx_syn_ack+0x16/0x30\n tcp_check_req+0x367/0x610\n tcp_rcv_state_process+0x91/0xf60\n ? get_nohz_timer_target+0x18/0x1a0\n ? lock_timer_base+0x61/0x80\n ? preempt_count_add+0x68/0xa0\n tcp_v4_do_rcv+0xbd/0x270\n __release_sock+0x6d/0xb0\n release_sock+0x2b/0x90\n sock_setsockopt+0x138/0x1140\n ? __sys_getsockname+0x7e/0xc0\n ? aa_sk_perm+0x3e/0x1a0\n __sys_setsockopt+0x198/0x1e0\n __x64_sys_setsockopt+0x21/0x30\n do_syscall_64+0x38/0xc0\n entry_SYSCALL_64_after_hwframe+0x44/0xae"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: tcp_rtx_synack() puede ser llamado desde el contexto del proceso Laurent report\u00f3 el informe adjunto [1] Este error se activa con las siguientes condiciones: 0) Kernel construido con CONFIG_DEBUG_PREEMPT=y 1) Se crea un nuevo socket TCP FastOpen pasivo. Este socket FO espera un ACK proveniente del cliente para ser un ACK ESTABLISHED completo. 2) Una operaci\u00f3n de socket en este socket pasa por el baile lock_sock() release_sock(). 3) Mientras el socket es propiedad del usuario en el paso 2), se recibe una retransmisi\u00f3n del SYN y se almacena en el backlog del socket. 4) En el momento release_sock(), el backlog del socket se procesa mientras est\u00e1 en el contexto del proceso. 5) Se cocina un paquete SYNACK en respuesta a la retransmisi\u00f3n de SYN. 6) -&gt; tcp_rtx_synack() se llama en el contexto del proceso. Antes de el commit con culpa, tcp_rtx_synack() siempre se llamaba desde el controlador BH, desde un controlador de temporizador. Corrija esto usando TCP_INC_STATS() y NET_INC_STATS() que no asumen que el llamador est\u00e1 en un contexto no preemptible. [1] BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 caller is tcp_rtx_synack.part.0+0x36/0xc0 CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 Call Trace: dump_stack_lvl+0x48/0x5e check_preemption_disabled+0xde/0xe0 tcp_rtx_synack.part.0+0x36/0xc0 tcp_rtx_synack+0x8d/0xa0 ? kmem_cache_alloc+0x2e0/0x3e0 ? apparmor_file_alloc_security+0x3b/0x1f0 inet_rtx_syn_ack+0x16/0x30 tcp_check_req+0x367/0x610 tcp_rcv_state_process+0x91/0xf60 ? get_nohz_timer_target+0x18/0x1a0 ? lock_timer_base+0x61/0x80 ? preempt_count_add+0x68/0xa0 tcp_v4_do_rcv+0xbd/0x270 __release_sock+0x6d/0xb0 release_sock+0x2b/0x90 sock_setsockopt+0x138/0x1140 ? __sys_getsockname+0x7e/0xc0 ? aa_sk_perm+0x3e/0x1a0 __sys_setsockopt+0x198/0x1e0 __x64_sys_setsockopt+0x21/0x30 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae "}], "lastModified": "2025-10-21T12:16:14.243", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4A2A9B69-3889-420C-8241-A21143513C14", "versionEndExcluding": "4.9.318", "versionStartIncluding": "3.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D6823775-2653-4644-A0D4-4E6E68F10C65", "versionEndExcluding": "4.14.283", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B8CFA0F4-2D75-41F4-9753-87944A08B53B", "versionEndExcluding": "4.19.247", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3EC49633-14DE-4EBD-BB80-76AE2E3EABB9", "versionEndExcluding": "5.4.198", "versionStartIncluding": "4.20"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1B42AA01-44D8-4572-95E6-FF8E374CF9C5", "versionEndExcluding": "5.10.122", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FC042EE3-4864-4325-BE0B-4BCDBF11AA61", "versionEndExcluding": "5.15.47", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "53E7AA2E-2FB4-45CA-A22B-08B4EDBB51AD", "versionEndExcluding": "5.17.15", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA6D643C-6D6A-4821-8A8D-B5776B8F0103", "versionEndExcluding": "5.18.4", "versionStartIncluding": "5.18"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}