CVE-2022-49142 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
net: preserve skb_end_offset() in skb_unclone_keeptruesize()
syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1]
I was able to root cause the issue to kfence.
When kfence is in action, the following assertion is no longer true:
    int size = xxxx;
    void *ptr1 = kmalloc(size, gfp);
    void *ptr2 = kmalloc(size, gfp);
    if (ptr1 && ptr2)
        ASSERT(ksize(ptr1) == ksize(ptr2));
We attempted to fix these issues in the blamed commits, but forgot that TCP was possibly shifting data after skb_unclone_keeptruesize() has been used, notably from tcp_retrans_try_collapse().
So we not only need to keep the same skb->truesize value, we also need to make sure TCP won't fill new tailroom that pskb_expand_head() was able to get from an addr = kmalloc(...) followed by ksize(addr).
Split skb_unclone_keeptruesize() into two parts:
1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned.
2) Out of line __skb_unclone_keeptruesize() for the 'slow path'.
WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Modules linked in:
CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295
Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa
RSP: 0018:ffffc900063af268 EFLAGS: 00010293
RAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000
RDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003
RBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000
R10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8
R13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155
FS:  00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]
 tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630
 tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914
 tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025
 tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947
 tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719
 sk_backlog_rcv include/net/sock.h:1037 [inline]
 __release_sock+0x134/0x3b0 net/core/sock.c:2779
 release_sock+0x54/0x1b0 net/core/sock.c:3311
 sk_wait_data+0x177/0x450 net/core/sock.c:2821
 tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457
 tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572
 inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850
 sock_recvmsg_nosec net/socket.c:948 [inline]
 sock_recvmsg net/socket.c:966 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
 ___sys_recvmsg+0x127/0x200 net/socket.c:2674
 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
Analysis
by VulDB Data Team • 12/12/2025
The vulnerability described in CVE-2022-49142 affects the Linux kernel networking subsystem and stems from a flaw in how socket buffer (skb) cloning and memory management interact, particularly when kfence memory debugging is enabled. It manifests as a kernel warning from the WARN_ON_ONCE(delta < len) check in skb_try_coalesce(), which is part of the network core's packet handling logic. The root cause lies in how skb->truesize is handled during uncloning: TCP can still shift data into the buffer after skb_unclone_keeptruesize() has been invoked. The issue was found by syzbot, an automated fuzzer, and is classified under CWE-129, which relates to improper validation of array indices, since the kernel's accounting for cloned packet buffers becomes inconsistent. The problem surfaces when kfence is active, because the assumption that ksize() returns the same value for two allocations of the same requested size no longer holds; a reallocated buffer can then be larger than its accounting assumes, creating the conditions for memory corruption.
The technical flaw occurs because the skb_unclone_keeptruesize() function was not adequately accounting for the fact that TCP code paths such as tcp_retrans_try_collapse() may shift data after the uncloning operation. This leads to a scenario where the original skb->truesize value is preserved, but TCP can still fill newly allocated tailroom that was previously obtained through pskb_expand_head() calls. The fix implemented involves splitting the skb_unclone_keeptruesize() function into two distinct parts to handle both common and edge cases efficiently. The common path is inlined for performance, while the more complex 'slow path' is handled by a separate out-of-line function. This approach ensures that when an skb is not cloned, the operation can proceed efficiently, but when cloning is involved, the system properly handles the additional complexity without corrupting memory structures. The fix directly addresses the kernel warning that occurs at net/core/skbuff.c:5295 in the skb_try_coalesce() function, which is part of the TCP input processing pipeline and is critical for maintaining network packet integrity. The vulnerability is particularly dangerous because it can lead to memory corruption that may be exploited to escalate privileges or cause system crashes, making it a high-severity issue in kernel security.
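The interaction described in the summary and in the paragraph above (ksize() slack turning into tailroom that TCP then fills, while truesize still reflects the old buffer) can be shown in a small userspace model. This is an added example, not kernel code: the struct layout, the SKB_OVERHEAD constant, the slab size-class rounding, the kfence exact-size rule and the byte counts (1000, 600, 420) are all constructed for illustration, and the "fixed" branch is modelled on the split described in the commit message rather than copied from it.

```c
/* Userspace model of the tailroom bug fixed by this commit. Added example,
 * not kernel code: the struct, SKB_OVERHEAD, the slab/kfence size rules and
 * the byte counts are constructed for illustration. */
#include <stdlib.h>
#include <string.h>

#define SKB_OVERHEAD 256u  /* stands in for the fixed part of SKB_TRUESIZE() */

struct skb {
    unsigned char *head;
    unsigned int tail;     /* payload occupies [0, tail) */
    unsigned int end;      /* skb_end_offset(): size of the linear buffer */
    unsigned int truesize; /* memory charged to the socket */
    int cloned;
};

/* kmalloc()+ksize() model: slab rounds up to a power-of-two size class,
 * kfence hands out an exact-size object, so ksize() of two allocations of
 * the same size can differ, as the commit message observes. */
static unsigned int model_ksize(unsigned int size, int from_kfence)
{
    unsigned int k = 32;
    if (from_kfence)
        return size;
    while (k < size)
        k <<= 1;
    return k;
}

static unsigned int skb_tailroom(const struct skb *skb) { return skb->end - skb->tail; }

static void skb_init(struct skb *skb, unsigned int size, unsigned int len, int from_kfence)
{
    unsigned int got = model_ksize(size, from_kfence);
    skb->head = calloc(got, 1);
    skb->tail = len;
    skb->end = got;
    skb->truesize = SKB_OVERHEAD + got;
    skb->cloned = 1;  /* a clone exists, so TCP must unclone before writing */
}

/* pskb_expand_head(skb, 0, 0, gfp): give skb a private head. As in the
 * kernel, the new buffer is sized by ksize() and truesize grows with it. */
static int pskb_expand_head(struct skb *skb, int from_kfence)
{
    unsigned int nsize = model_ksize(skb->end, from_kfence);
    unsigned char *nhead = calloc(nsize, 1);
    if (!nhead)
        return -1;
    memcpy(nhead, skb->head, skb->tail);
    free(skb->head);
    skb->head = nhead;
    skb->truesize += nsize - skb->end;
    skb->end = nsize;
    skb->cloned = 0;
    return 0;
}

/* Before the fix: restore truesize only, so end (and tailroom) may grow.
 * After the fix (modelled on the out-of-line slow path): also pin
 * skb_end_offset() back, so no new tailroom appears. The kernel additionally
 * relocates skb_shinfo() when it does this; this model has no shinfo. */
static int skb_unclone_keeptruesize(struct skb *skb, int from_kfence, int fixed)
{
    unsigned int saved_truesize = skb->truesize, saved_end = skb->end;
    if (!skb->cloned)
        return 0;  /* common, inlined path: nothing to do */
    if (pskb_expand_head(skb, from_kfence))
        return -1;
    skb->truesize = saved_truesize;
    if (fixed)
        skb->end = saved_end;
    return 0;
}

/* tcp_retrans_try_collapse()-style shift: append n bytes if they fit. */
static int tcp_shift_into(struct skb *skb, unsigned int n)
{
    if (n > skb_tailroom(skb))
        return 0;
    memset(skb->head + skb->tail, 'x', n);
    skb->tail += n;
    return 1;
}

/* The skb_try_coalesce() check: truesize minus fixed overhead must cover
 * the linear data, otherwise WARN_ON_ONCE(delta < len) fires. */
static int coalesce_accounting_ok(const struct skb *skb)
{
    return skb->truesize - SKB_OVERHEAD >= skb->tail;
}

/* Scenario from the report: buffer originally from kfence (exact 1000
 * bytes, 600 used), private copy from slab (rounded up to 1024). */
static void setup(struct skb *skb, int fixed)
{
    skb_init(skb, 1000, 600, 1 /* kfence */);
    skb_unclone_keeptruesize(skb, 0 /* slab */, fixed);
}

static unsigned int tailroom_after_unclone(int fixed)
{
    struct skb skb;
    unsigned int room;
    setup(&skb, fixed);
    room = skb_tailroom(&skb);  /* 424 before the fix, 400 after */
    free(skb.head);
    return room;
}

static int accounting_ok_after_shift(int fixed)
{
    struct skb skb;
    int ok;
    setup(&skb, fixed);
    tcp_shift_into(&skb, 420);  /* > 400 original tailroom, <= 424 inflated one */
    ok = coalesce_accounting_ok(&skb);  /* 0 before the fix, 1 after */
    free(skb.head);
    return ok;
}
```

The unfixed path ends with 1020 bytes of data charged as if the buffer were still 1000 bytes, which is exactly the delta < len condition the warning reports; the fixed path refuses the 420-byte shift because the tailroom was pinned back to its pre-unclone value.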
The operational impact of this vulnerability is significant for systems running Linux kernels with networking workloads, especially those utilizing TCP connections or memory debugging features like kfence. When triggered, the vulnerability causes kernel panics through the WARN_ON_ONCE assertion failure, leading to system instability and potential denial of service. The issue affects TCP retransmission handling and packet coalescing operations, which are fundamental to network performance and reliability. Systems with memory debugging enabled or under heavy TCP traffic are most susceptible to exploitation, as the timing and memory layout issues become more pronounced. The vulnerability also impacts the broader network stack since it affects the core packet buffer management that underpins all network operations. The ATT&CK framework would categorize this under T1068, which involves exploitation of a remote service, and T1547, which involves boot or logon process manipulation, as successful exploitation could allow for privilege escalation or system compromise. Organizations using Linux-based systems in production environments should prioritize patching this vulnerability, particularly those running kernel versions that include the affected code paths.
The mitigation strategy for CVE-2022-49142 centers on applying the kernel patch that splits the skb_unclone_keeptruesize() function into inline and out-of-line components. This ensures that the truesize value is properly maintained during uncloning operations while preventing TCP code paths from corrupting the memory layout. System administrators should update to kernel versions that include this fix, which typically means upgrading to kernel versions 5.18 or later where the vulnerability has been addressed. For systems where kernel updates are not immediately possible, monitoring for kernel warnings related to skb_try_coalesce and tcp_retrans_try_collapse operations can help detect potential exploitation attempts. The fix also includes improved memory management practices that prevent the specific assertion failure that was triggering the kernel panic. Organizations should also consider disabling kfence in production environments if it's not actively being used for debugging purposes, as this feature was instrumental in exposing the vulnerability. Network monitoring tools should be configured to alert on unusual TCP retransmission patterns or kernel memory warnings that might indicate exploitation attempts. The vulnerability highlights the importance of thorough testing of memory management operations in kernel space, particularly when debugging features like kfence are enabled, as these can expose latent race conditions and memory corruption issues that would not normally manifest under normal operating conditions.