CVE-2022-49209 in Linux

Summary

by MITRE • 02/26/2025

In the Linux kernel, the following vulnerability has been resolved:

bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full

If tcp_bpf_sendmsg() is running while sk msg is full and sk_msg_alloc() returns an -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial memory has been allocated by sk_msg_alloc(), that is, msg_tx->sg.size is greater than osize after sk_msg_alloc(), a memleak occurs. To fix this, we use sk_msg_trim() to release the allocated memory, then goto wait_for_memory.

Other call paths of sk_msg_alloc() have a similar issue, such as tls_sw_sendmsg(), so handle the sk_msg_trim logic inside sk_msg_alloc(), as Cong Wang suggested.

This issue can cause the following info:

WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0
Call Trace:
 inet_csk_destroy_sock+0x55/0x110
 __tcp_close+0x279/0x470
 tcp_close+0x1f/0x60
 inet_release+0x3f/0x80
 __sock_release+0x3d/0xb0
 sock_close+0x11/0x20
 __fput+0x92/0x250
 task_work_run+0x6a/0xa0
 do_exit+0x33b/0xb60
 do_group_exit+0x2f/0xa0
 get_signal+0xb6/0x950
 arch_do_signal_or_restart+0xac/0x2a0
 exit_to_user_mode_prepare+0xa9/0x200
 syscall_exit_to_user_mode+0x12/0x30
 do_syscall_64+0x46/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

WARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 kthread+0xe6/0x110
 ret_from_fork+0x22/0x30


Analysis

by VulDB Data Team • 04/17/2025

The vulnerability described in CVE-2022-49209 resides within the Linux kernel's implementation of Berkeley Packet Filter (BPF) and socket map functionality, specifically affecting the tcp_bpf_sendmsg() function. This flaw represents a memory leak condition that occurs under specific operational circumstances involving socket message allocation and handling. The issue manifests when tcp_bpf_sendmsg() attempts to send data through a socket while the socket's message buffer is already at capacity, creating a scenario where memory allocation fails but cleanup operations are incomplete.

The technical root cause stems from improper memory management within the socket message allocation pathway. When sk_msg_alloc() returns an -ENOMEM error due to insufficient memory, the tcp_bpf_sendmsg() function enters a wait_for_memory state. However, if partial memory allocation has already occurred, where msg_tx->sg.size exceeds the original size osize after sk_msg_alloc() completes, the allocated memory remains unreleased. This situation directly violates the memory management principles outlined in CWE-401, which addresses improper handling of memory allocation failures. The function fails to properly release previously allocated memory segments before proceeding to the memory wait state, leading to a memory leak that accumulates over time.

The operational impact of this vulnerability extends beyond simple memory consumption, potentially leading to system instability and performance degradation. The call trace demonstrates the cascading effects of this memory leak through the kernel's networking stack, particularly highlighting issues in inet_csk_destroy_sock and inet_sock_destruct functions. These memory leaks can accumulate during high-volume network operations, especially in environments where BPF programs are actively managing socket communications. The vulnerability affects systems running Linux kernel versions where the BPF socket map functionality is enabled, making it particularly concerning for network-intensive applications and services that rely heavily on kernel networking capabilities.

The fix addresses the core memory management issue by using sk_msg_trim() to release the partially allocated memory segments before entering the wait_for_memory state. This solution aligns with the approach suggested by Cong Wang and follows established kernel development practices for handling memory allocation failures. Because other callers of sk_msg_alloc(), such as tls_sw_sendmsg(), have the same problem, the patch places the trim logic inside sk_msg_alloc() itself so that every call path is covered. This approach directly addresses the ATT&CK technique T1484.001, which involves privilege escalation through kernel-level memory corruption, as the vulnerability could potentially be exploited to exhaust system memory resources. The mitigation strategy emphasizes proper resource cleanup and memory management within kernel networking subsystems, following security best practices for preventing resource exhaustion attacks that could lead to denial of service conditions.
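To make the root cause and the fix concrete, the following is an added, self-contained C model written for this page; it is not kernel code and not part of the advisory. It models sk_msg_alloc() as a loop that appends page-sized chunks from a constructed memory budget (standing in for sk_page_frag_refill() failing), sk_msg_trim() as tail truncation, and the fixed allocator as "remember the size at entry, trim back to it on -ENOMEM", which is the logic the commit moved into sk_msg_alloc(). The scenario function, the page budget, and all names other than the kernel functions referenced in the text are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENOMEM 12
#define MSG_PAGE_SIZE 4096
#define MAX_SG 8

/* Minimal stand-in for struct sk_msg: a scatterlist of page chunks plus
 * the running byte count that the advisory calls msg_tx->sg.size. */
struct sg_entry { void *page; size_t len; };
struct sk_msg {
    struct sg_entry sg[MAX_SG];
    int sg_end;      /* entries in use */
    size_t sg_size;  /* bytes attached to the message */
};

/* Constructed memory budget standing in for the socket's send buffer
 * (in the kernel this corresponds to sk_page_frag_refill() failing). */
static size_t budget_remaining;

static void *page_alloc(void) {
    if (budget_remaining < MSG_PAGE_SIZE) return NULL;
    budget_remaining -= MSG_PAGE_SIZE;
    return calloc(1, MSG_PAGE_SIZE);
}
static void page_free(void *p) { budget_remaining += MSG_PAGE_SIZE; free(p); }

/* Model of sk_msg_alloc() before the fix: appends page chunks until `len`
 * extra bytes are attached. When memory runs out it returns -ENOMEM, but the
 * chunks already appended stay on the message, so sg_size has grown past
 * what the caller started with (the partial allocation the advisory describes). */
static int sk_msg_alloc_unfixed(struct sk_msg *msg, size_t len) {
    while (len > 0) {
        if (msg->sg_end == MAX_SG) return -ENOMEM;
        void *p = page_alloc();
        if (!p) return -ENOMEM;
        size_t use = len < MSG_PAGE_SIZE ? len : MSG_PAGE_SIZE;
        msg->sg[msg->sg_end].page = p;
        msg->sg[msg->sg_end].len = use;
        msg->sg_end++;
        msg->sg_size += use;
        len -= use;
    }
    return 0;
}

/* Model of sk_msg_trim(): drop chunks from the tail until the message holds
 * at most `size` bytes, returning their memory to the budget. */
static void sk_msg_trim(struct sk_msg *msg, size_t size) {
    while (msg->sg_size > size && msg->sg_end > 0) {
        struct sg_entry *e = &msg->sg[msg->sg_end - 1];
        if (msg->sg_size - e->len >= size) {      /* whole chunk is surplus */
            page_free(e->page);
            msg->sg_size -= e->len;
            msg->sg_end--;
        } else {                                  /* shrink the last chunk */
            e->len -= msg->sg_size - size;
            msg->sg_size = size;
        }
    }
}

/* Model of the fixed sk_msg_alloc(): record the size at entry and trim back
 * to it on -ENOMEM, so a caller that jumps to wait_for_memory leaves nothing
 * behind. Doing this inside the allocator covers every caller at once. */
static int sk_msg_alloc_fixed(struct sk_msg *msg, size_t len) {
    size_t osize = msg->sg_size;
    int ret = sk_msg_alloc_unfixed(msg, len);
    if (ret == -ENOMEM)
        sk_msg_trim(msg, osize);
    return ret;
}

/* Constructed scenario mirroring the advisory: the send buffer has room for
 * three pages, one page is already queued, and a sendmsg step asks for three
 * more. Only two can be attached before -ENOMEM. Returns how many bytes stay
 * attached beyond osize when the caller reaches wait_for_memory: the leaked
 * amount on the unfixed path, zero once the trim is in place. */
static long leaked_bytes_after_enomem(int use_fix) {
    struct sk_msg msg;
    memset(&msg, 0, sizeof msg);
    budget_remaining = 3 * MSG_PAGE_SIZE;

    sk_msg_alloc_unfixed(&msg, MSG_PAGE_SIZE);     /* data already queued */
    size_t osize = msg.sg_size;                    /* tcp_bpf_sendmsg's osize */

    int err = use_fix ? sk_msg_alloc_fixed(&msg, 3 * MSG_PAGE_SIZE)
                      : sk_msg_alloc_unfixed(&msg, 3 * MSG_PAGE_SIZE);
    long leaked = (err == -ENOMEM) ? (long)(msg.sg_size - osize) : -1;

    sk_msg_trim(&msg, 0);                          /* release everything */
    return leaked;
}

int main(void) {
    printf("unfixed: %ld bytes left attached after -ENOMEM\n", leaked_bytes_after_enomem(0));
    printf("fixed:   %ld bytes left attached after -ENOMEM\n", leaked_bytes_after_enomem(1));
    return 0;
}
```

The unfixed path reports two pages (8192 bytes) still attached beyond osize when the caller goes to wait for memory; the fixed path reports zero. The kernel's accounting mismatch that produces the sk_stream_kill_queues and inet_sock_destruct warnings in the summary is exactly this gap between what the message claims to hold and what the caller believes it queued.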

Responsible

Linux

Reservation

02/26/2025

Disclosure

02/26/2025

Moderation

accepted

CPE

ready

EPSS

0.00247

KEV

no

Activities

very low
