CVE-2022-49877 in Linux
Summary
by MITRE • 05/01/2025
In the Linux kernel, the following vulnerability has been resolved:
bpf, sockmap: Fix the sk->sk_forward_alloc warning of sk_stream_kill_queues
When running `test_sockmap` selftests, the following warning appears:
WARNING: CPU: 2 PID: 197 at net/core/stream.c:205 sk_stream_kill_queues+0xd3/0xf0 Call Trace: <TASK> inet_csk_destroy_sock+0x55/0x110 tcp_rcv_state_process+0xd28/0x1380 ? tcp_v4_do_rcv+0x77/0x2c0 tcp_v4_do_rcv+0x77/0x2c0 __release_sock+0x106/0x130 __tcp_close+0x1a7/0x4e0 tcp_close+0x20/0x70 inet_release+0x3c/0x80 __sock_release+0x3a/0xb0 sock_close+0x14/0x20 __fput+0xa3/0x260 task_work_run+0x59/0xb0 exit_to_user_mode_prepare+0x1b3/0x1c0 syscall_exit_to_user_mode+0x19/0x50 do_syscall_64+0x48/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae
The root case is in commit 84472b436e76 ("bpf, sockmap: Fix more uncharged while msg has more_data"), where I used msg->sg.size to replace the tosend, causing breakage:
if (msg->apply_bytes && msg->apply_bytes < tosend) tosend = psock->apply_bytes;
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability CVE-2022-49877 represents a critical issue within the Linux kernel's socket mapping functionality, specifically affecting the BPF (Berkeley Packet Filter) subsystem and sockmap implementation. This flaw manifests as a warning message indicating improper handling of socket forward allocation during stream queue termination processes. The issue originates from a problematic code change in commit 84472b436e76 that altered how message size parameters are processed within the socket communication framework, creating a scenario where socket forward allocation tracking becomes inconsistent. The warning appears during normal socket closure operations when the kernel attempts to clean up stream queues, specifically in the sk_stream_kill_queues function located in net/core/stream.c at line 205.
The technical root cause of this vulnerability lies in the improper replacement of the tosend variable with msg->sg.size in the sockmap implementation. This change disrupts the expected flow of socket buffer management during TCP connection termination processes, leading to inconsistent tracking of socket forward allocation values. When the kernel processes TCP connection closures through the standard socket release path, including functions like inet_csk_destroy_sock, tcp_rcv_state_process, and tcp_close, it encounters a mismatch between expected and actual socket buffer states. The problematic code path demonstrates a failure to properly account for message size constraints when applying byte limits, causing the sk->sk_forward_alloc field to display warning conditions during normal socket cleanup operations.
The operational impact of this vulnerability extends beyond simple warning messages, potentially affecting system stability and network communication reliability within kernel space. During normal TCP connection termination scenarios, particularly when processing socket releases through inet_release and __sock_release functions, the kernel may experience inconsistent socket buffer state management. This inconsistency can lead to resource leakage, improper socket cleanup, and potential denial of service conditions affecting network services that rely heavily on BPF sockmap functionality. The vulnerability affects systems running Linux kernels with BPF sockmap support, particularly those utilizing socket mapping for network packet processing and filtering operations. The issue demonstrates characteristics consistent with CWE-121, which describes heap-based buffer overflow conditions, and may contribute to broader system instability through improper memory management during socket lifecycle operations.
Mitigation strategies for this vulnerability require immediate kernel updates to address the specific code modification that introduced the sockmap forward allocation issue. System administrators should prioritize applying security patches that revert or correct the problematic commit 84472b436e76, ensuring proper handling of message size parameters during socket operations. Organizations should implement monitoring for warning messages related to sk_stream_kill_queues and socket forward allocation, as these may indicate potential system instability. The fix involves restoring proper accounting of tosend variables and ensuring that message size constraints are handled appropriately during socket closure operations. Additionally, implementing comprehensive testing of BPF sockmap functionality, particularly during connection termination scenarios, can help identify and prevent similar issues in production environments. Security teams should consider this vulnerability as part of broader kernel security hardening efforts, particularly focusing on socket management and BPF subsystem integrity, aligning with ATT&CK techniques related to privilege escalation and system compromise through kernel vulnerabilities.