CVE-2022-50129 in Linux

Summary

by MITRE • 06/18/2025

In the Linux kernel, the following vulnerability has been resolved:

RDMA/srpt: Fix a use-after-free

Change the LIO port members inside struct srpt_port from regular members into pointers. Allocate the LIO port data structures from inside srpt_make_tport() and free these from inside srpt_make_tport(). Keep struct srpt_device as long as either an RDMA port or a LIO target port is associated with it. This patch decouples the lifetime of struct srpt_port (controlled by the RDMA core) and struct srpt_port_id (controlled by LIO). This patch fixes the following KASAN complaint:

BUG: KASAN: use-after-free in srpt_enable_tpg+0x31/0x70 [ib_srpt]
Read of size 8 at addr ffff888141cc34b8 by task check/5093

Call Trace:
<TASK>
show_stack+0x4e/0x53
dump_stack_lvl+0x51/0x66
print_address_description.constprop.0.cold+0xea/0x41e
print_report.cold+0x90/0x205
kasan_report+0xb9/0xf0
__asan_load8+0x69/0x90
srpt_enable_tpg+0x31/0x70 [ib_srpt]
target_fabric_tpg_base_enable_store+0xe2/0x140 [target_core_mod]
configfs_write_iter+0x18b/0x210
new_sync_write+0x1f2/0x2f0
vfs_write+0x3e3/0x540
ksys_write+0xbb/0x140
__x64_sys_write+0x42/0x50
do_syscall_64+0x34/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>


Analysis

by VulDB Data Team • 12/01/2025

CVE-2022-50129 is a use-after-free in the Linux kernel's ib_srpt driver, the SCSI RDMA Protocol (SRP) target that exposes LIO storage targets over RDMA transports. The flaw stems from the lifetimes of two kernel data structures in the storage target infrastructure being tied together even though they are owned by different subsystems. As a result the kernel can read memory that has already been freed; in the general case a kernel use-after-free leads to a crash and, with further work by an attacker, can become memory corruption.

The root cause is the coupling of two distinct structure lifetimes inside the srpt subsystem. The LIO port members of struct srpt_port were embedded as regular members rather than allocated separately and reached through pointers, so the LIO-side data lived exactly as long as the RDMA-side struct srpt_port. When the RDMA core freed struct srpt_port, LIO still held references into that memory. KASAN caught the stale access in srpt_enable_tpg(): the call trace shows an 8-byte read at ffff888141cc34b8 from already-freed memory, reached through a configfs write that enables the target portal group (target_fabric_tpg_base_enable_store in the trace).

The weakness is CWE-416 (Use After Free). In kernel space a freed object that is still referenced can be reallocated for another purpose, so a later access reads or writes whatever now occupies that memory. The practical impact ranges from a kernel crash (denial of service) to, in principle, memory corruption and privilege escalation; this page documents no exploit, only the KASAN report. Only systems with the ib_srpt driver loaded and a LIO SRP target configured are affected, and the faulting path is reached from a write to configfs, which normally requires root.

The patch restructures how the srpt subsystem allocates and owns this memory. The LIO port members of struct srpt_port become pointers to separately allocated structures, which are allocated from srpt_make_tport() and whose lifetime is controlled by LIO rather than by the RDMA core. In addition, struct srpt_device is kept alive as long as either an RDMA port or a LIO target port still refers to it. This decouples the lifetime of struct srpt_port (controlled by the RDMA core) from that of struct srpt_port_id (controlled by LIO), so removing an RDMA port no longer invalidates memory that LIO is still using.
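To make the lifetime coupling concrete, here is an added user-space model (example code, not the kernel's ib_srpt implementation). A small shadow-allocation table plays the role of KASAN; the "before" structs embed LIO's port id inside the RDMA-owned port, and the "after" structs allocate it separately and keep the device alive with a reference count held by both owners. All struct and function names here (old_port, new_port_id, srpt_dev, scenario_before_fix, scenario_after_fix) are constructed for the example.

```c
/*
 * Added example, not kernel code: a user-space model of the lifetime bug
 * fixed by this commit and of the fix. A small shadow table stands in for
 * KASAN; freed objects are quarantined (never handed back) so a stale read
 * is detectable instead of undefined behaviour. All names are constructed.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_OBJ 16
static struct { char *ptr; size_t size; bool live; } shadow[MAX_OBJ];

static void *model_alloc(size_t size)
{
    char *p = calloc(1, size);
    for (int i = 0; i < MAX_OBJ; i++) {
        if (!shadow[i].ptr) {
            shadow[i].ptr = p; shadow[i].size = size; shadow[i].live = true;
            return p;
        }
    }
    abort();
}

static void model_free(void *p)        /* quarantine: mark dead, keep the address */
{
    for (int i = 0; i < MAX_OBJ; i++)
        if (shadow[i].ptr == p) { shadow[i].live = false; return; }
    abort();
}

static bool live_object(const void *p) /* KASAN stand-in: inside a live allocation? */
{
    const char *c = p;
    for (int i = 0; i < MAX_OBJ; i++)
        if (shadow[i].ptr && c >= shadow[i].ptr && c < shadow[i].ptr + shadow[i].size)
            return shadow[i].live;
    return false;
}

/* --- before the fix: LIO's port id is embedded in the RDMA-owned port --- */
struct old_port_id { bool enabled; };
struct old_port { int port_num; struct old_port_id port_id; };

static int old_enable_tpg(struct old_port_id *pid)
{
    if (!live_object(pid))
        return -1;                     /* the KASAN report in the commit message */
    pid->enabled = true;
    return 0;
}

int scenario_before_fix(void)
{
    struct old_port *sport = model_alloc(sizeof *sport);     /* RDMA core adds port */
    struct old_port_id *pid = &sport->port_id;              /* LIO: srpt_make_tport() */
    model_free(sport);                                      /* RDMA core removes port */
    return old_enable_tpg(pid);                             /* LIO: configfs "enable" write */
}

/* --- after the fix: separate allocation, device kept alive by both owners --- */
struct srpt_dev { int refs; };
struct new_port_id { bool enabled; struct srpt_dev *sdev; };
struct new_port { int port_num; struct srpt_dev *sdev; struct new_port_id *port_id; };

static void dev_get(struct srpt_dev *d) { d->refs++; }
static void dev_put(struct srpt_dev *d) { if (--d->refs == 0) model_free(d); }

static int new_enable_tpg(struct new_port_id *pid)
{
    if (!live_object(pid) || !live_object(pid->sdev))
        return -1;
    pid->enabled = true;
    return 0;
}

int scenario_after_fix(void)
{
    struct srpt_dev *sdev = model_alloc(sizeof *sdev);       /* RDMA device probed */
    struct new_port *sport = model_alloc(sizeof *sport);     /* RDMA core adds port */
    sport->sdev = sdev; dev_get(sdev);
    struct new_port_id *pid = model_alloc(sizeof *pid);      /* LIO: srpt_make_tport() */
    pid->sdev = sdev; dev_get(sdev);
    sport->port_id = pid;

    dev_put(sport->sdev); model_free(sport);                 /* RDMA core removes port */
    if (new_enable_tpg(pid) != 0)                            /* LIO enable is still safe */
        return -1;
    if (!live_object(sdev) || sdev->refs != 1)
        return -2;                                           /* device must survive */
    dev_put(pid->sdev); model_free(pid);                     /* LIO drops the tport */
    return live_object(sdev) ? -3 : 0;                       /* last ref frees device */
}

int main(void)
{
    printf("before fix: enable_tpg -> %d\n", scenario_before_fix());
    printf("after fix:  enable_tpg -> %d\n", scenario_after_fix());
    return 0;
}
```

Built with any C compiler, the old layout returns -1 because the stand-in sanitizer sees the enable reach into a dead allocation, while the new layout returns 0: the LIO-owned port id and the reference-counted device both outlive the RDMA port, and the device is released only when the last owner drops it.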

From an ATT&CK perspective, a kernel use-after-free of this kind would fall under T1068 (Exploitation for Privilege Escalation) if an attacker who can already write to configfs turned it into code execution; no such exploit is documented here. The fix follows sound kernel practice: each structure is owned by exactly one subsystem, and shared state is kept alive by reference as long as any owner needs it. Organizations should prioritize updating kernels on hosts that serve storage over RDMA, which in practice means hosts with the ib_srpt module loaded and an SRP target configured under LIO; hosts that do not use the driver are not affected by this path. Until the patched kernel is deployed, the usual hardening applies: keep the module unloaded where it is not needed and limit configfs access to administrators.

Responsible

Linux

Reservation

06/18/2025

Disclosure

06/18/2025

Moderation

accepted

CPE

ready

EPSS

0.00159

KEV

no

Activities

very low
