CVE-2022-50003

18.06.2025, 11:15

In the Linux kernel, the following vulnerability has been resolved:

ice: xsk: prohibit usage of non-balanced queue id

Fix the following scenario:
1. ethtool -L $IFACE rx 8 tx 96
2. xdpsock -q 10 -t -z

Above refers to a case where user would like to attach XSK socket in
txonly mode at a queue id that does not have a corresponding Rx queue.
At this moment ice's XSK logic is tightly bound to act on a "queue pair",
e.g. both Tx and Rx queues at a given queue id are disabled/enabled and
both of them will get XSK pool assigned, which is broken for the presented
queue configuration. This results in the splat included at the bottom,
which is basically an OOB access to Rx ring array.

To fix this, allow using the ids only in scope of "combined" queues
reported by ethtool. However, logic should be rewritten to allow such
configurations later on, which would end up as a complete rewrite of the
control path, so let us go with this temporary fix.

[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082
[420160.566359] #PF: supervisor read access in kernel mode
[420160.572657] #PF: error_code(0x0000) - not-present page
[420160.579002] PGD 0 P4D 0
[420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI
[420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G           OE     5.19.0-rc7+ #10
[420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice]
[420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85
[420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282
[420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8
[420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000
[420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000
[420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a
[420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828
[420160.693211] FS:  00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000
[420160.703645] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0
[420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[420160.740707] PKRU: 55555554
[420160.745960] Call Trace:
[420160.750962]  <TASK>
[420160.755597]  ? kmalloc_large_node+0x79/0x90
[420160.762703]  ? __kmalloc_node+0x3f5/0x4b0
[420160.769341]  xp_assign_dev+0xfd/0x210
[420160.775661]  ? shmem_file_read_iter+0x29a/0x420
[420160.782896]  xsk_bind+0x152/0x490
[420160.788943]  __sys_bind+0xd0/0x100
[420160.795097]  ? exit_to_user_mode_prepare+0x20/0x120
[420160.802801]  __x64_sys_bind+0x16/0x20
[420160.809298]  do_syscall_64+0x38/0x90
[420160.815741]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[420160.823731] RIP: 0033:0x7fa86a0dd2fb
[420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48
[420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb
[420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003
[420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000
[420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0
[420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000
[420160.919817]  </TASK>
[420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	UNKNOWN				---
Linux	CNA	---				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Debian Releases

Debian Product

Codename

linux

bullseye	5.10.223-1 fixed
bullseye (security)	5.10.237-1 fixed
bookworm	6.1.137-1 fixed
bookworm (security)	6.1.140-1 fixed
trixie (security)	6.12.31-1 fixed
sid	6.12.32-1 fixed
trixie	6.12.32-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-allwinner-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-aws

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage

linux-aws-5.0

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-aws-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-aws-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-aws-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-aws-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-aws-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-aws-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-aws-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-aws-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-aws-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-aws-hwe

plucky	dne
oracular	dne
noble	dne
jammy	dne
xenial	needs-triage

linux-azure

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage
trusty	needs-triage

linux-azure-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-azure-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-azure-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-azure-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-azure-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-azure-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-azure-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-azure-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-azure-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-azure-edge

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-azure-fde

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	ignored

linux-azure-fde-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-azure-fde-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-azure-fde-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-azure-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-azure-nvidia

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-bluefield

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-gcp

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	ignored
xenial	needs-triage

linux-gcp-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-gcp-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-gcp-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-gcp-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-gcp-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-gcp-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gcp-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-gcp-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-gcp-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-gcp-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-gcp-fips

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage

linux-gke

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gke-4.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-gke-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gke-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-gkeop

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	ignored

linux-gkeop-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-gkeop-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-hwe

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored
xenial	needs-triage

linux-hwe-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-hwe-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-hwe-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-hwe-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-hwe-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-hwe-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-hwe-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-hwe-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-hwe-edge

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored
xenial	ignored

linux-ibm

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-ibm-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-ibm-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-intel-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-intel-iot-realtime

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-intel-iotg

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-intel-iotg-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-iot

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-kvm

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-lowlatency

plucky	dne
oracular	needs-triage
noble	needs-triage
jammy	needs-triage

linux-lowlatency-hwe-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-lowlatency-hwe-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-lowlatency-hwe-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-lowlatency-hwe-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-lowlatency-hwe-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-lowlatency-hwe-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-lts-xenial

plucky	dne
oracular	dne
noble	dne
jammy	dne
trusty	needs-triage

linux-nvidia

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage

linux-nvidia-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-nvidia-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-nvidia-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-nvidia-lowlatency

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-nvidia-tegra

plucky	dne
oracular	dne
noble	needs-triage
jammy	needs-triage

linux-nvidia-tegra-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-nvidia-tegra-igx

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-oem

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-oem-5.10

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.14

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-5.17

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-oem-5.6

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oem-6.0

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-oem-6.1

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-oem-6.11

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-oem-6.14

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-oem-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-oem-6.8

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-oracle

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage
bionic	needs-triage
xenial	needs-triage

linux-oracle-5.0

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-oracle-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.13

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-oracle-5.3

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	ignored

linux-oracle-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-oracle-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-oracle-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-oracle-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-raspi

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage
focal	needs-triage

linux-raspi-5.4

plucky	dne
oracular	dne
noble	dne
jammy	dne
bionic	needs-triage

linux-raspi-realtime

plucky	dne
oracular	dne
noble	needs-triage
jammy	dne

linux-raspi2

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-realtime

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	needs-triage

linux-riscv

plucky	needs-triage
oracular	needs-triage
noble	needs-triage
jammy	ignored
focal	ignored

linux-riscv-5.11

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-5.15

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	needs-triage

linux-riscv-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-riscv-5.8

plucky	dne
oracular	dne
noble	dne
jammy	dne
focal	ignored

linux-riscv-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-riscv-6.8

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage

linux-starfive-5.19

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-starfive-6.2

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-starfive-6.5

plucky	dne
oracular	dne
noble	dne
jammy	ignored

linux-xilinx-zynqmp

plucky	dne
oracular	dne
noble	dne
jammy	needs-triage
focal	needs-triage

References

https://git.kernel.org/stable/c/03a3f29fe5b1751ad9b5c892c894183e75a6e4c4

https://git.kernel.org/stable/c/1bfdcde723d8ceb2d73291b0415767e7c1cc1d8a

https://git.kernel.org/stable/c/5a42f112d367bb4700a8a41f5c12724fde6bfbb9

https://git.kernel.org/stable/c/fe76b3e674665ea4059337f8f66d20cdfb0168eb