CVE-2022-50003

EUVD-2022-55282

18.06.2025, 11:15

In the Linux kernel, the following vulnerability has been resolved:

ice: xsk: prohibit usage of non-balanced queue id

Fix the following scenario:
1. ethtool -L $IFACE rx 8 tx 96
2. xdpsock -q 10 -t -z

Above refers to a case where user would like to attach XSK socket in
txonly mode at a queue id that does not have a corresponding Rx queue.
At this moment ice's XSK logic is tightly bound to act on a "queue pair",
e.g. both Tx and Rx queues at a given queue id are disabled/enabled and
both of them will get XSK pool assigned, which is broken for the presented
queue configuration. This results in the splat included at the bottom,
which is basically an OOB access to Rx ring array.

To fix this, allow using the ids only in scope of "combined" queues
reported by ethtool. However, logic should be rewritten to allow such
configurations later on, which would end up as a complete rewrite of the
control path, so let us go with this temporary fix.

[420160.558008] BUG: kernel NULL pointer dereference, address: 0000000000000082
[420160.566359] #PF: supervisor read access in kernel mode
[420160.572657] #PF: error_code(0x0000) - not-present page
[420160.579002] PGD 0 P4D 0
[420160.582756] Oops: 0000 [#1] PREEMPT SMP NOPTI
[420160.588396] CPU: 10 PID: 21232 Comm: xdpsock Tainted: G           OE     5.19.0-rc7+ #10
[420160.597893] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[420160.609894] RIP: 0010:ice_xsk_pool_setup+0x44/0x7d0 [ice]
[420160.616968] Code: f3 48 83 ec 40 48 8b 4f 20 48 8b 3f 65 48 8b 04 25 28 00 00 00 48 89 44 24 38 31 c0 48 8d 04 ed 00 00 00 00 48 01 c1 48 8b 11 <0f> b7 92 82 00 00 00 48 85 d2 0f 84 2d 75 00 00 48 8d 72 ff 48 85
[420160.639421] RSP: 0018:ffffc9002d2afd48 EFLAGS: 00010282
[420160.646650] RAX: 0000000000000050 RBX: ffff88811d8bdd00 RCX: ffff888112c14ff8
[420160.655893] RDX: 0000000000000000 RSI: ffff88811d8bdd00 RDI: ffff888109861000
[420160.665166] RBP: 000000000000000a R08: 000000000000000a R09: 0000000000000000
[420160.674493] R10: 000000000000889f R11: 0000000000000000 R12: 000000000000000a
[420160.683833] R13: 000000000000000a R14: 0000000000000000 R15: ffff888117611828
[420160.693211] FS:  00007fa869fc1f80(0000) GS:ffff8897e0880000(0000) knlGS:0000000000000000
[420160.703645] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[420160.711783] CR2: 0000000000000082 CR3: 00000001d076c001 CR4: 00000000007706e0
[420160.721399] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[420160.731045] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[420160.740707] PKRU: 55555554
[420160.745960] Call Trace:
[420160.750962]  <TASK>
[420160.755597]  ? kmalloc_large_node+0x79/0x90
[420160.762703]  ? __kmalloc_node+0x3f5/0x4b0
[420160.769341]  xp_assign_dev+0xfd/0x210
[420160.775661]  ? shmem_file_read_iter+0x29a/0x420
[420160.782896]  xsk_bind+0x152/0x490
[420160.788943]  __sys_bind+0xd0/0x100
[420160.795097]  ? exit_to_user_mode_prepare+0x20/0x120
[420160.802801]  __x64_sys_bind+0x16/0x20
[420160.809298]  do_syscall_64+0x38/0x90
[420160.815741]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[420160.823731] RIP: 0033:0x7fa86a0dd2fb
[420160.830264] Code: c3 66 0f 1f 44 00 00 48 8b 15 69 8b 0c 00 f7 d8 64 89 02 b8 ff ff ff ff eb bc 0f 1f 44 00 00 f3 0f 1e fa b8 31 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3d 8b 0c 00 f7 d8 64 89 01 48
[420160.855410] RSP: 002b:00007ffc1146f618 EFLAGS: 00000246 ORIG_RAX: 0000000000000031
[420160.866366] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa86a0dd2fb
[420160.876957] RDX: 0000000000000010 RSI: 00007ffc1146f680 RDI: 0000000000000003
[420160.887604] RBP: 000055d7113a0520 R08: 00007fa868fb8000 R09: 0000000080000000
[420160.898293] R10: 0000000000008001 R11: 0000000000000246 R12: 000055d7113a04e0
[420160.909038] R13: 000055d7113a0320 R14: 000000000000000a R15: 0000000000000000
[420160.919817]  </TASK>
[420160.925659] Modules linked in: ice(OE) af_packet binfmt_misc
---truncated---

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.5 MEDIUM	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 5%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	5.5 ≤ 𝑥 < 5.10.140
linux	linux_kernel	5.11 ≤ 𝑥 < 5.15.64
linux	linux_kernel	5.16 ≤ 𝑥 < 5.19.6
linux	linux_kernel	6.0:rc1
linux	linux_kernel	6.0:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.137-1 fixed
bookworm (security)	6.1.140-1 fixed
bullseye	5.10.223-1 fixed
bullseye (security)	5.10.237-1 fixed
sid	6.12.32-1 fixed
trixie	6.12.32-1 fixed
trixie (security)	6.12.31-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-allwinner-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-aws-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-aws-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-aws-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-aws-hwe

jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-azure

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
trusty	needs-triage
xenial	needs-triage

linux-azure-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-azure-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde

focal	ignored
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fde-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-azure-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-azure-nvidia

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-bluefield

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-gcp

bionic	ignored
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-gcp-4.15

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-gcp-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-gcp-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gcp-fips

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-gke

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gke-4.15

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gke-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop

focal	ignored
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-gkeop-5.15

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-gkeop-5.4

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-hwe-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-hwe-edge

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne
xenial	ignored

linux-ibm

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-ibm-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-ibm-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-intel-iot-realtime

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-intel-iotg-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-iot

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-kvm

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne
xenial	needs-triage

linux-lowlatency

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	dne

linux-lowlatency-hwe-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-lowlatency-hwe-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-lts-xenial

jammy	dne
noble	dne
oracular	dne
plucky	dne
trusty	needs-triage

linux-nvidia

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-nvidia-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-nvidia-lowlatency

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra

jammy	needs-triage
noble	needs-triage
oracular	dne
plucky	dne

linux-nvidia-tegra-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-nvidia-tegra-igx

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-oem

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.10

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.14

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-5.17

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-5.6

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oem-6.0

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.1

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.11

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.14

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oem-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oem-6.8

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-oracle

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage
xenial	needs-triage

linux-oracle-5.0

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.13

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.3

bionic	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-oracle-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-raspi

focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-raspi-5.4

bionic	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-raspi-realtime

jammy	dne
noble	needs-triage
oracular	dne
plucky	dne

linux-raspi2

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-realtime

jammy	needs-triage
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv

focal	ignored
jammy	ignored
noble	needs-triage
oracular	needs-triage
plucky	needs-triage

linux-riscv-5.11

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.15

focal	needs-triage
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-5.8

focal	ignored
jammy	dne
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-riscv-6.8

jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

linux-starfive-5.19

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.2

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-starfive-6.5

jammy	ignored
noble	dne
oracular	dne
plucky	dne

linux-xilinx-zynqmp

focal	needs-triage
jammy	needs-triage
noble	dne
oracular	dne
plucky	dne

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://git.kernel.org/stable/c/03a3f29fe5b1751ad9b5c892c894183e75a6e4c4

https://git.kernel.org/stable/c/1bfdcde723d8ceb2d73291b0415767e7c1cc1d8a

https://git.kernel.org/stable/c/5a42f112d367bb4700a8a41f5c12724fde6bfbb9

https://git.kernel.org/stable/c/fe76b3e674665ea4059337f8f66d20cdfb0168eb