CVE-2022-50569

In the Linux kernel, the following vulnerability has been resolved:

xfrm: Update ipcomp_scratches with NULL when freed

Currently if ipcomp_alloc_scratches() fails to allocate memory
ipcomp_scratches holds obsolete address. So when we try to free the
percpu scratches using ipcomp_free_scratches() it tries to vfree non
existent vm area. Described below:

static void * __percpu *ipcomp_alloc_scratches(void)
{
        ...
        scratches = alloc_percpu(void *);
        if (!scratches)
                return NULL;
ipcomp_scratches does not know about this allocation failure.
Therefore holding the old obsolete address.
        ...
}

So when we free,

static void ipcomp_free_scratches(void)
{
        ...
        scratches = ipcomp_scratches;
Assigning obsolete address from ipcomp_scratches

        if (!scratches)
                return;

        for_each_possible_cpu(i)
               vfree(*per_cpu_ptr(scratches, i));
Trying to free non existent page, causing warning: trying to vfree
existent vm area.
        ...
}

Fix this breakage by updating ipcomp_scrtches with NULL when scratches
is freed
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
LinuxCNA
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 12%
Debian logo
Debian Releases
Debian Product
Codename
linux
bullseye
5.10.223-1
fixed
bullseye (security)
5.10.244-1
fixed
bookworm
6.1.148-1
fixed
bookworm (security)
6.1.153-1
fixed
trixie
6.12.43-1
fixed
trixie (security)
6.12.48-1
fixed
forky
6.16.9-1
fixed
sid
6.16.12-2
fixed
References
https://git.kernel.org/stable/c/03155680191ef0f004b1d6a5714c5b8cd271ab61
https://git.kernel.org/stable/c/18373ed500f7cd53e24d9b0bd0f1c09d78dba87e
https://git.kernel.org/stable/c/1e8abde895b3ac6a368cbdb372e8800c49e73a28
https://git.kernel.org/stable/c/2c19945ce8095d065df550e7fe350cd5cc40c6e6
https://git.kernel.org/stable/c/8a04d2fc700f717104bfb95b0f6694e448a4537f
https://git.kernel.org/stable/c/a39f456d62810c0efb43cead22f98d95b53e4b1a
https://git.kernel.org/stable/c/be81c44242b20fc3bdcc73480ef8aaee56f5d0b6
https://git.kernel.org/stable/c/debca61df6bc2f65e020656c9c5b878d6b38d30f
https://git.kernel.org/stable/c/f3bdba4440d82e0da2b1bfc35d3836c8a8e00677