CVE-2022-50253 (GCVE-0-2022-50253)

Vulnerability from cvelistv5 – Published: 2025-09-15 14:02 – Updated: 2025-12-23 13:27
VLAI?
Title
bpf: make sure skb->len != 0 when redirecting to a tunneling device
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: make sure skb->len != 0 when redirecting to a tunneling device syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx_skb net/core/filter.c:2115 [inline] __bpf_redirect_no_mac net/core/filter.c:2140 [inline] __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 ____bpf_clone_redirect net/core/filter.c:2447 [inline] bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419 bpf_prog_48159a89cb4a9a16+0x59/0x5e bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline] __bpf_prog_run include/linux/filter.h:596 [inline] bpf_prog_run include/linux/filter.h:603 [inline] bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402 bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170 bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 __do_sys_bpf kernel/bpf/syscall.c:5091 [inline] __se_sys_bpf kernel/bpf/syscall.c:5089 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x61/0xc6 The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after __skb_pull?
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < ffbccc5fb0a67424e12f7f8da210c04c8063f797 (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < e6a63203e5a90a39392fa1a7ffc60f5e9baf642a (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 772431f30ca040cfbf31b791d468bac6a9ca74d3 (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 6d935a02658be82585ecb39aab339faa84496650 (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5 (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 1b65704b8c08ae92db29f720d3b298031131da53 (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < f186303845a01cc7e991f9dc51d7e5a3cdc7aedb (git)
Affected: 4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d , < 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca (git)
Create a notification for this product.
    Linux Linux Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 4.14.303 , ≤ 4.14.* (semver)
Unaffected: 4.19.270 , ≤ 4.19.* (semver)
Unaffected: 5.4.229 , ≤ 5.4.* (semver)
Unaffected: 5.10.163 , ≤ 5.10.* (semver)
Unaffected: 5.15.86 , ≤ 5.15.* (semver)
Unaffected: 6.0.16 , ≤ 6.0.* (semver)
Unaffected: 6.1.2 , ≤ 6.1.* (semver)
Unaffected: 6.2 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ffbccc5fb0a67424e12f7f8da210c04c8063f797",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "e6a63203e5a90a39392fa1a7ffc60f5e9baf642a",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "772431f30ca040cfbf31b791d468bac6a9ca74d3",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "6d935a02658be82585ecb39aab339faa84496650",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "1b65704b8c08ae92db29f720d3b298031131da53",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "f186303845a01cc7e991f9dc51d7e5a3cdc7aedb",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            },
            {
              "lessThan": "07ec7b502800ba9f7b8b15cb01dd6556bb41aaca",
              "status": "affected",
              "version": "4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.303",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.270",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.229",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.163",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.0.*",
              "status": "unaffected",
              "version": "6.0.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.2",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.303",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.270",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.229",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.163",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.86",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0.16",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.2",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.2",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device\n\nsyzkaller managed to trigger another case where skb-\u003elen == 0\nwhen we enter __dev_queue_xmit:\n\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline]\nWARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295\n\nCall Trace:\n dev_queue_xmit+0x17/0x20 net/core/dev.c:4406\n __bpf_tx_skb net/core/filter.c:2115 [inline]\n __bpf_redirect_no_mac net/core/filter.c:2140 [inline]\n __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163\n ____bpf_clone_redirect net/core/filter.c:2447 [inline]\n bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419\n bpf_prog_48159a89cb4a9a16+0x59/0x5e\n bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline]\n __bpf_prog_run include/linux/filter.h:596 [inline]\n bpf_prog_run include/linux/filter.h:603 [inline]\n bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402\n bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170\n bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648\n __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005\n __do_sys_bpf kernel/bpf/syscall.c:5091 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5089 [inline]\n __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089\n do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48\n entry_SYSCALL_64_after_hwframe+0x61/0xc6\n\nThe reproducer doesn\u0027t really reproduce outside of syzkaller\nenvironment, so I\u0027m taking a guess here. It looks like we\ndo generate correct ETH_HLEN-sized packet, but we redirect\nthe packet to the tunneling device. Before we do so, we\n__skb_pull l2 header and arrive again at skb-\u003elen == 0.\nDoesn\u0027t seem like we can do anything better than having\nan explicit check after __skb_pull?"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-23T13:27:37.407Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6a63203e5a90a39392fa1a7ffc60f5e9baf642a"
        },
        {
          "url": "https://git.kernel.org/stable/c/772431f30ca040cfbf31b791d468bac6a9ca74d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d935a02658be82585ecb39aab339faa84496650"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d3f4478d22b2cb1810f6fe0f797411e9d87b3e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b65704b8c08ae92db29f720d3b298031131da53"
        },
        {
          "url": "https://git.kernel.org/stable/c/f186303845a01cc7e991f9dc51d7e5a3cdc7aedb"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ec7b502800ba9f7b8b15cb01dd6556bb41aaca"
        }
      ],
      "title": "bpf: make sure skb-\u003elen != 0 when redirecting to a tunneling device",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-50253",
    "datePublished": "2025-09-15T14:02:34.849Z",
    "dateReserved": "2025-09-15T13:58:00.973Z",
    "dateUpdated": "2025-12-23T13:27:37.407Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.