Fixed
Created: Jun 18, 2025
Updated: Sep 1, 2025
Resolved Date: Jun 19, 2025
Found In Version: 10.25.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]skmsg: Fix wrong last sg check in sk_msg_recvmsg()[EOL][EOL]Fix one kernel NULL pointer dereference as below:[EOL][EOL][ 224.462334] Call Trace:[EOL][ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380[EOL][ 224.462441] ? sock_has_perm+0x78/0xa0[EOL][ 224.462463] tcp_bpf_recvmsg+0x12e/0x220[EOL][ 224.462494] inet_recvmsg+0x5b/0xd0[EOL][ 224.462534] __sys_recvfrom+0xc8/0x130[EOL][ 224.462574] ? syscall_trace_enter+0x1df/0x2e0[EOL][ 224.462606] ? __do_page_fault+0x2de/0x500[EOL][ 224.462635] __x64_sys_recvfrom+0x24/0x30[EOL][ 224.462660] do_syscall_64+0x5d/0x1d0[EOL][ 224.462709] entry_SYSCALL_64_after_hwframe+0x65/0xca[EOL][EOL]In commit 9974d37ea75f ("skmsg: Fix invalid last sg check in[EOL]sk_msg_recvmsg()"), we change last sg check to sg_is_last(),[EOL]but in sockmap redirection case (without stream_parser/stream_verdict/[EOL]skb_verdict), we did not mark the end of the scatterlist. Check the[EOL]sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all[EOL]do not mark the end of sg. They are expected to use sg.end for end[EOL]judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.
CREATE(Triage):(User=lchen-cn) [CVE-2022-49973 (https://nvd.nist.gov/vuln/detail/CVE-2022-49973)
