CVE-2022-50531

Severity: MEDIUM (CVSS 3.1 base score 5.5)
Published: 2025-10-07

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 17, 2026 - 20:45 (vuln.today)
Patch Released: Mar 17, 2026 - 20:45 (nvd), patch available
CVE Published: Oct 07, 2025 - 16:15 (nvd)

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix an information leak in tipc_topsrv_kern_subscr

Use a 8-byte write to initialize sub.usr_handle in tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized when issuing setsockopt(..., SOL_TIPC, ...). This resulted in an infoleak reported by KMSAN when the packet was received:

    =====================================================
    BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169
     instrument_copy_to_user ./include/linux/instrumented.h:121
     copyout+0xbc/0x100 lib/iov_iter.c:169
     _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527
     copy_to_iter ./include/linux/uio.h:176
     simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513
     __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419
     skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527
     skb_copy_datagram_msg ./include/linux/skbuff.h:3903
     packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469
     ____sys_recvmsg+0x2c4/0x810 net/socket.c:?
     ___sys_recvmsg+0x217/0x840 net/socket.c:2743
     __sys_recvmsg net/socket.c:2773
     __do_sys_recvmsg net/socket.c:2783
     __se_sys_recvmsg net/socket.c:2780
     __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780
     do_syscall_x64 arch/x86/entry/common.c:50
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120
     ...

    Uninit was stored to memory at:
     tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156
     tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375
     tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579
     tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190
     tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084
     tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201
     __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252
     __do_sys_setsockopt net/socket.c:2263
     __se_sys_setsockopt net/socket.c:2260
     __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260
     do_syscall_x64 arch/x86/entry/common.c:50
     do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
     entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120

    Local variable sub created at:
     tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562
     tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190

    Bytes 84-87 of 88 are uninitialized
    Memory access of size 88 starts at ffff88801ed57cd0
    Data copied to user address 0000000020000400
     ...
    =====================================================

Analysis

An information leak vulnerability exists in the Linux kernel's TIPC (Transparent Inter-Process Communication) subsystem within the tipc_topsrv_kern_subscr() function. The vulnerability occurs due to incomplete initialization of the sub.usr_handle field, leaving four bytes uninitialized when setsockopt() is called with SOL_TIPC options, allowing kernel memory contents to be leaked to user space. This affects Linux kernel versions including 6.1-rc1 and potentially others; while the EPSS score is extremely low at 0.01% percentile, the vulnerability requires local access and low privileges to trigger, making it a lower-priority but real information disclosure issue that has been patched by multiple vendors.

Technical Context

The vulnerability resides in the TIPC protocol implementation within the Linux kernel's network stack, specifically in net/tipc/topsrv.c. TIPC is an inter-node communication protocol designed for high-availability clusters. The flaw stems from improper initialization of a subscription structure (sub) declared on the stack in tipc_topsrv_kern_subscr(). The function uses a 4-byte write (partial initialization) rather than an 8-byte write to set sub.usr_handle, leaving the remaining four bytes of an 88-byte structure uninitialized. When this structure is subsequently passed through the subscription path via tipc_sub_subscribe() and eventually copied to user space during packet reception, KMSAN (Kernel Memory Sanitizer) detects the information leak. The root cause is classified as CWE-401 (Uninitialized Variable / Memory Access), which is a class of vulnerabilities where uninitialized memory containing sensitive kernel data is exposed to unprivileged users.
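To make the "four bytes remain uninitialized" point concrete, the following is an added example (not kernel code and not from vuln.today): it models a stack record whose 8-byte opaque handle is filled by a 4-byte write versus an 8-byte write, poisons the record to stand in for stale stack contents, and counts the bytes each initializer leaves untouched. The struct sub_model layout, its field names, the 0xA5 sentinel and the 0x1234 port value are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the stack-allocated subscription record with an 8-byte
 * opaque usr_handle at the end. It stands in for the layout the page describes
 * and is not the kernel's real struct tipc_subscr. */
struct sub_model {
    uint32_t type, lower, upper;  /* service range */
    uint32_t timeout, filter;
    uint8_t  usr_handle[8];       /* opaque handle the bug only half-fills */
};

#define STALE 0xA5 /* sentinel standing in for leftover stack contents */

static void init_common(struct sub_model *s)
{
    s->type = 1; s->lower = 0; s->upper = 0; s->timeout = 0; s->filter = 0;
}

/* Bug pattern: a 4-byte port id is written into the 8-byte handle, so the
 * last four bytes keep whatever the stack held before. */
static void init_sub_partial(struct sub_model *s, uint32_t port)
{
    init_common(s);
    memcpy(s->usr_handle, &port, sizeof(port));      /* 4 of 8 bytes */
}

/* Fix pattern: widen to 64 bits and write all 8 bytes of the handle. */
static void init_sub_full(struct sub_model *s, uint32_t port)
{
    uint64_t handle = port;
    init_common(s);
    memcpy(s->usr_handle, &handle, sizeof(handle));  /* all 8 bytes */
}

/* Poison the record as if it held stale stack data, run an initializer, and
 * count the bytes it never touched: the same question KMSAN answers with
 * "Bytes N-M of K are uninitialized". */
static int stale_bytes_after(void (*init)(struct sub_model *, uint32_t))
{
    struct sub_model s;
    const unsigned char *p = (const unsigned char *)&s;
    int stale = 0;
    memset(&s, STALE, sizeof(s));
    init(&s, 0x1234);
    for (size_t i = 0; i < sizeof(s); i++)
        stale += (p[i] == STALE);
    return stale;
}
```

With this model the partial initializer leaves exactly four sentinel bytes at the tail of the 28-byte record, matching the report's "last four bytes" finding, while the full write leaves none.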

Affected Products

The Linux kernel is the sole affected product, with confirmed impact on version 6.1-rc1 and likely earlier and contemporary stable branches including 5.x and 6.0 series based on the kernel subsystem involved. The CPE cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* explicitly lists 6.1-rc1 as affected. Kernel versions prior to the fix commits (3d1b83ff7b6575a4e41283203e6b2e25ea700cd7 and related stable commits 567f8de358b, 777ecaabd614, dbc01c0a4e2, e558e148938, fef70f978bc) are vulnerable. Distributions shipping these kernel versions (RHEL, Ubuntu, Debian, Fedora, SUSE, etc.) in affected release cycles are indirectly impacted, though the vulnerability only affects systems with TIPC protocol enabled and users with socket-level access to create subscriptions.

Remediation

Apply the kernel patch immediately by upgrading to a patched kernel version containing one of the six fix commits identified in the stable tree (3d1b83ff7b6575a4e41283203e6b2e25ea700cd7 for mainline, and corresponding stable commits 567f8de358b, 777ecaabd614, dbc01c0a4e2, e558e148938, or fef70f978bc for stable branches). Check your distribution's security advisory (RHEL, Ubuntu, Debian, SUSE, etc.) for the specific kernel update containing this fix—most major distributions have backported this patch to their supported kernel versions. For interim mitigation on systems where immediate kernel updates are not feasible, disable TIPC protocol if not required by setting CONFIG_TIPC=n at compile time, or use AppArmor/SELinux policies to restrict access to TIPC sockets for unprivileged users. Verify patch application by checking kernel source history or release notes for your distribution's kernel version.

Priority Score

Score: 28 (scale: Low, Medium, High, Critical)
Breakdown: KEV 0, EPSS +0.0, CVSS +28, POC 0


CVE-2022-50531 vulnerability details – vuln.today
