{"id":"CVE-2022-49142","summary":"net: preserve skb_end_offset() in skb_unclone_keeptruesize()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: preserve skb_end_offset() in skb_unclone_keeptruesize()\n\nsyzbot found another way to trigger the infamous WARN_ON_ONCE(delta \u003c len)\nin skb_try_coalesce() [1]\n\nI was able to root cause the issue to kfence.\n\nWhen kfence is in action, the following assertion is no longer true:\n\nint size = xxxx;\nvoid *ptr1 = kmalloc(size, gfp);\nvoid *ptr2 = kmalloc(size, gfp);\n\nif (ptr1 && ptr2)\n\tASSERT(ksize(ptr1) == ksize(ptr2));\n\nWe attempted to fix these issues in the blamed commits, but forgot\nthat TCP was possibly shifting data after skb_unclone_keeptruesize()\nhas been used, notably from tcp_retrans_try_collapse().\n\nSo we not only need to keep same skb-\u003etruesize value,\nwe also need to make sure TCP wont fill new tailroom\nthat pskb_expand_head() was able to get from a\naddr = kmalloc(...) followed by ksize(addr)\n\nSplit skb_unclone_keeptruesize() into two parts:\n\n1) Inline skb_unclone_keeptruesize() for the common case,\n   when skb is not cloned.\n\n2) Out of line __skb_unclone_keeptruesize() for the 'slow path'.\n\nWARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nModules linked in:\nCPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295\nCode: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa \u003c0f\u003e 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa\nRSP: 0018:ffffc900063af268 EFLAGS: 00010293\nRAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000\nRDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003\nRBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000\nR10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8\nR13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155\nFS:  00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline]\n tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630\n tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914\n tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025\n tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947\n tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719\n sk_backlog_rcv include/net/sock.h:1037 [inline]\n __release_sock+0x134/0x3b0 net/core/sock.c:2779\n release_sock+0x54/0x1b0 net/core/sock.c:3311\n sk_wait_data+0x177/0x450 net/core/sock.c:2821\n tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457\n tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572\n inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850\n sock_recvmsg_nosec net/socket.c:948 [inline]\n sock_recvmsg net/socket.c:966 [inline]\n sock_recvmsg net/socket.c:962 [inline]\n ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632\n ___sys_recvmsg+0x127/0x200 net/socket.c:2674\n __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae","modified":"2026-04-02T08:27:19.946672Z","published":"2025-02-26T01:55:12.823Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49142.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/23629b673b780d967b88a850b1518cf0f0ffc6aa"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2b88cba55883eaafbc9b7cbff0b2c7cdba71ed01"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a903e516f5df44b46d526b403d93e7be1a425538"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a9a6d30264327d8ff7f23da33e7a77ffb793fa3f"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49142.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49142"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"097b9146c0e26aabaa6ff3e5ea536a53f5254a79"},{"fixed":"23629b673b780d967b88a850b1518cf0f0ffc6aa"},{"fixed":"a9a6d30264327d8ff7f23da33e7a77ffb793fa3f"},{"fixed":"a903e516f5df44b46d526b403d93e7be1a425538"},{"fixed":"2b88cba55883eaafbc9b7cbff0b2c7cdba71ed01"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"7118945cdf0d4b5a76eb4f5f330ac6f48d372025"},{"last_affected":"ec697f7f3f6a89d4dd1af113587d0330b5a033e8"},{"last_affected":"7582edf28f5d1f0a4d2f7abdb7d9560d09fd41b5"},{"last_affected":"5d55a6a46a7f70bc1d270c50200edd3096cb380c"},{"last_affected":"e6af7cb64b7b37b8a371acdbe33a636496ffb5a4"},{"last_affected":"97ff09a7ed484fef2b1bbc103857444b7332fca8"},{"last_affected":"bf5a58d143d7899d2c89e585be6e98ec81fe9683"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49142.json"}}],"schema_version":"1.7.5"}