CVE-2022-50643
Description
In the Linux kernel, the following vulnerability has been resolved:
cifs: Fix xid leak in cifs_copy_file_range()
If the file is used by swap, the xid should be freed before returning -EOPNOTSUPP; otherwise, the xid will be leaked.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing xid (transaction ID) free in the Linux kernel's cifs_copy_file_range() causes a small memory leak when the source file is a swap file.
In the Linux kernel's CIFS (SMB) client code, the function cifs_copy_file_range() is responsible for offloading file copy operations to the server via server-side copy. The vulnerability, CVE-2022-50643, is a memory leak of an xid (transaction ID) that occurs when the source file is determined to be a swap file. The function checks if the file is swap-backed early and returns -EOPNOTSUPP, but before that return the allocated xid must be freed with free_xid(). This cleanup was missing, leading to a leak [1].
To trigger this bug, an attacker would need to have access to a swap file on a CIFS mount and attempt to copy data from it. The prerequisite is that a user or process initiates a copy_file_range() operation with a source file that is used for swap. No special privileges beyond those needed to copy the file are required, though the system must have a Linux kernel version containing the flawed code (prior to the backported fix) [2].
The impact is limited to a slow, incremental exhaustion of transaction ID resources (CIDR-like integers) within the CIFS client. Over many such attempts, this could cause performance degradation or denial of service for legitimate CIFS operations, though the leak is small per occurrence and unlikely to be catastrophic in practice [1].
The vulnerability is fixed in the Linux kernel mainline and stable branches. The patch corrects the error path by adding free_xid() before return -EOPNOTSUPP. System administrators should apply the relevant stable updates (e.g., commit 27cfd3afaab0 for older stable versions) to prevent the leak [1][2].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
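The error path described above, as an added userspace model (not the kernel's code and not the upstream patch). `model_get_xid()`, `model_free_xid()`, `struct model_file` and the outstanding-xid counter are hypothetical stand-ins that assume xids are tracked as a simple handed-out/released count.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-ins for the CIFS client's xid bookkeeping. */
static unsigned int next_xid;  /* last id handed out */
static int active_xids;        /* ids handed out and not yet released */

static unsigned int model_get_xid(void) { active_xids++; return ++next_xid; }
static void model_free_xid(unsigned int xid) { (void)xid; active_xids--; }

struct model_file { bool swapfile; };  /* assumption: "file is used by swap" */

/* Before the fix: the swap check returns without releasing the xid. */
static int copy_range_leaky(const struct model_file *f)
{
    unsigned int xid = model_get_xid();
    if (f->swapfile)
        return -EOPNOTSUPP;            /* xid is never freed on this path */
    /* ... the copy itself would run here ... */
    model_free_xid(xid);
    return 0;
}

/* After the fix: the xid is released before the early return. */
static int copy_range_fixed(const struct model_file *f)
{
    unsigned int xid = model_get_xid();
    if (f->swapfile) {
        model_free_xid(xid);
        return -EOPNOTSUPP;
    }
    /* ... the copy itself would run here ... */
    model_free_xid(xid);
    return 0;
}

/* Call fn n times on f and report how many xids are still outstanding. */
static int leaked_after(int (*fn)(const struct model_file *),
                        const struct model_file *f, int n)
{
    active_xids = 0;
    for (int i = 0; i < n; i++)
        fn(f);
    return active_xids;
}

int main(void)
{
    struct model_file swap = { true };  /* constructed sample input */
    printf("leaky: %d outstanding\n", leaked_after(copy_range_leaky, &swap, 100));
    printf("fixed: %d outstanding\n", leaked_after(copy_range_fixed, &swap, 100));
    return 0;
}
```

Both variants return the same error to the caller, so the leak is invisible from the return value alone; it only shows up in the outstanding count.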
Affected products (2)
Patches (4)
bf49d4fe4ab7
dc283313d1ca
9a97df404a40
27cfd3afaab0
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)