CVE-2022-50655

Vulnerability

Overview

In the Linux kernel's PPP (Point-to-Point Protocol) driver, the function ppp_send_frame transmits packets without associating the socket buffer (skb) with a network device or a socket. This causes the flow dissector to issue a warning when it attempts to determine the packet's network namespace, as it expects either a device or a socket to be set. The issue was discovered by syzkaller and manifests as a kernel warning at __skb_flow_dissect in net/core/flow_dissector.c [1].

Exploitation

Conditions

An attacker with local access and the ability to create a PPP unit and send crafted packets via the PPPIOCSACTIVE ioctl and pwritev system call can trigger the warning. No special privileges beyond the ability to open a PPP device are required, making the attack surface accessible to unprivileged users in many configurations. The warning is triggered during the transmit path when the flow dissector is invoked, for example by a BPF program attached to the socket.

Impact

The primary impact is a kernel warning that can flood system logs and, under certain conditions, lead to a denial of service if the warning is treated as a panic or if repeated warnings degrade performance. The warning itself does not directly corrupt memory, but it indicates a violation of kernel assumptions that could be leveraged in more complex exploits.

Mitigation

The fix, committed as 7da524781c53 and backported to stable kernels as 9f225444467b, ensures that ppp_send_frame manually sets the skb's device to ppp->dev before transmission, satisfying the flow dissector's requirements [1][2]. Users should apply the latest stable kernel updates to remediate this vulnerability.