CVE-2022-49697: 
Linux Kernel vulnerability analysis and mitigation

CVE-2022-49697 addresses a request_socket leak vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) socket lookup helpers. The issue was discovered in a Calico cloud environment where a BPF program performing socket lookup operations would take a reference count on the socket but fail to properly decrement the child request socket before returning the parent LISTEN socket via sk_to_full_sk(), resulting in a request_sock slab object leak (Kernel Git).

The vulnerability occurs in the socket lookup process where the BPF program takes a reference count (refcnt) on the socket. When finding a request_socket, it returns the parent LISTEN socket through sk_to_full_sk() without first decrementing the child request socket's reference count. The fix involves modifying the behavior to retain returning full socks to the caller while ensuring proper decrementing of the child request_socket when present. The patch also includes validation of RCU flags on the listen socket to balance with bpf_sk_release() (Red Hat). The CVSS v3.1 base score for this vulnerability is 5.5, indicating moderate severity (Red Hat).

The vulnerability results in a memory leak of request_sock slab objects in the Linux kernel. This can lead to resource exhaustion over time as socket resources are not properly freed, potentially affecting system stability and performance in cloud environments using Calico (Kernel Git).

The fix has been implemented in the Linux kernel through a patch that properly decrements the child request_socket reference count before returning the parent LISTEN socket. The patch also includes additional safety checks for RCU flags on the listen socket. System administrators should update to a patched version of the Linux kernel to prevent the memory leak (Kernel Git).