CVE-2022-48651

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48651
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48651.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48651
Related
Published
2024-04-28T13:15:07Z
Modified
2024-09-18T03:22:31.559732Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains at the initial value of 65535; this may trigger slab-out-of-bounds bugs as follows:

=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
 print_address_description.constprop.0+0x1d/0x160
 print_report.cold+0x4f/0x112
 kasan_report+0xa3/0x130
 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
 ipvlan_start_xmit+0x29/0xa0 [ipvlan]
 __dev_direct_xmit+0x2e2/0x380
 packet_direct_xmit+0x22/0x60
 packet_snd+0x7c9/0xc40
 sock_sendmsg+0x9a/0xa0
 __sys_sendto+0x18a/0x230
 __x64_sys_sendto+0x74/0x90
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:

1. packet_snd() only resets skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified, as in packet_parse_headers()

2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit() does

In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets the mac header with eth_hdr(), which uses "skb->head + skb->mac_header", an out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and resets the mac header in multicast to solve this out-of-bound bug.
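As an added illustration (not kernel code and not part of the advisory text): a constructed user-space model of the sk_buff fields the commit message describes. It shows why eth_hdr() on an skb whose mac_header is still 65535 reads outside the slab object, while skb_eth_hdr(), or resetting the mac header first, reads the frame packet_snd() actually placed at skb->data. The struct, the sample frame and the *_off/*_model names are assumptions of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the sk_buff fields involved; this is not kernel code. */
#define SKB_MAC_HEADER_UNSET 0xFFFFu /* (u16)~0U == 65535, the value in the report */
#define ETH_HLEN 14
struct skb_model {
    uint8_t head[256];   /* the slab object; skb->head */
    size_t len;          /* usable bytes at head */
    size_t data;         /* skb->data as an offset from head */
    uint16_t mac_header; /* skb->mac_header: offset from head, or the sentinel */
};
static int mac_header_was_set(const struct skb_model *skb) { return skb->mac_header != SKB_MAC_HEADER_UNSET; }
/* What the dev_queue_xmit() path does and packet_direct_xmit() skips. */
static void reset_mac_header(struct skb_model *skb) { skb->mac_header = (uint16_t)skb->data; }
/* eth_hdr(): head + mac_header, trusting mac_header (the accessor the fix removed). */
static size_t eth_hdr_off(const struct skb_model *skb) { return skb->mac_header; }
/* skb_eth_hdr(): head + data, where packet_snd() placed the frame (the fix). */
static size_t skb_eth_hdr_off(const struct skb_model *skb) { return skb->data; }
/* Read h_proto (bytes 12-13 of the Ethernet header) at offset off; returns -1 where
   the real kernel would read past the slab object, the access KASAN reported. */
static int read_h_proto(const struct skb_model *skb, size_t off) {
    if (off + ETH_HLEN > skb->len) return -1;
    return (skb->head[off + 12] << 8) | skb->head[off + 13];
}
/* Frame as an AF_PACKET send with PACKET_QDISC_BYPASS hands it to ipvlan: data
   points at the Ethernet header, mac_header still 65535 (constructed sample). */
static void build_unset_skb(struct skb_model *skb) {
    static const uint8_t frame[ETH_HLEN] = { 0x01,0x00,0x5e,0x00,0x00,0x01,
        0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00 }; /* mcast dst, src, IPv4 */
    memset(skb, 0, sizeof(*skb));
    skb->len = sizeof(skb->head);
    skb->data = 64; /* headroom left by the allocator */
    memcpy(skb->head + skb->data, frame, ETH_HLEN);
    skb->mac_header = SKB_MAC_HEADER_UNSET;
}
/* Build the skb, optionally reset mac_header first, then read h_proto via one accessor. */
static int h_proto_via(int use_skb_eth_hdr, int reset_first) {
    struct skb_model skb;
    build_unset_skb(&skb);
    if (reset_first && !mac_header_was_set(&skb)) reset_mac_header(&skb);
    return read_h_proto(&skb, use_skb_eth_hdr ? skb_eth_hdr_off(&skb) : eth_hdr_off(&skb));
}
int main(void) {
    printf("eth_hdr() unset: %d  skb_eth_hdr(): 0x%04x  eth_hdr() after reset: 0x%04x\n",
           h_proto_via(0, 0), h_proto_via(1, 0), h_proto_via(0, 1));
    return 0;
}
```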

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
5.10.148-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1
5.10.113-1
5.10.120-1~bpo10+1
5.10.120-1
5.10.127-1
5.10.127-2~bpo10+1
5.10.127-2
5.10.136-1
5.10.140-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
6.0.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}