In the Linux kernel, the following vulnerability has been resolved:
ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name PACKET_QDISC_BYPASS, skb->mac_header may not be reset and remains at its initial value of 65535. This may trigger slab-out-of-bounds bugs such as the following:
=================================================================
BUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
CPU: 2 PID: 1768 Comm: rawsend Kdump: loaded Not tainted 6.0.0-rc4+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
Call Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is: 1. packet_snd() only resets skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified, as in packet_parse_headers()
In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets the mac header with eth_hdr(), which uses "skb->head + skb->mac_header", an out-of-bounds access occurs.
This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and resets the mac header in multicast to solve this out-of-bounds bug.
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffcdade259c05ab3436b5fab711612093c275ef", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-083e3204" }, { "digest": { "length": 710.0, "function_hash": "145447445492334539351444569703101833382" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2b46cd5796f083e452fbc624f65b80328b0c1a4", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-0d86eb48" }, { "digest": { "line_hashes": [ "128811733758438431979701963034592921838", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "58408316192185822775275619217471635637", "258505282619587611687079478098644948392" 
], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2b46cd5796f083e452fbc624f65b80328b0c1a4", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-1172b563" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b583e6b25bf9321c91154f6c78d2173ef12c4241", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-1521fe22" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b583e6b25bf9321c91154f6c78d2173ef12c4241", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-247fa50f" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d06006c7eb75587d986da46c48ba9274f94e8e7", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-2a5dcbce" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25efdbe5fe542c3063d1948cc4e98abcb57621ca", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-2abe2b14" }, { 
"digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffcdade259c05ab3436b5fab711612093c275ef", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-2f196b77" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81225b2ea161af48e093f58e8dfee6d705b16af4", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-452bee92" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bffcdade259c05ab3436b5fab711612093c275ef", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-45368bc4" }, { "digest": { "line_hashes": [ "128811733758438431979701963034592921838", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25efdbe5fe542c3063d1948cc4e98abcb57621ca", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-5e1f8224" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e2b46cd5796f083e452fbc624f65b80328b0c1a4", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-5e899fe9" }, { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@346e94aa4a99378592c46d6a34c72703a32bd5be", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-81e4a1b4" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@346e94aa4a99378592c46d6a34c72703a32bd5be", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, 
"signature_version": "v1", "id": "CVE-2022-48651-8edcc362" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81225b2ea161af48e093f58e8dfee6d705b16af4", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-98157a99" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab4a733874ead120691e8038272d22f8444d3638", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-b4108c5a" }, { "digest": { "length": 715.0, "function_hash": "100482216895844194772501058270113777629" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@346e94aa4a99378592c46d6a34c72703a32bd5be", "signature_type": "Function", "target": { "function": "ipvlan_process_outbound", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-b4dc85ae" }, { "digest": { "length": 717.0, "function_hash": "184390733933639882701799993895003879526" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@25efdbe5fe542c3063d1948cc4e98abcb57621ca", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-c20ff1e7" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab4a733874ead120691e8038272d22f8444d3638", "signature_type": "Function", "target": { 
"function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-c4490a61" }, { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@ab4a733874ead120691e8038272d22f8444d3638", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-c6c0647e" }, { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81225b2ea161af48e093f58e8dfee6d705b16af4", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", 
"id": "CVE-2022-48651-c7eacf1a" }, { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@b583e6b25bf9321c91154f6c78d2173ef12c4241", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-ce72f27a" }, { "digest": { "line_hashes": [ "11652480968916431786895747635053801665", "50466261255387044780009268479679710725", "226103323198094659623999969066095072092", "212785135364162566975998703121450778596", "54410024111568425778291588258476275591", "18123148477197483061819426820563483939", "116694234117163007069490333018478505696", "27262707858756166878786852414346028608", "3095735256405634615189979491092976714", "121046948132581049998490036550575736561", "156570653020687395480474730824978226878", "113907840524312368416041928345514131708", "22581365618468784856741542363308379234", "292389022737618166862834703801540531673" ], "threshold": 0.9 }, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d06006c7eb75587d986da46c48ba9274f94e8e7", "signature_type": "Line", "target": { "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-fdf47364" }, { "digest": { "length": 841.0, "function_hash": "231407313604828372566520546770188776142" }, 
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8d06006c7eb75587d986da46c48ba9274f94e8e7", "signature_type": "Function", "target": { "function": "ipvlan_xmit_mode_l2", "file": "drivers/net/ipvlan/ipvlan_core.c" }, "deprecated": false, "signature_version": "v1", "id": "CVE-2022-48651-fe659254" } ] }