CVE-2022-48744

In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.

Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler.

We were doing:

#define ETH_HLEN  14
#define VLAN_HLEN  4
...
#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)
...
    struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);
...
    struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;
    struct mlx5_wqe_data_seg *dseg = wqe->data;
...
memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);

target is wqe->eth.inlinehdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlantci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr (8 bytes).

struct mlx5etxwqe { struct mlx5wqectrlseg ctrl; /* 0 16 */ struct mlx5wqeethseg eth; /* 16 16 / struct mlx5_wqe_data_seg data[]; / 32 0 */

    /* size: 32, cachelines: 1, members: 3 */
    /* last cacheline: 32 bytes */

};

struct mlx5wqeethseg { u8 swpouterl4offset; /* 0 1 / u8 swp_outer_l3_offset; / 1 1 / u8 swp_inner_l4_offset; / 2 1 / u8 swp_inner_l3_offset; / 3 1 / u8 cs_flags; / 4 1 / u8 swp_flags; / 5 1 / __be16 mss; / 6 2 / __be32 flow_table_metadata; / 8 4 / union { struct { __be16 sz; / 12 2 / u8 start[2]; / 14 2 / } inline_hdr; / 12 4 / struct { __be16 type; / 12 2 / __be16 vlan_tci; / 14 2 / } insert; / 12 4 / __be32 trailer; / 12 4 / }; / 12 4 */

    /* size: 16, cachelines: 1, members: 9 */
    /* last cacheline: 16 bytes */

};

struct mlx5wqedataseg { _be32 bytecount; /* 0 4 */ _be32 lkey; /* 4 4 / __be64 addr; / 8 8 */

    /* size: 16, cachelines: 1, members: 3 */
    /* last cacheline: 16 bytes */

};

So, split the memcpy() so the compiler can reason about the buffer sizes.

"pahole" shows no size nor member offset changes to struct mlx5etxwqe nor struct mlx5eumrwqe. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b5503b994ed5ed8dbfe821317e7b5b38acb065c5

Fixed

8fbdf8c8b8ab82beab882175157650452c46493e

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

b5503b994ed5ed8dbfe821317e7b5b38acb065c5

Fixed

ad5185735f7dab342fdd0dd41044da4c9ccfef67

Affected versions

v4.*

v4.10

v4.10-rc1

v4.10-rc2

v4.10-rc3

v4.10-rc4

v4.10-rc5

v4.10-rc6

v4.10-rc7

v4.10-rc8

v4.11

v4.11-rc1

v4.11-rc2

v4.11-rc3

v4.11-rc4

v4.11-rc5

v4.11-rc6

v4.11-rc7

v4.11-rc8

v4.12

v4.12-rc1

v4.12-rc2

v4.12-rc3

v4.12-rc4

v4.12-rc5

v4.12-rc6

v4.12-rc7

v4.13

v4.13-rc1

v4.13-rc2

v4.13-rc3

v4.13-rc4

v4.13-rc5

v4.13-rc6

v4.13-rc7

v4.14

v4.14-rc1

v4.14-rc2

v4.14-rc3

v4.14-rc4

v4.14-rc5

v4.14-rc6

v4.14-rc7

v4.14-rc8

v4.15

v4.15-rc1

v4.15-rc2

v4.15-rc3

v4.15-rc4

v4.15-rc5

v4.15-rc6

v4.15-rc7

v4.15-rc8

v4.15-rc9

v4.16

v4.16-rc1

v4.16-rc2

v4.16-rc3

v4.16-rc4

v4.16-rc5

v4.16-rc6

v4.16-rc7

v4.17

v4.17-rc1

v4.17-rc2

v4.17-rc3

v4.17-rc4

v4.17-rc5

v4.17-rc6

v4.17-rc7

v4.18

v4.18-rc1

v4.18-rc2

v4.18-rc3

v4.18-rc4

v4.18-rc5

v4.18-rc6

v4.18-rc7

v4.18-rc8

v4.19

v4.19-rc1

v4.19-rc2

v4.19-rc3

v4.19-rc4

v4.19-rc5

v4.19-rc6

v4.19-rc7

v4.19-rc8

v4.20

v4.20-rc1

v4.20-rc2

v4.20-rc3

v4.20-rc4

v4.20-rc5

v4.20-rc6

v4.20-rc7

v4.8

v4.8-rc7

v4.8-rc8

v4.9

v4.9-rc1

v4.9-rc2

v4.9-rc3

v4.9-rc4

v4.9-rc5

v4.9-rc6

v4.9-rc7

v4.9-rc8

v5.*

v5.0

v5.0-rc1

v5.0-rc2

v5.0-rc3

v5.0-rc4

v5.0-rc5

v5.0-rc6

v5.0-rc7

v5.0-rc8

v5.1

v5.1-rc1

v5.1-rc2

v5.1-rc3

v5.1-rc4

v5.1-rc5

v5.1-rc6

v5.1-rc7

v5.10

v5.10-rc1

v5.10-rc2

v5.10-rc3

v5.10-rc4

v5.10-rc5

v5.10-rc6

v5.10-rc7

v5.11

v5.11-rc1

v5.11-rc2

v5.11-rc3

v5.11-rc4

v5.11-rc5

v5.11-rc6

v5.11-rc7

v5.12

v5.12-rc1

v5.12-rc1-dontuse

v5.12-rc2

v5.12-rc3

v5.12-rc4

v5.12-rc5

v5.12-rc6

v5.12-rc7

v5.12-rc8

v5.13

v5.13-rc1

v5.13-rc2

v5.13-rc3

v5.13-rc4

v5.13-rc5

v5.13-rc6

v5.13-rc7

v5.14

v5.14-rc1

v5.14-rc2

v5.14-rc3

v5.14-rc4

v5.14-rc5

v5.14-rc6

v5.14-rc7

v5.15

v5.15-rc1

v5.15-rc2

v5.15-rc3

v5.15-rc4

v5.15-rc5

v5.15-rc6

v5.15-rc7

v5.16

v5.16-rc1

v5.16-rc2

v5.16-rc3

v5.16-rc4

v5.16-rc5

v5.16-rc6

v5.16-rc7

v5.16-rc8

v5.16.1

v5.16.2

v5.16.3

v5.16.4

v5.16.5

v5.17-rc1

v5.2

v5.2-rc1

v5.2-rc2

v5.2-rc3

v5.2-rc4

v5.2-rc5

v5.2-rc6

v5.2-rc7

v5.3

v5.3-rc1

v5.3-rc2

v5.3-rc3

v5.3-rc4

v5.3-rc5

v5.3-rc6

v5.3-rc7

v5.3-rc8

v5.4

v5.4-rc1

v5.4-rc2

v5.4-rc3

v5.4-rc4

v5.4-rc5

v5.4-rc6

v5.4-rc7

v5.4-rc8

v5.5

v5.5-rc1

v5.5-rc2

v5.5-rc3

v5.5-rc4

v5.5-rc5

v5.5-rc6

v5.5-rc7

v5.6

v5.6-rc1

v5.6-rc2

v5.6-rc3

v5.6-rc4

v5.6-rc5

v5.6-rc6

v5.6-rc7

v5.7

v5.7-rc1

v5.7-rc2

v5.7-rc3

v5.7-rc4

v5.7-rc5

v5.7-rc6

v5.7-rc7

v5.8

v5.8-rc1

v5.8-rc2

v5.8-rc3

v5.8-rc4

v5.8-rc5

v5.8-rc6

v5.8-rc7

v5.9

v5.9-rc1

v5.9-rc2

v5.9-rc3

v5.9-rc4

v5.9-rc5

v5.9-rc6

v5.9-rc7

v5.9-rc8

Database specific

vanir_signatures

[
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8fbdf8c8b8ab82beab882175157650452c46493e",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "function": "mlx5e_xmit_xdp_frame",
            "file": "drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c"
        },
        "id": "CVE-2022-48744-09700339",
        "digest": {
            "length": 1156.0,
            "function_hash": "248266317017303390213245068479859595721"
        },
        "signature_type": "Function"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8fbdf8c8b8ab82beab882175157650452c46493e",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlx5/core/en.h"
        },
        "id": "CVE-2022-48744-1d8193b4",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "30019142934709821118405460992787273082",
                "99738867092698768783048024117889606813",
                "154581671205207260993174704272824837031",
                "90603880427295173315380623445293488504",
                "102034530286950751555334721322431122284",
                "96739234934152961920157900553786704621",
                "29452159303817741942874055022143685856",
                "231321844717600949041712950556379881257",
                "137868313266066090443705617328938932186"
            ]
        },
        "signature_type": "Line"
    },
    {
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8fbdf8c8b8ab82beab882175157650452c46493e",
        "signature_version": "v1",
        "deprecated": false,
        "target": {
            "file": "drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c"
        },
        "id": "CVE-2022-48744-365e7720",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "266840291559207468719776952155897063141",
                "226178845071554161931602532384262769270",
                "301938485161829352391108763175188080567",
                "253866170139882458066053602703639324292",
                "2377936131564965455172018623192956516"
            ]
        },
        "signature_type": "Line"
    }
]

CVE-2022-48744

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Affected versions

v4.*

v5.*

Database specific

vanir_signatures

Linux / Kernel

Package

Affected ranges