CVE-2022-49094

The memory size of tlsctx->rx.iv for AES128-CCM is 12 setting in tlssetswoffload(). The return value of cryptoaeadivsize() for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes memory space will trigger slab-out-of-bounds bug as following:

================================================================== BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] Read of size 16 at addr ffff888114e84e60 by task tls/10911

Call Trace: <TASK> dumpstacklvl+0x34/0x44 printreport.cold+0x5e/0x5db ? decryptinternal+0x385/0xc40 [tls] kasanreport+0xab/0x120 ? decryptinternal+0x385/0xc40 [tls] kasancheckrange+0xf9/0x1e0 memcpy+0x20/0x60 decryptinternal+0x385/0xc40 [tls] ? tlsgetrec+0x2e0/0x2e0 [tls] ? processrxlist+0x1a5/0x420 [tls] ? tlssetupfromiter.constprop.0+0x2e0/0x2e0 [tls] decryptskbupdate+0x9d/0x400 [tls] tlsswrecvmsg+0x3c8/0xb50 [tls]

Allocated by task 10911: kasansavestack+0x1e/0x40 __kasankmalloc+0x81/0xa0 tlsset_swoffload+0x2eb/0xa20 [tls] tlssetsockopt+0x68c/0x700 [tls] _syssetsockopt+0xfe/0x1b0

Replace the cryptoaeadivsize() with prot->ivsize + prot->saltsize when memcpy() iv value in TLS13_VERSION scenario.

Database specific

{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49094.json"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

f295b3ae9f5927e084bd5decdff82390e3471801

Fixed

2b7d14c105dd8f6412eda5a91e1e6154653731e3

Fixed

589154d0f18945f41d138a5b4e49e518d294474b

Fixed

6e2f1b033b17dedda51d465861b69e58317d6343

Fixed

29be1816cbab9a0dc6243120939fd10a92753756

Fixed

2304660ab6c425df64d95301b601424c6a50f28b

Fixed

9381fe8c849cfbe50245ac01fc077554f6eaa0e2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49094.json"