CVE-2022-49094

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2022-49094

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49094.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2022-49094

Related

UBUNTU-CVE-2022-49094

Published

2025-02-26T07:00:46Z

Modified

2025-02-26T19:00:59.079386Z

Summary

[none]

Details

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tlsctx->rx.iv for AES128-CCM is 12 setting in tlssetswoffload(). The return value of cryptoaeadivsize() for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes memory space will trigger slab-out-of-bounds bug as following:

================================================================== BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] Read of size 16 at addr ffff888114e84e60 by task tls/10911

Call Trace: <TASK> dumpstacklvl+0x34/0x44 printreport.cold+0x5e/0x5db ? decryptinternal+0x385/0xc40 [tls] kasanreport+0xab/0x120 ? decryptinternal+0x385/0xc40 [tls] kasancheckrange+0xf9/0x1e0 memcpy+0x20/0x60 decryptinternal+0x385/0xc40 [tls] ? tlsgetrec+0x2e0/0x2e0 [tls] ? processrxlist+0x1a5/0x420 [tls] ? tlssetupfromiter.constprop.0+0x2e0/0x2e0 [tls] decryptskbupdate+0x9d/0x400 [tls] tlsswrecvmsg+0x3c8/0xb50 [tls]

Allocated by task 10911: kasansavestack+0x1e/0x40 _kasankmalloc+0x81/0xa0 tlssetswoffload+0x2eb/0xa20 [tls] tlssetsockopt+0x68c/0x700 [tls] _syssetsockopt+0xfe/0x1b0

Replace the cryptoaeadivsize() with prot->ivsize + prot->saltsize when memcpy() iv value in TLS13_VERSION scenario.

References

Affected packages

Debian:11 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.10.113-1

Affected versions

5.*

5.10.46-4

5.10.46-5

5.10.70-1~bpo10+1

5.10.70-1

5.10.84-1

5.10.92-1~bpo10+1

5.10.92-1

5.10.92-2

5.10.103-1~bpo10+1

5.10.103-1

5.10.106-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name: linux
Purl: pkg:deb/debian/linux?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.17.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}