CVE-2022-49663

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49663
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49663.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49663
Published
2025-02-26T02:23:59Z
Modified
2025-10-21T10:59:38.088872Z
Summary
tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()
Details

In the Linux kernel, the following vulnerability has been resolved:

tunnels: do not assume mac header is set in skb_tunnel_check_pmtu()

Recently added debug in commit f9aefd6b2aa3 ("net: warn if mac header was not set") caught a bug in skb_tunnel_check_pmtu(), as shown in this syzbot report [1].

In ndo_start_xmit() paths, there is really no need to use skb->mac_header, because skb->data is supposed to point at it.


Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cb47a8644cc9eb8ec81190a50e79e6530d0297f
Fixed
59c51c3b545128a92ebfb6dbae990d3abee110e7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cb47a8644cc9eb8ec81190a50e79e6530d0297f
Fixed
674a641e5b67e16ba3112eacd680ff87b38539de
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cb47a8644cc9eb8ec81190a50e79e6530d0297f
Fixed
32dcf62efa0003f92a976aea0c57f118e689de8b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4cb47a8644cc9eb8ec81190a50e79e6530d0297f
Fixed
853a7614880231747040cada91d2b8d2e995c51a

Affected versions

v5.*

v5.10
v5.10-rc1
v5.10-rc2
v5.10-rc3
v5.10-rc4
v5.10-rc5
v5.10-rc6
v5.10-rc7
v5.10.1
v5.10.10
v5.10.100
v5.10.101
v5.10.102
v5.10.103
v5.10.104
v5.10.105
v5.10.106
v5.10.107
v5.10.108
v5.10.109
v5.10.11
v5.10.110
v5.10.111
v5.10.112
v5.10.113
v5.10.114
v5.10.115
v5.10.116
v5.10.117
v5.10.118
v5.10.119
v5.10.12
v5.10.120
v5.10.121
v5.10.122
v5.10.123
v5.10.124
v5.10.125
v5.10.126
v5.10.127
v5.10.128
v5.10.13
v5.10.14
v5.10.15
v5.10.16
v5.10.17
v5.10.18
v5.10.19
v5.10.2
v5.10.20
v5.10.21
v5.10.22
v5.10.23
v5.10.24
v5.10.25
v5.10.26
v5.10.27
v5.10.28
v5.10.29
v5.10.3
v5.10.30
v5.10.31
v5.10.32
v5.10.33
v5.10.34
v5.10.35
v5.10.36
v5.10.37
v5.10.38
v5.10.39
v5.10.4
v5.10.40
v5.10.41
v5.10.42
v5.10.43
v5.10.44
v5.10.45
v5.10.46
v5.10.47
v5.10.48
v5.10.49
v5.10.5
v5.10.50
v5.10.51
v5.10.52
v5.10.53
v5.10.54
v5.10.55
v5.10.56
v5.10.57
v5.10.58
v5.10.59
v5.10.6
v5.10.60
v5.10.61
v5.10.62
v5.10.63
v5.10.64
v5.10.65
v5.10.66
v5.10.67
v5.10.68
v5.10.69
v5.10.7
v5.10.70
v5.10.71
v5.10.72
v5.10.73
v5.10.74
v5.10.75
v5.10.76
v5.10.77
v5.10.78
v5.10.79
v5.10.8
v5.10.80
v5.10.81
v5.10.82
v5.10.83
v5.10.84
v5.10.85
v5.10.86
v5.10.87
v5.10.88
v5.10.89
v5.10.9
v5.10.90
v5.10.91
v5.10.92
v5.10.93
v5.10.94
v5.10.95
v5.10.96
v5.10.97
v5.10.98
v5.10.99
v5.11
v5.11-rc1
v5.11-rc2
v5.11-rc3
v5.11-rc4
v5.11-rc5
v5.11-rc6
v5.11-rc7
v5.12
v5.12-rc1
v5.12-rc1-dontuse
v5.12-rc2
v5.12-rc3
v5.12-rc4
v5.12-rc5
v5.12-rc6
v5.12-rc7
v5.12-rc8
v5.13
v5.13-rc1
v5.13-rc2
v5.13-rc3
v5.13-rc4
v5.13-rc5
v5.13-rc6
v5.13-rc7
v5.14
v5.14-rc1
v5.14-rc2
v5.14-rc3
v5.14-rc4
v5.14-rc5
v5.14-rc6
v5.14-rc7
v5.15
v5.15-rc1
v5.15-rc2
v5.15-rc3
v5.15-rc4
v5.15-rc5
v5.15-rc6
v5.15-rc7
v5.15.1
v5.15.10
v5.15.11
v5.15.12
v5.15.13
v5.15.14
v5.15.15
v5.15.16
v5.15.17
v5.15.18
v5.15.19
v5.15.2
v5.15.20
v5.15.21
v5.15.22
v5.15.23
v5.15.24
v5.15.25
v5.15.26
v5.15.27
v5.15.28
v5.15.29
v5.15.3
v5.15.30
v5.15.31
v5.15.32
v5.15.33
v5.15.34
v5.15.35
v5.15.36
v5.15.37
v5.15.38
v5.15.39
v5.15.4
v5.15.40
v5.15.41
v5.15.42
v5.15.43
v5.15.44
v5.15.45
v5.15.46
v5.15.47
v5.15.48
v5.15.49
v5.15.5
v5.15.50
v5.15.51
v5.15.52
v5.15.6
v5.15.7
v5.15.8
v5.15.9
v5.16
v5.16-rc1
v5.16-rc2
v5.16-rc3
v5.16-rc4
v5.16-rc5
v5.16-rc6
v5.16-rc7
v5.16-rc8
v5.17
v5.17-rc1
v5.17-rc2
v5.17-rc3
v5.17-rc4
v5.17-rc5
v5.17-rc6
v5.17-rc7
v5.17-rc8
v5.18
v5.18-rc1
v5.18-rc2
v5.18-rc3
v5.18-rc4
v5.18-rc5
v5.18-rc6
v5.18-rc7
v5.18.1
v5.18.2
v5.18.3
v5.18.4
v5.18.5
v5.18.6
v5.18.7
v5.18.8
v5.18.9
v5.19-rc1
v5.19-rc2
v5.19-rc3
v5.8
v5.9
v5.9-rc1
v5.9-rc2
v5.9-rc3
v5.9-rc4
v5.9-rc5
v5.9-rc6
v5.9-rc7
v5.9-rc8

Database specific

vanir_signatures

[
    {
        "id": "CVE-2022-49663-10b67ada",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "209157640364438109195482103468631985558",
                "245353435020492914168001371873171876074",
                "164501999569477834316438443913358493352",
                "201702078790911973575979024002794889751"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@32dcf62efa0003f92a976aea0c57f118e689de8b",
        "target": {
            "file": "net/ipv4/ip_tunnel_core.c"
        }
    },
    {
        "id": "CVE-2022-49663-1766726e",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "209157640364438109195482103468631985558",
                "245353435020492914168001371873171876074",
                "164501999569477834316438443913358493352",
                "201702078790911973575979024002794889751"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@674a641e5b67e16ba3112eacd680ff87b38539de",
        "target": {
            "file": "net/ipv4/ip_tunnel_core.c"
        }
    },
    {
        "id": "CVE-2022-49663-b556f372",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "209157640364438109195482103468631985558",
                "245353435020492914168001371873171876074",
                "164501999569477834316438443913358493352",
                "201702078790911973575979024002794889751"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@853a7614880231747040cada91d2b8d2e995c51a",
        "target": {
            "file": "net/ipv4/ip_tunnel_core.c"
        }
    },
    {
        "id": "CVE-2022-49663-ea5767fc",
        "signature_type": "Line",
        "signature_version": "v1",
        "digest": {
            "line_hashes": [
                "209157640364438109195482103468631985558",
                "245353435020492914168001371873171876074",
                "164501999569477834316438443913358493352",
                "201702078790911973575979024002794889751"
            ],
            "threshold": 0.9
        },
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@59c51c3b545128a92ebfb6dbae990d3abee110e7",
        "target": {
            "file": "net/ipv4/ip_tunnel_core.c"
        }
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.9.0
Fixed
5.10.129
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.53
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
5.18.10