All of lore.kernel.org
 help / color / mirror / Atom feed
* CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
@ 2024-04-28 13:05 Greg Kroah-Hartman
  0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-04-28 13:05 UTC (permalink / raw)
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

If an AF_PACKET socket is used to send packets through ipvlan and the
default xmit function of the AF_PACKET socket is changed from
dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and
remains as the initial value of 65535, this may trigger slab-out-of-bounds
bugs as following:

=================================================================
UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
all Trace:
print_address_description.constprop.0+0x1d/0x160
print_report.cold+0x4f/0x112
kasan_report+0xa3/0x130
ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
ipvlan_start_xmit+0x29/0xa0 [ipvlan]
__dev_direct_xmit+0x2e2/0x380
packet_direct_xmit+0x22/0x60
packet_snd+0x7c9/0xc40
sock_sendmsg+0x9a/0xa0
__sys_sendto+0x18a/0x230
__x64_sys_sendto+0x74/0x90
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:
  1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW
     and skb->protocol is not specified as in packet_parse_headers()

  2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()

In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is
called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which
use "skb->head + skb->mac_header", out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
and reset mac header in multicast to solve this out-of-bound bug.

The Linux kernel CVE team has assigned CVE-2022-48651 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 4.9.330 with commit e2b46cd5796f
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 4.14.295 with commit 25efdbe5fe54
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 4.19.260 with commit bffcdade259c
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 5.4.215 with commit 346e94aa4a99
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 5.10.146 with commit ab4a733874ea
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 5.15.71 with commit 8d06006c7eb7
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 5.19.12 with commit b583e6b25bf9
	Issue introduced in 3.19 with commit 2ad7bf363841 and fixed in 6.0 with commit 81225b2ea161

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48651
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	drivers/net/ipvlan/ipvlan_core.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4
	https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca
	https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef
	https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be
	https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638
	https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7
	https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241
	https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2024-04-28 13:06 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2024-04-28 13:05 CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header Greg Kroah-Hartman

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.