cve/published/2022/CVE-2022-48651.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

 If an AF_PACKET socket is used to send packets through ipvlan and the
 default xmit function of the AF_PACKET socket is changed from
 dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
 name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and
 remains as the initial value of 65535, this may trigger slab-out-of-bounds
 bugs as following:

 =================================================================
 UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
 PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
 all Trace:
 print_address_description.constprop.0+0x1d/0x160
 print_report.cold+0x4f/0x112
 kasan_report+0xa3/0x130
 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
 ipvlan_start_xmit+0x29/0xa0 [ipvlan]
 __dev_direct_xmit+0x2e2/0x380
 packet_direct_xmit+0x22/0x60
 packet_snd+0x7c9/0xc40
 sock_sendmsg+0x9a/0xa0
 __sys_sendto+0x18a/0x230
 __x64_sys_sendto+0x74/0x90
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

 The root cause is:
   1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW
      and skb->protocol is not specified as in packet_parse_headers()

   2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()

 In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is
 called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which
 use "skb->head + skb->mac_header", out-of-bound access occurs.

 This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
 and reset mac header in multicast to solve this out-of-bound bug.

 The Linux kernel CVE team has assigned CVE-2022-48651 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.9.330 with commit e2b46cd5796f083e452fbc624f65b80328b0c1a4
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.14.295 with commit 25efdbe5fe542c3063d1948cc4e98abcb57621ca
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.19.260 with commit bffcdade259c05ab3436b5fab711612093c275ef
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.4.215 with commit 346e94aa4a99378592c46d6a34c72703a32bd5be
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.10.146 with commit ab4a733874ead120691e8038272d22f8444d3638
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.15.71 with commit 8d06006c7eb75587d986da46c48ba9274f94e8e7
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.19.12 with commit b583e6b25bf9321c91154f6c78d2173ef12c4241
 	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.0 with commit 81225b2ea161af48e093f58e8dfee6d705b16af4

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48651
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/ipvlan/ipvlan_core.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4
 	https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca
 	https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef
 	https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be
 	https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638
 	https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7
 	https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241
 	https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48651: ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

	If an AF_PACKET socket is used to send packets through ipvlan and the
	default xmit function of the AF_PACKET socket is changed from
	dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option
	name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and
	remains as the initial value of 65535, this may trigger slab-out-of-bounds
	bugs as following:

	=================================================================
	UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
	PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6
	ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33
	all Trace:
	print_address_description.constprop.0+0x1d/0x160
	print_report.cold+0x4f/0x112
	kasan_report+0xa3/0x130
	ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]
	ipvlan_start_xmit+0x29/0xa0 [ipvlan]
	__dev_direct_xmit+0x2e2/0x380
	packet_direct_xmit+0x22/0x60
	packet_snd+0x7c9/0xc40
	sock_sendmsg+0x9a/0xa0
	__sys_sendto+0x18a/0x230
	__x64_sys_sendto+0x74/0x90
	do_syscall_64+0x3b/0x90
	entry_SYSCALL_64_after_hwframe+0x63/0xcd

	The root cause is:
	1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW
	and skb->protocol is not specified as in packet_parse_headers()

	2. packet_direct_xmit() doesn't reset skb->mac_header as dev_queue_xmit()

	In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is
	called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which
	use "skb->head + skb->mac_header", out-of-bound access occurs.

	This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()
	and reset mac header in multicast to solve this out-of-bound bug.

	The Linux kernel CVE team has assigned CVE-2022-48651 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.9.330 with commit e2b46cd5796f083e452fbc624f65b80328b0c1a4
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.14.295 with commit 25efdbe5fe542c3063d1948cc4e98abcb57621ca
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 4.19.260 with commit bffcdade259c05ab3436b5fab711612093c275ef
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.4.215 with commit 346e94aa4a99378592c46d6a34c72703a32bd5be
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.10.146 with commit ab4a733874ead120691e8038272d22f8444d3638
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.15.71 with commit 8d06006c7eb75587d986da46c48ba9274f94e8e7
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 5.19.12 with commit b583e6b25bf9321c91154f6c78d2173ef12c4241
	Issue introduced in 3.19 with commit 2ad7bf3638411cb547f2823df08166c13ab04269 and fixed in 6.0 with commit 81225b2ea161af48e093f58e8dfee6d705b16af4

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48651
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/ipvlan/ipvlan_core.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4
	https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca
	https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef
	https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be
	https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638
	https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7
	https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241
	https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4