cve/published/2022/CVE-2022-48687.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48687: ipv6: sr: fix out-of-bounds read when setting HMAC data.

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ipv6: sr: fix out-of-bounds read when setting HMAC data.

 The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
 Segment Routing Headers. This configuration is realised via netlink through
 four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
 SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
 length of the SECRET attribute, it is possible to provide invalid combinations
 (e.g., secret = "", secretlen = 64). This case is not checked in the code and
 with an appropriately crafted netlink message, an out-of-bounds read of up
 to 64 bytes (max secret length) can occur past the skb end pointer and into
 skb_shared_info:

 Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
 208		memcpy(hinfo->secret, secret, slen);
 (gdb) bt
  #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
  #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
     extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
     family=<optimized out>) at net/netlink/genetlink.c:731
  #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
     family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
  #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
  #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
     at net/netlink/af_netlink.c:2501
  #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
  #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
     at net/netlink/af_netlink.c:1319
  #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
     at net/netlink/af_netlink.c:1345
  #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
 ...
 (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
 $1 = 0xffff88800b1b76c0
 (gdb) p/x secret
 $2 = 0xffff88800b1b76c0
 (gdb) p slen
 $3 = 64 '@'

 The OOB data can then be read back from userspace by dumping HMAC state. This
 commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
 SECRET.

 The Linux kernel CVE team has assigned CVE-2022-48687 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 4.14.293 with commit dc9dbd65c803af1607484fed5da50d41dc8dd864
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 4.19.258 with commit f684c16971ed5e77dfa25a9ad25b5297e1f58eab
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.4.213 with commit 3df71e11a4773d775c3633c44319f7acdb89011c
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.10.143 with commit 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.15.68 with commit 55195563ec29f80f984237b743de0e2b6ba4d093
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.19.9 with commit 56ad3f475482bca55b0ae544031333018eb145b3
 	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 6.0 with commit 84a53580c5d2138c7361c7c3eea5b31827e63b35

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48687
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/seg6.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864
 	https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab
 	https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c
 	https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa
 	https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093
 	https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3
 	https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48687: ipv6: sr: fix out-of-bounds read when setting HMAC data.

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ipv6: sr: fix out-of-bounds read when setting HMAC data.

	The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
	Segment Routing Headers. This configuration is realised via netlink through
	four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
	SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
	length of the SECRET attribute, it is possible to provide invalid combinations
	(e.g., secret = "", secretlen = 64). This case is not checked in the code and
	with an appropriately crafted netlink message, an out-of-bounds read of up
	to 64 bytes (max secret length) can occur past the skb end pointer and into
	skb_shared_info:

	Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
	208 memcpy(hinfo->secret, secret, slen);
	(gdb) bt
	#0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
	#1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
	extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
	family=<optimized out>) at net/netlink/genetlink.c:731
	#2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
	family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
	#3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
	#4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
	at net/netlink/af_netlink.c:2501
	#5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
	#6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
	at net/netlink/af_netlink.c:1319
	#7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
	at net/netlink/af_netlink.c:1345
	#8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
	...
	(gdb) p/x ((struct sk_buff )0xffff88800b1f9f00)->head + ((struct sk_buff )0xffff88800b1f9f00)->end
	$1 = 0xffff88800b1b76c0
	(gdb) p/x secret
	$2 = 0xffff88800b1b76c0
	(gdb) p slen
	$3 = 64 '@'

	The OOB data can then be read back from userspace by dumping HMAC state. This
	commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
	SECRET.

	The Linux kernel CVE team has assigned CVE-2022-48687 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 4.14.293 with commit dc9dbd65c803af1607484fed5da50d41dc8dd864
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 4.19.258 with commit f684c16971ed5e77dfa25a9ad25b5297e1f58eab
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.4.213 with commit 3df71e11a4773d775c3633c44319f7acdb89011c
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.10.143 with commit 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.15.68 with commit 55195563ec29f80f984237b743de0e2b6ba4d093
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 5.19.9 with commit 56ad3f475482bca55b0ae544031333018eb145b3
	Issue introduced in 4.10 with commit 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 and fixed in 6.0 with commit 84a53580c5d2138c7361c7c3eea5b31827e63b35

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48687
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/seg6.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864
	https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab
	https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c
	https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa
	https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093
	https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3
	https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35