cve/published/2022/CVE-2022-48711.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48711: tipc: improve size validations for received domain records

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tipc: improve size validations for received domain records

 The function tipc_mon_rcv() allows a node to receive and process
 domain_record structs from peer nodes to track their views of the
 network topology.

 This patch verifies that the number of members in a received domain
 record does not exceed the limit defined by MAX_MON_DOMAIN, something
 that may otherwise lead to a stack overflow.

 tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
 we are reading a 32 bit message data length field into a uint16.  To
 avert any risk of bit overflow, we add an extra sanity check for this in
 that function.  We cannot see that happen with the current code, but
 future designers being unaware of this risk, may introduce it by
 allowing delivery of very large (> 64k) sk buffers from the bearer
 layer.  This potential problem was identified by Eric Dumazet.

 This fixes CVE-2022-0435

 The Linux kernel CVE team has assigned CVE-2022-48711 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.9.301 with commit 175db196e45d6f0e6047eccd09c8ba55465eb131
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.14.266 with commit fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.19.229 with commit f1af11edd08dd8376f7a84487cbb0ea8203e3a1d
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.4.179 with commit d692e3406e052dbf9f6d9da0cba36cb763272529
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.10.100 with commit 3c7e5943553594f68bbc070683db6bb6f6e9e78e
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.15.23 with commit 1f1788616157b0222b0c2153828b475d95e374a7
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.16.9 with commit 59ff7514f8c56f166aadca49bcecfa028e0ad50f
 	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.17 with commit 9aa422ad326634b76309e8ff342c246800621216

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48711
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/tipc/link.c
 	net/tipc/monitor.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/175db196e45d6f0e6047eccd09c8ba55465eb131
 	https://git.kernel.org/stable/c/fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d
 	https://git.kernel.org/stable/c/f1af11edd08dd8376f7a84487cbb0ea8203e3a1d
 	https://git.kernel.org/stable/c/d692e3406e052dbf9f6d9da0cba36cb763272529
 	https://git.kernel.org/stable/c/3c7e5943553594f68bbc070683db6bb6f6e9e78e
 	https://git.kernel.org/stable/c/1f1788616157b0222b0c2153828b475d95e374a7
 	https://git.kernel.org/stable/c/59ff7514f8c56f166aadca49bcecfa028e0ad50f
 	https://git.kernel.org/stable/c/9aa422ad326634b76309e8ff342c246800621216
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48711: tipc: improve size validations for received domain records

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tipc: improve size validations for received domain records

	The function tipc_mon_rcv() allows a node to receive and process
	domain_record structs from peer nodes to track their views of the
	network topology.

	This patch verifies that the number of members in a received domain
	record does not exceed the limit defined by MAX_MON_DOMAIN, something
	that may otherwise lead to a stack overflow.

	tipc_mon_rcv() is called from the function tipc_link_proto_rcv(), where
	we are reading a 32 bit message data length field into a uint16. To
	avert any risk of bit overflow, we add an extra sanity check for this in
	that function. We cannot see that happen with the current code, but
	future designers being unaware of this risk, may introduce it by
	allowing delivery of very large (> 64k) sk buffers from the bearer
	layer. This potential problem was identified by Eric Dumazet.

	This fixes CVE-2022-0435

	The Linux kernel CVE team has assigned CVE-2022-48711 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.9.301 with commit 175db196e45d6f0e6047eccd09c8ba55465eb131
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.14.266 with commit fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 4.19.229 with commit f1af11edd08dd8376f7a84487cbb0ea8203e3a1d
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.4.179 with commit d692e3406e052dbf9f6d9da0cba36cb763272529
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.10.100 with commit 3c7e5943553594f68bbc070683db6bb6f6e9e78e
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.15.23 with commit 1f1788616157b0222b0c2153828b475d95e374a7
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.16.9 with commit 59ff7514f8c56f166aadca49bcecfa028e0ad50f
	Issue introduced in 4.8 with commit 35c55c9877f8de0ab129fa1a309271d0ecc868b9 and fixed in 5.17 with commit 9aa422ad326634b76309e8ff342c246800621216

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48711
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/tipc/link.c
	net/tipc/monitor.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/175db196e45d6f0e6047eccd09c8ba55465eb131
	https://git.kernel.org/stable/c/fde4ddeadd099bf9fbb9ccbee8e1b5c20d530a2d
	https://git.kernel.org/stable/c/f1af11edd08dd8376f7a84487cbb0ea8203e3a1d
	https://git.kernel.org/stable/c/d692e3406e052dbf9f6d9da0cba36cb763272529
	https://git.kernel.org/stable/c/3c7e5943553594f68bbc070683db6bb6f6e9e78e
	https://git.kernel.org/stable/c/1f1788616157b0222b0c2153828b475d95e374a7
	https://git.kernel.org/stable/c/59ff7514f8c56f166aadca49bcecfa028e0ad50f
	https://git.kernel.org/stable/c/9aa422ad326634b76309e8ff342c246800621216