cve/published/2022/CVE-2022-49197.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49197: af_netlink: Fix shift out of bounds in group mask calculation

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 af_netlink: Fix shift out of bounds in group mask calculation

 When a netlink message is received, netlink_recvmsg() fills in the address
 of the sender. One of the fields is the 32-bit bitfield nl_groups, which
 carries the multicast group on which the message was received. The least
 significant bit corresponds to group 1, and therefore the highest group
 that the field can represent is 32. Above that, the UB sanitizer flags the
 out-of-bounds shift attempts.

 Which bits end up being set in such case is implementation defined, but
 it's either going to be a wrong non-zero value, or zero, which is at least
 not misleading. Make the latter choice deterministic by always setting to 0
 for higher-numbered multicast groups.

 To get information about membership in groups >= 32, userspace is expected
 to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
 socket option.
 [0] https://lwn.net/Articles/147608/

 The way to trigger this issue is e.g. through monitoring the BRVLAN group:

 	# bridge monitor vlan &
 	# ip link add name br type bridge

 Which produces the following citation:

 	UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
 	shift exponent 32 is too large for 32-bit type 'int'

 The Linux kernel CVE team has assigned CVE-2022-49197 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.9.311 with commit e1c5d46f05aa23d740daae5cd3a6472145afac42
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.14.276 with commit ac5883a8890a11c00b32a19949a25d4afeaa2f5a
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.19.238 with commit f75f4abeec4c04b600a15b50c89a481f1e7435ee
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.4.189 with commit 41249fff507387c3323b198d0052faed08b14de4
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.10.110 with commit b0898362188e05b2202656058cc32d98fabf3bac
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.15.33 with commit 7409ff6393a67ff9838d0ae1bd102fb5f020d07a
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.16.19 with commit e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.17.2 with commit e23e1e981247feb3c7d0236fe58aceb685f234ae
 	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.18 with commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49197
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netlink/af_netlink.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42
 	https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5a
 	https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435ee
 	https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4
 	https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bac
 	https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07a
 	https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a
 	https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234ae
 	https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49197: af_netlink: Fix shift out of bounds in group mask calculation

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	af_netlink: Fix shift out of bounds in group mask calculation

	When a netlink message is received, netlink_recvmsg() fills in the address
	of the sender. One of the fields is the 32-bit bitfield nl_groups, which
	carries the multicast group on which the message was received. The least
	significant bit corresponds to group 1, and therefore the highest group
	that the field can represent is 32. Above that, the UB sanitizer flags the
	out-of-bounds shift attempts.

	Which bits end up being set in such case is implementation defined, but
	it's either going to be a wrong non-zero value, or zero, which is at least
	not misleading. Make the latter choice deterministic by always setting to 0
	for higher-numbered multicast groups.

	To get information about membership in groups >= 32, userspace is expected
	to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
	socket option.
	[0] https://lwn.net/Articles/147608/

	The way to trigger this issue is e.g. through monitoring the BRVLAN group:

	# bridge monitor vlan &
	# ip link add name br type bridge

	Which produces the following citation:

	UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
	shift exponent 32 is too large for 32-bit type 'int'

	The Linux kernel CVE team has assigned CVE-2022-49197 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.9.311 with commit e1c5d46f05aa23d740daae5cd3a6472145afac42
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.14.276 with commit ac5883a8890a11c00b32a19949a25d4afeaa2f5a
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 4.19.238 with commit f75f4abeec4c04b600a15b50c89a481f1e7435ee
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.4.189 with commit 41249fff507387c3323b198d0052faed08b14de4
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.10.110 with commit b0898362188e05b2202656058cc32d98fabf3bac
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.15.33 with commit 7409ff6393a67ff9838d0ae1bd102fb5f020d07a
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.16.19 with commit e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.17.2 with commit e23e1e981247feb3c7d0236fe58aceb685f234ae
	Issue introduced in 2.6.14 with commit f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 and fixed in 5.18 with commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49197
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netlink/af_netlink.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42
	https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5a
	https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435ee
	https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4
	https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bac
	https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07a
	https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a
	https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234ae
	https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f