Google Git
Sign in
kernel / pub / scm / linux / security / vulns / refs/heads/sasha-vulnerable / . / cve / published / 2022 / CVE-2022-49330.json
blob: f729179519f34bc4ee2e4524d354150ddaeaa566 [file] [log] [blame]
{
"containers": {
"cna": {
"providerMetadata": {
"orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038"
},
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_mtup_probe_success vs wrong snd_cwnd\n\nsyzbot got a new report [1] finally pointing to a very old bug,\nadded in initial support for MTU probing.\n\ntcp_mtu_probe() has checks about starting an MTU probe if\ntcp_snd_cwnd(tp) >= 11.\n\nBut nothing prevents tcp_snd_cwnd(tp) to be reduced later\nand before the MTU probe succeeds.\n\nThis bug would lead to potential zero-divides.\n\nDebugging added in commit 40570375356c (\"tcp: add accessors\nto read/set tp->snd_cwnd\") has paid off :)\n\nWhile we are at it, address potential overflows in this code.\n\n[1]\nWARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nModules linked in:\nCPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]\nRIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nCode: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff\nRSP: 0018:ffffc900079e70f8 EFLAGS: 00010287\nRAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000\nRDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f\nRBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520\nR10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50\nR13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000\nFS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n <TASK>\n tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356\n tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861\n tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973\n tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x1d8/0x4c0 net/core/sock.c:2849\n release_sock+0x5d/0x1c0 net/core/sock.c:3404\n sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145\n tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410\n tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n __sys_sendto+0x439/0x5c0 net/socket.c:2119\n __do_sys_sendto net/socket.c:2131 [inline]\n __se_sys_sendto net/socket.c:2127 [inline]\n __x64_sys_sendto+0xda/0xf0 net/socket.c:2127\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f6431289109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109\nRDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a\nRBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000"
}
],
"affected": [
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"versions": [
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "29e13f6b38f0816af2012e0725507754e8f4569c",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "42726877453afdbe1508a8a96884ea907741d9a7",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "f2845e1504a3bc4f3381394f057e8b63cb5f3f7a",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "602b338e3c3cd7f935f3f5011882961d074e5ac1",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "9ba2b4ac35935f05ac98cff722f36ba07d62270e",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "aa7f333efd1138a68517a6a6a69ae540dd59d800",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "38ca71a24cd4845021eed35fd2594d89dba9a5a8",
"status": "affected",
"versionType": "git"
},
{
"version": "5d424d5a674f782d0659a3b66d951f412901faee",
"lessThan": "11825765291a93d8e7f44230da67b9f607c777bf",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/ipv4/tcp_input.c"
],
"versions": [
{
"version": "2.6.17",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.17",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.9.318",
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.14.283",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "4.19.247",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.4.198",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.10.122",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.15.47",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.17.15",
"lessThanOrEqual": "5.17.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.18.4",
"lessThanOrEqual": "5.18.*",
"status": "unaffected",
"versionType": "semver"
},
{
"version": "5.19",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"operator": "OR",
"negate": false,
"cpeMatch": [
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "4.9.318"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "4.14.283"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "4.19.247"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.4.198"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.10.122"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.15.47"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.17.15"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.18.4"
},
{
"vulnerable": true,
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "2.6.17",
"versionEndExcluding": "5.19"
}
]
}
]
}
],
"references": [
{
"url": "https://git.kernel.org/stable/c/29e13f6b38f0816af2012e0725507754e8f4569c"
},
{
"url": "https://git.kernel.org/stable/c/42726877453afdbe1508a8a96884ea907741d9a7"
},
{
"url": "https://git.kernel.org/stable/c/f2845e1504a3bc4f3381394f057e8b63cb5f3f7a"
},
{
"url": "https://git.kernel.org/stable/c/602b338e3c3cd7f935f3f5011882961d074e5ac1"
},
{
"url": "https://git.kernel.org/stable/c/9ba2b4ac35935f05ac98cff722f36ba07d62270e"
},
{
"url": "https://git.kernel.org/stable/c/90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc"
},
{
"url": "https://git.kernel.org/stable/c/aa7f333efd1138a68517a6a6a69ae540dd59d800"
},
{
"url": "https://git.kernel.org/stable/c/38ca71a24cd4845021eed35fd2594d89dba9a5a8"
},
{
"url": "https://git.kernel.org/stable/c/11825765291a93d8e7f44230da67b9f607c777bf"
}
],
"title": "tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038",
"cveID": "CVE-2022-49330",
"requesterUserId": "gregkh@kernel.org",
"serial": "1",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.0"
}