cve/published/2022/CVE-2022-49340.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49340: ip_gre: test csum_start instead of transport header

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ip_gre: test csum_start instead of transport header

 GRE with TUNNEL_CSUM will apply local checksum offload on
 CHECKSUM_PARTIAL packets.

 ipgre_xmit must validate csum_start after an optional skb_pull,
 else lco_csum may trigger an overflow. The original check was

 	if (csum && skb_checksum_start(skb) < skb->data)
 		return -EINVAL;

 This had false positives when skb_checksum_start is undefined:
 when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
 was straightforward

 	if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
 	    skb_checksum_start(skb) < skb->data)
 		return -EINVAL;

 But was eventually revised more thoroughly:
 - restrict the check to the only branch where needed, in an
   uncommon GRE path that uses header_ops and calls skb_pull.
 - test skb_transport_header, which is set along with csum_start
   in skb_partial_csum_set in the normal header_ops datapath.

 Turns out skbs can arrive in this branch without the transport
 header set, e.g., through BPF redirection.

 Revise the check back to check csum_start directly, and only if
 CHECKSUM_PARTIAL. Do leave the check in the updated location.
 Check field regardless of whether TUNNEL_CSUM is configured.

 The Linux kernel CVE team has assigned CVE-2022-49340 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.19.207 with commit 774430026bd9a472d08c5d3c33351a782315771a and fixed in 4.19.247 with commit 7596bd7920985f7fc8579a92e48bc53ce4475b21
 	Issue introduced in 5.4.148 with commit 3d32ce5472bb2ca720bef84089b85f76a705fd1a and fixed in 5.4.198 with commit 3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
 	Issue introduced in 5.10.68 with commit 87b34cd6485192777f632f92d592f2a71d8801a6 and fixed in 5.10.122 with commit fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
 	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.15.47 with commit e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
 	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.17.15 with commit 0c92d813c7c9ca2212ecd879232e7d87362fce98
 	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.18.4 with commit 0ffa268724656633af5f37a38c212326d98ebe8c
 	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.19 with commit 8d21e9963bec1aad2280cdd034c8993033ef2948
 	Issue introduced in 5.14.7 with commit 4bf5d5224ffca069df4501ba5fcc6ded9c002ead

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49340
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/ip_gre.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
 	https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
 	https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
 	https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
 	https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
 	https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
 	https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49340: ip_gre: test csum_start instead of transport header

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ip_gre: test csum_start instead of transport header

	GRE with TUNNEL_CSUM will apply local checksum offload on
	CHECKSUM_PARTIAL packets.

	ipgre_xmit must validate csum_start after an optional skb_pull,
	else lco_csum may trigger an overflow. The original check was

	if (csum && skb_checksum_start(skb) < skb->data)
	return -EINVAL;

	This had false positives when skb_checksum_start is undefined:
	when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
	was straightforward

	if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
	skb_checksum_start(skb) < skb->data)
	return -EINVAL;

	But was eventually revised more thoroughly:
	- restrict the check to the only branch where needed, in an
	uncommon GRE path that uses header_ops and calls skb_pull.
	- test skb_transport_header, which is set along with csum_start
	in skb_partial_csum_set in the normal header_ops datapath.

	Turns out skbs can arrive in this branch without the transport
	header set, e.g., through BPF redirection.

	Revise the check back to check csum_start directly, and only if
	CHECKSUM_PARTIAL. Do leave the check in the updated location.
	Check field regardless of whether TUNNEL_CSUM is configured.

	The Linux kernel CVE team has assigned CVE-2022-49340 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.19.207 with commit 774430026bd9a472d08c5d3c33351a782315771a and fixed in 4.19.247 with commit 7596bd7920985f7fc8579a92e48bc53ce4475b21
	Issue introduced in 5.4.148 with commit 3d32ce5472bb2ca720bef84089b85f76a705fd1a and fixed in 5.4.198 with commit 3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
	Issue introduced in 5.10.68 with commit 87b34cd6485192777f632f92d592f2a71d8801a6 and fixed in 5.10.122 with commit fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.15.47 with commit e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.17.15 with commit 0c92d813c7c9ca2212ecd879232e7d87362fce98
	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.18.4 with commit 0ffa268724656633af5f37a38c212326d98ebe8c
	Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.19 with commit 8d21e9963bec1aad2280cdd034c8993033ef2948
	Issue introduced in 5.14.7 with commit 4bf5d5224ffca069df4501ba5fcc6ded9c002ead

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49340
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/ip_gre.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
	https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
	https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
	https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
	https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
	https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
	https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948