From bippy-1.1.0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@kernel.org>
To: <linux-cve-announce@vger.kernel.org>
Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
Subject: CVE-2022-49865: ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

ipv6: addrlabel: fix infoleak when sending struct ifaddrlblmsg to network

When copying a `struct ifaddrlblmsg` to the network, __ifal_reserved
remained uninitialized, resulting in a 1-byte infoleak:

BUG: KMSAN: kernel-network-infoleak in __netdev_start_xmit ./include/linux/netdevice.h:4841
__netdev_start_xmit ./include/linux/netdevice.h:4841
netdev_start_xmit ./include/linux/netdevice.h:4857
xmit_one net/core/dev.c:3590
dev_hard_start_xmit+0x1dc/0x800 net/core/dev.c:3606
__dev_queue_xmit+0x17e8/0x4350 net/core/dev.c:4256
dev_queue_xmit ./include/linux/netdevice.h:3009
__netlink_deliver_tap_skb net/netlink/af_netlink.c:307
__netlink_deliver_tap+0x728/0xad0 net/netlink/af_netlink.c:325
netlink_deliver_tap net/netlink/af_netlink.c:338
__netlink_sendskb net/netlink/af_netlink.c:1263
netlink_sendskb+0x1d9/0x200 net/netlink/af_netlink.c:1272
netlink_unicast+0x56d/0xf50 net/netlink/af_netlink.c:1360
nlmsg_unicast ./include/net/netlink.h:1061
rtnl_unicast+0x5a/0x80 net/core/rtnetlink.c:758
ip6addrlbl_get+0xfad/0x10f0 net/ipv6/addrlabel.c:628
rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
...
Uninit was created at:
slab_post_alloc_hook+0x118/0xb00 mm/slab.h:742
slab_alloc_node mm/slub.c:3398
__kmem_cache_alloc_node+0x4f2/0x930 mm/slub.c:3437
__do_kmalloc_node mm/slab_common.c:954
__kmalloc_node_track_caller+0x117/0x3d0 mm/slab_common.c:975
kmalloc_reserve net/core/skbuff.c:437
__alloc_skb+0x27a/0xab0 net/core/skbuff.c:509
alloc_skb ./include/linux/skbuff.h:1267
nlmsg_new ./include/net/netlink.h:964
ip6addrlbl_get+0x490/0x10f0 net/ipv6/addrlabel.c:608
rtnetlink_rcv_msg+0xb33/0x1570 net/core/rtnetlink.c:6082
netlink_rcv_skb+0x299/0x550 net/netlink/af_netlink.c:2540
rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6109
netlink_unicast_kernel net/netlink/af_netlink.c:1319
netlink_unicast+0x9ab/0xf50 net/netlink/af_netlink.c:1345
netlink_sendmsg+0xebc/0x10f0 net/netlink/af_netlink.c:1921
...

This patch ensures that the reserved field is always initialized.
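The bug class described above (a netlink header filled field by field, with one byte never written, so whatever the freshly allocated skb already held goes out on the wire) can be reproduced in user space without a kernel. The following is an added illustration, not code from the kernel or from the fix commit: it replicates the uapi layout of struct ifaddrlblmsg, poisons a heap buffer to stand in for stale skb contents the way KMSAN tracks them, and counts how many poisoned bytes survive a vulnerable fill versus a fill that zeroes __ifal_reserved. The fill values (ifindex 2, prefix length 64, sequence 1234) are constructed for the example; the helper names fill_vulnerable, fill_fixed and leaked_bytes are invented here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space replica of the uapi layout in linux/if_addrlabel.h.
 * Four 1-byte fields followed by two 4-byte fields: no compiler padding,
 * so the only byte a field-by-field fill can miss is __ifal_reserved. */
struct ifaddrlblmsg {
	uint8_t  ifal_family;     /* address family */
	uint8_t  __ifal_reserved; /* reserved, must be sent as zero */
	uint8_t  ifal_prefixlen;  /* prefix length */
	uint8_t  ifal_flags;      /* flags */
	uint32_t ifal_index;      /* link index */
	uint32_t ifal_seq;        /* sequence number */
};

/* Stands in for stale heap data in a freshly allocated skb. None of the
 * constructed fill values below produce this byte, so any 0xAA left in
 * the struct after a fill is an uninitialized byte headed to the wire. */
#define POISON 0xAA

typedef void (*fill_fn)(struct ifaddrlblmsg *, uint32_t, uint8_t, uint32_t);

/* Pattern before the fix: every named field is set, the reserved byte is not. */
static void fill_vulnerable(struct ifaddrlblmsg *m, uint32_t ifindex,
			    uint8_t prefixlen, uint32_t seq)
{
	m->ifal_family = 10; /* AF_INET6 */
	m->ifal_prefixlen = prefixlen;
	m->ifal_flags = 0;
	m->ifal_index = ifindex;
	m->ifal_seq = seq;
	/* __ifal_reserved is never written */
}

/* Pattern after the fix: the reserved byte is explicitly zeroed. */
static void fill_fixed(struct ifaddrlblmsg *m, uint32_t ifindex,
		       uint8_t prefixlen, uint32_t seq)
{
	fill_vulnerable(m, ifindex, prefixlen, seq);
	m->__ifal_reserved = 0;
}

/* Count bytes that still carry the poison pattern, i.e. were never initialized. */
static int count_poisoned(const void *buf, size_t len)
{
	const uint8_t *p = buf;
	int n = 0;
	for (size_t i = 0; i < len; i++)
		if (p[i] == POISON)
			n++;
	return n;
}

/* Allocate a message, poison it like stale heap memory, run the given fill,
 * and return how many uninitialized bytes would reach the network. */
static int leaked_bytes(fill_fn fill)
{
	struct ifaddrlblmsg *m = malloc(sizeof *m);
	if (!m)
		return -1;
	memset(m, POISON, sizeof *m);
	fill(m, 2, 64, 1234);
	int n = count_poisoned(m, sizeof *m);
	free(m);
	return n;
}

int leak_vulnerable(void) { return leaked_bytes(fill_vulnerable); }
int leak_fixed(void)      { return leaked_bytes(fill_fixed); }

/* Byte offset of the field the fix initializes, for cross-checking the result. */
size_t reserved_offset(void) { return offsetof(struct ifaddrlblmsg, __ifal_reserved); }

int main(void)
{
	printf("sizeof(struct ifaddrlblmsg) = %zu\n", sizeof(struct ifaddrlblmsg));
	printf("vulnerable fill leaks %d byte(s)\n", leak_vulnerable());
	printf("fixed fill leaks      %d byte(s)\n", leak_fixed());
	printf("__ifal_reserved sits at offset %zu\n", reserved_offset());
	return 0;
}
```

The same check generalizes to any kernel-to-user or kernel-to-network structure: poison the buffer, run the serializer, and diff against the poison. A struct with compiler padding would leak through the padding bytes as well, which is why zeroing the whole header (memset, or a zero-initialized local copied into the skb) is the more robust habit than adding one assignment per reserved field.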

The Linux kernel CVE team has assigned CVE-2022-49865 to this issue.


Affected and fixed versions
===========================

Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 4.9.334 with commit 568a47ff756f913e8b374c2af9d22cd2c772c744
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 4.14.300 with commit 0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 4.19.267 with commit 6d26d0587abccb9835382a0b53faa7b9b1cd83e3
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 5.4.225 with commit 58cd7fdc8c1e6c7873acc08f190069fed88d1c12
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 5.10.155 with commit a033b86c7f7621fde31f0364af8986f43b44914f
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 5.15.79 with commit 2acb2779b147decd300c117683d5a32ce61c75d6
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 6.0.9 with commit 49e92ba5ecd7d72ba369dde2ccff738edd028a47
Issue introduced in 2.6.25 with commit 2a8cc6c89039e0530a3335954253b76ed0f9339a and fixed in 6.1 with commit c23fb2c82267638f9d206cb96bb93e1f93ad7828

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49865
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
net/ipv6/addrlabel.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/568a47ff756f913e8b374c2af9d22cd2c772c744
https://git.kernel.org/stable/c/0f85b7ae7c4b5d7b4bbf7ac653a733c181a8a2bf
https://git.kernel.org/stable/c/6d26d0587abccb9835382a0b53faa7b9b1cd83e3
https://git.kernel.org/stable/c/58cd7fdc8c1e6c7873acc08f190069fed88d1c12
https://git.kernel.org/stable/c/a033b86c7f7621fde31f0364af8986f43b44914f
https://git.kernel.org/stable/c/2acb2779b147decd300c117683d5a32ce61c75d6
https://git.kernel.org/stable/c/49e92ba5ecd7d72ba369dde2ccff738edd028a47
https://git.kernel.org/stable/c/c23fb2c82267638f9d206cb96bb93e1f93ad7828