| From bippy-1.1.0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@kernel.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2022-49911: netfilter: ipset: enforce documented limit to prevent allocating huge memory |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| netfilter: ipset: enforce documented limit to prevent allocating huge memory |
| |
| Daniel Xu reported that the hash:net,iface type of the ipset subsystem does |
| not limit adding the same network with different interfaces to a set, which |
| can lead to huge memory usage or allocation failure. |
| |
| The quick reproducer is |
| |
| $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0 |
| $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0.0.0.0/0,kaf_$i timeout 0 -exist; done |
| |
| The backtrace when vmalloc fails: |
| |
| [Tue Oct 25 00:13:08 2022] ipset: vmalloc error: size 1073741848, exceeds total pages |
| <...> |
| [Tue Oct 25 00:13:08 2022] Call Trace: |
| [Tue Oct 25 00:13:08 2022] <TASK> |
| [Tue Oct 25 00:13:08 2022] dump_stack_lvl+0x48/0x60 |
| [Tue Oct 25 00:13:08 2022] warn_alloc+0x155/0x180 |
| [Tue Oct 25 00:13:08 2022] __vmalloc_node_range+0x72a/0x760 |
| [Tue Oct 25 00:13:08 2022] ? hash_netiface4_add+0x7c0/0xb20 |
| [Tue Oct 25 00:13:08 2022] ? __kmalloc_large_node+0x4a/0x90 |
| [Tue Oct 25 00:13:08 2022] kvmalloc_node+0xa6/0xd0 |
| [Tue Oct 25 00:13:08 2022] ? hash_netiface4_resize+0x99/0x710 |
| <...> |
| |
| The fix is to enforce the limit documented in the ipset(8) manpage: |
| |
| > The internal restriction of the hash:net,iface set type is that the same |
| > network prefix cannot be stored with more than 64 different interfaces |
| > in a single set. |
| |
| The Linux kernel CVE team has assigned CVE-2022-49911 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.11 with commit ccf0a4b7fc688561428290265e4effde41446668 and fixed in 5.15.78 with commit 42d20d5e24575c9afa2d66d9a51e7386db9514f5 |
| Issue introduced in 5.11 with commit ccf0a4b7fc688561428290265e4effde41446668 and fixed in 6.0.8 with commit a37ef32fe5956fe9248df68f6a61997845ba047e |
| Issue introduced in 5.11 with commit ccf0a4b7fc688561428290265e4effde41446668 and fixed in 6.1 with commit 510841da1fcc16f702440ab58ef0b4d82a9056b7 |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2022-49911 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/netfilter/ipset/ip_set_hash_gen.h |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/42d20d5e24575c9afa2d66d9a51e7386db9514f5 |
| https://git.kernel.org/stable/c/a37ef32fe5956fe9248df68f6a61997845ba047e |
| https://git.kernel.org/stable/c/510841da1fcc16f702440ab58ef0b4d82a9056b7 |
