| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022609-CVE-2022-49153-972a@gregkh>
Date: Wed, 26 Feb 2025 02:55:58 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49153: wireguard: socket: free skb in send6 when ipv6 is disabled
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
wireguard: socket: free skb in send6 when ipv6 is disabled
I got a memory leak report:
unreferenced object 0xffff8881191fc040 (size 232):
comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<ffffffff814c3ef4>] slab_post_alloc_hook+0x84/0x3b0
[<ffffffff814c8977>] kmem_cache_alloc_node+0x167/0x340
[<ffffffff832974fb>] __alloc_skb+0x1db/0x200
[<ffffffff82612b5d>] wg_socket_send_buffer_to_peer+0x3d/0xc0
[<ffffffff8260e94a>] wg_packet_send_handshake_initiation+0xfa/0x110
[<ffffffff8260ec81>] wg_packet_handshake_send_worker+0x21/0x30
[<ffffffff8119c558>] process_one_work+0x2e8/0x770
[<ffffffff8119ca2a>] worker_thread+0x4a/0x4b0
[<ffffffff811a88e0>] kthread+0x120/0x160
[<ffffffff8100242f>] ret_from_fork+0x1f/0x30
In function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_
buffer_to_peer(), the semantics of send6() is required to free skb. But
when CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it
to fix this bug.
The Linux kernel CVE team has assigned CVE-2022-49153 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.6 with commit e7096c131e5161fa3b8e52a650d7719d2857adfd and fixed in 5.10.110 with commit 096f9d35cac0a0c95ffafc00db84786b665a4837
Issue introduced in 5.6 with commit e7096c131e5161fa3b8e52a650d7719d2857adfd and fixed in 5.15.33 with commit 402991a9771587acc2947cf6c4d689c5397f2258
Issue introduced in 5.6 with commit e7096c131e5161fa3b8e52a650d7719d2857adfd and fixed in 5.16.19 with commit ebcc492f4ba14bae54b898f1016a37b4282558d1
Issue introduced in 5.6 with commit e7096c131e5161fa3b8e52a650d7719d2857adfd and fixed in 5.17.2 with commit 0b19bcb753dbfb74710d12bb2761ec5ed706c726
Issue introduced in 5.6 with commit e7096c131e5161fa3b8e52a650d7719d2857adfd and fixed in 5.18 with commit bbbf962d9460194993ee1943a793a0a0af4a7fbf
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49153
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/wireguard/socket.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/096f9d35cac0a0c95ffafc00db84786b665a4837
https://git.kernel.org/stable/c/402991a9771587acc2947cf6c4d689c5397f2258
https://git.kernel.org/stable/c/ebcc492f4ba14bae54b898f1016a37b4282558d1
https://git.kernel.org/stable/c/0b19bcb753dbfb74710d12bb2761ec5ed706c726
https://git.kernel.org/stable/c/bbbf962d9460194993ee1943a793a0a0af4a7fbf
Powered by blists - more mailing lists