Message-ID: <2025022659-CVE-2022-49094-9749@gregkh>
Date: Wed, 26 Feb 2025 02:54:59 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49094: net/tls: fix slab-out-of-bounds bug in decrypt_internal
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tls_ctx->rx.iv for AES128-CCM is set to 12 in
tls_set_sw_offload(). The return value of crypto_aead_ivsize()
for "ccm(aes)" is 16. So a memcpy() that requires 16 bytes from a 12-byte
memory space will trigger a slab-out-of-bounds bug as follows:

  ==================================================================
  BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
  Read of size 16 at addr ffff888114e84e60 by task tls/10911

  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report.cold+0x5e/0x5db
   ? decrypt_internal+0x385/0xc40 [tls]
   kasan_report+0xab/0x120
   ? decrypt_internal+0x385/0xc40 [tls]
   kasan_check_range+0xf9/0x1e0
   memcpy+0x20/0x60
   decrypt_internal+0x385/0xc40 [tls]
   ? tls_get_rec+0x2e0/0x2e0 [tls]
   ? process_rx_list+0x1a5/0x420 [tls]
   ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
   decrypt_skb_update+0x9d/0x400 [tls]
   tls_sw_recvmsg+0x3c8/0xb50 [tls]

  Allocated by task 10911:
   kasan_save_stack+0x1e/0x40
   __kasan_kmalloc+0x81/0xa0
   tls_set_sw_offload+0x2eb/0xa20 [tls]
   tls_setsockopt+0x68c/0x700 [tls]
   __sys_setsockopt+0xfe/0x1b0

Replace crypto_aead_ivsize() with prot->iv_size + prot->salt_size
when copying the IV value with memcpy() in the TLS_1_3_VERSION scenario.

The Linux kernel CVE team has assigned CVE-2022-49094 to this issue.
Affected and fixed versions
===========================
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.4.189 with commit 2b7d14c105dd8f6412eda5a91e1e6154653731e3
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.10.111 with commit 589154d0f18945f41d138a5b4e49e518d294474b
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.15.34 with commit 6e2f1b033b17dedda51d465861b69e58317d6343
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.16.20 with commit 29be1816cbab9a0dc6243120939fd10a92753756
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.17.3 with commit 2304660ab6c425df64d95301b601424c6a50f28b
Issue introduced in 5.2 with commit f295b3ae9f5927e084bd5decdff82390e3471801 and fixed in 5.18 with commit 9381fe8c849cfbe50245ac01fc077554f6eaa0e2
Please see https://www.kernel.org for a full list of kernel versions
currently supported by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49094
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/tls/tls_sw.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3
https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b
https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343
https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756
https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b
https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2
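
The size mismatch described in the announcement, as an added user-space example (not kernel code and not part of the original message): it compares the copy length before and after the fix against the 12-byte rx IV buffer, using a bounds-checked copy in place of the raw memcpy(). The model_* names are hypothetical, and the 8-byte IV plus 4-byte salt split of the 12 bytes is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user-space model; model_* names are hypothetical, not kernel code. */
#define MODEL_IV_SIZE      8   /* assumed AES128-CCM split: 8-byte IV ...          */
#define MODEL_SALT_SIZE    4   /* ... plus 4-byte salt = the 12 bytes on the page  */
#define MODEL_AEAD_IVSIZE 16   /* page: crypto_aead_ivsize() for "ccm(aes)" is 16  */

struct model_prot { size_t iv_size, salt_size; };

/* Copy length before the fix: taken from the AEAD, not from the buffer. */
size_t model_len_before_fix(void) { return MODEL_AEAD_IVSIZE; }

/* Copy length after the fix: prot->iv_size + prot->salt_size. */
size_t model_len_after_fix(const struct model_prot *p)
{
    return p->iv_size + p->salt_size;
}

/* Bytes a copy of n bytes would read past the end of the rx IV buffer. */
size_t model_overread(const struct model_prot *p, size_t n)
{
    size_t alloc = p->iv_size + p->salt_size;
    return n > alloc ? n - alloc : 0;
}

/* Bounds-checked stand-in for the memcpy(): 0 on success, -1 if refused. */
int model_copy_iv(const struct model_prot *p, size_t n)
{
    unsigned char dst[MODEL_AEAD_IVSIZE] = {0};
    size_t alloc = p->iv_size + p->salt_size;   /* size the rx IV was allocated with */
    unsigned char *rx_iv = calloc(1, alloc);
    int ok = rx_iv && n <= alloc && n <= sizeof(dst);

    if (ok)
        memcpy(dst, rx_iv, n);                  /* only runs when source and dest fit */
    free(rx_iv);
    return ok ? 0 : -1;
}

int main(void)
{
    struct model_prot p = { MODEL_IV_SIZE, MODEL_SALT_SIZE };
    size_t before = model_len_before_fix(), after = model_len_after_fix(&p);

    printf("before fix: len=%zu overread=%zu ret=%d\n", before, model_overread(&p, before), model_copy_iv(&p, before));
    printf("after fix:  len=%zu overread=%zu ret=%d\n", after, model_overread(&p, after), model_copy_iv(&p, after));
    return 0;
}
```

The 4-byte over-read in the "before" case lines up with the KASAN report's "Read of size 16" against an allocation made in tls_set_sw_offload().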