Message-ID: <2025022640-CVE-2022-49340-419b@gregkh>
Date: Wed, 26 Feb 2025 03:10:14 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49340: ip_gre: test csum_start instead of transport header
Description
===========
In the Linux kernel, the following vulnerability has been resolved:

ip_gre: test csum_start instead of transport header

GRE with TUNNEL_CSUM will apply local checksum offload on
CHECKSUM_PARTIAL packets.

ipgre_xmit must validate csum_start after an optional skb_pull,
else lco_csum may trigger an overflow. The original check was

        if (csum && skb_checksum_start(skb) < skb->data)
                return -EINVAL;

This had false positives when skb_checksum_start is undefined:
when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
was straightforward

        if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
            skb_checksum_start(skb) < skb->data)
                return -EINVAL;

But was eventually revised more thoroughly:
- restrict the check to the only branch where needed, in an
  uncommon GRE path that uses header_ops and calls skb_pull.
- test skb_transport_header, which is set along with csum_start
  in skb_partial_csum_set in the normal header_ops datapath.

Turns out skbs can arrive in this branch without the transport
header set, e.g., through BPF redirection.

Revise the check back to check csum_start directly, and only if
CHECKSUM_PARTIAL. Do leave the check in the updated location.
Check field regardless of whether TUNNEL_CSUM is configured.
The Linux kernel CVE team has assigned CVE-2022-49340 to this issue.
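The following is an added model, not kernel code, of the check the commit message above walks through: a reduced sk_buff with the CHECKSUM_PARTIAL condition and the placement of the check relative to skb_pull made explicit. struct skb, skb_pull, lco_len and ipgre_xmit_model are simplified stand-ins for the kernel's (assumed here for illustration); only the CHECKSUM_PARTIAL and EINVAL values are taken from the kernel headers.

```c
/* Added model (not kernel code) of the ipgre_xmit csum_start check.
 * Names follow the kernel's skbuff helpers; the layout is reduced to what
 * the check needs: head, data, ip_summed and csum_start (offset from head). */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define EINVAL           22         /* as in include/uapi/asm-generic/errno-base.h */
#define CHECKSUM_NONE    0
#define CHECKSUM_PARTIAL 3          /* as in include/linux/skbuff.h */

struct skb {
    unsigned char *head;            /* buffer start */
    unsigned char *data;            /* packet start; advanced by skb_pull */
    int ip_summed;
    uint16_t csum_start;            /* offset from head; defined only if PARTIAL */
};

static unsigned char *skb_checksum_start(const struct skb *skb)
{
    return skb->head + skb->csum_start;
}
static void skb_pull(struct skb *skb, size_t len)
{
    skb->data += len;               /* the header_ops path consumed len bytes */
}

/* Fixed check: csum_start is only defined for CHECKSUM_PARTIAL, and it must
 * not lie before the current data pointer. */
static bool csum_start_invalid(const struct skb *skb)
{
    return skb->ip_summed == CHECKSUM_PARTIAL &&
           skb_checksum_start(skb) < skb->data;
}

/* Bytes lco_csum would fold (csum_start - data); negative here is what the
 * kernel's unsigned length would wrap into a huge value. */
static ptrdiff_t lco_len(const struct skb *skb)
{
    return skb_checksum_start(skb) - skb->data;
}

/* Returns -EINVAL if rejected, else the offload length (0 when no offload
 * applies). check_before_pull=true models validating before the skb_pull. */
static ptrdiff_t ipgre_xmit_model(struct skb *skb, size_t pull, bool check_before_pull)
{
    if (check_before_pull && csum_start_invalid(skb))
        return -EINVAL;
    skb_pull(skb, pull);
    if (!check_before_pull && csum_start_invalid(skb))
        return -EINVAL;
    return skb->ip_summed == CHECKSUM_PARTIAL ? lco_len(skb) : 0;
}
```

Constructed inputs: a CHECKSUM_PARTIAL skb whose csum_start is 4 bytes past data passes a check done before an 8-byte pull and then yields a negative offload length, while the same skb checked after the pull is rejected, and a CHECKSUM_NONE skb with a stale csum_start is left alone.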
Affected and fixed versions
===========================
Issue introduced in 4.19.207 with commit 774430026bd9a472d08c5d3c33351a782315771a and fixed in 4.19.247 with commit 7596bd7920985f7fc8579a92e48bc53ce4475b21
Issue introduced in 5.4.148 with commit 3d32ce5472bb2ca720bef84089b85f76a705fd1a and fixed in 5.4.198 with commit 3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
Issue introduced in 5.10.68 with commit 87b34cd6485192777f632f92d592f2a71d8801a6 and fixed in 5.10.122 with commit fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.15.47 with commit e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.17.15 with commit 0c92d813c7c9ca2212ecd879232e7d87362fce98
Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.18.4 with commit 0ffa268724656633af5f37a38c212326d98ebe8c
Issue introduced in 5.15 with commit 8a0ed250f911da31a2aef52101bc707846a800ff and fixed in 5.19 with commit 8d21e9963bec1aad2280cdd034c8993033ef2948
Issue introduced in 5.14.7 with commit 4bf5d5224ffca069df4501ba5fcc6ded9c002ead
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49340
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv4/ip_gre.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948