Message-ID: <2025123014-CVE-2022-50816-3fda@gregkh>
Date: Tue, 30 Dec 2025 13:09:20 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2022-50816: ipv6: ensure sane device mtu in tunnels
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
ipv6: ensure sane device mtu in tunnels
Another syzbot report [1] with no reproducer hints at a bug in the ip6_gre tunnel (dev:ip6gretap0).

Since the ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit b9b312a7a451 "ipv6: mcast: better catch silly mtu values"), a remaining possibility is that a layer is able to set dev->mtu to an underflowed value (high order bit set).

This could happen indeed in ip6gre_tnl_link_config_route(), ip6_tnl_link_config() and ipip6_tunnel_bind_dev().

Make sure to sanitize the mtu value in a local variable before it is written once to dev->mtu, as lockless readers could catch a wrong temporary value.
[1]
skbuff: skb_over_panic: text:ffff80000b7a2f38 len:40 put:40 head:ffff000149dcf200 data:ffff000149dcf2b0 tail:0xd8 end:0xc0 dev:ip6gretap0
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:120
Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 PID: 10241 Comm: kworker/1:1 Not tainted 6.0.0-rc7-syzkaller-18095-gbbed346d5a96 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/30/2022
Workqueue: mld mld_ifc_work
pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : skb_panic+0x4c/0x50 net/core/skbuff.c:116
lr : skb_panic+0x4c/0x50 net/core/skbuff.c:116
Call trace:
skb_panic+0x4c/0x50 net/core/skbuff.c:116
skb_over_panic net/core/skbuff.c:125 [inline]
skb_put+0xd4/0xdc net/core/skbuff.c:2049
ip6_mc_hdr net/ipv6/mcast.c:1714 [inline]
mld_newpack+0x14c/0x270 net/ipv6/mcast.c:1765
add_grhead net/ipv6/mcast.c:1851 [inline]
add_grec+0xa20/0xae0 net/ipv6/mcast.c:1989
mld_send_cr+0x438/0x5a8 net/ipv6/mcast.c:2115
mld_ifc_work+0x38/0x290 net/ipv6/mcast.c:2653
process_one_work+0x2d8/0x504 kernel/workqueue.c:2289
worker_thread+0x340/0x610 kernel/workqueue.c:2436
kthread+0x12c/0x158 kernel/kthread.c:376
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Code: 91011400 aa0803e1 a90027ea 94373093 (d4210000)
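As an added illustration (not code from the kernel or from this advisory), the pattern the fix describes in plain C: the old in-place update of an unsigned dev->mtu beside the fixed compute-in-a-local-then-store-once version, plus a reader-side sanity check of the kind the mcast code applies. IPV6_MIN_MTU, ETH_HLEN and the unsigned mtu field mirror the kernel; the struct, the helper names and the 40-byte link MTU are constructed for this example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added model of the bug and fix described above, not the kernel's source: IPV6_MIN_MTU,
 * ETH_HLEN and the unsigned dev->mtu field mirror the kernel, everything else is constructed. */
#define IPV6_MIN_MTU 1280
#define ETH_HLEN 14

/* dev->mtu is unsigned as in the kernel; is_ether stands in for dev->type == ARPHRD_ETHER */
struct net_device { unsigned int mtu; bool is_ether; };

/* Pre-fix pattern: dev->mtu is rewritten in place, so a lockless reader can see each transient,
 * and an unsigned underflow leaves a huge value (high bit set) that the final test misses. */
static unsigned int set_mtu_unsafe(struct net_device *dev, unsigned int link_mtu, int t_hlen)
{
    dev->mtu = link_mtu - t_hlen;             /* transient #1, may underflow */
    if (dev->is_ether)
        dev->mtu -= ETH_HLEN;                 /* transient #2 */
    if (dev->mtu < IPV6_MIN_MTU)              /* false after an underflow */
        dev->mtu = IPV6_MIN_MTU;
    return dev->mtu;
}

/* Fixed pattern: signed local, clamp, then exactly one store (WRITE_ONCE() in the kernel). */
static unsigned int set_mtu_safe(struct net_device *dev, unsigned int link_mtu, int t_hlen)
{
    int mtu = (int)link_mtu - t_hlen;         /* negative on underflow */
    if (dev->is_ether)
        mtu -= ETH_HLEN;
    if (mtu < IPV6_MIN_MTU)
        mtu = IPV6_MIN_MTU;
    dev->mtu = (unsigned int)mtu;
    return dev->mtu;
}

/* Reader-side guard like the mcast check cited above: one snapshot (READ_ONCE()), reject silly values. */
static bool mld_mtu_sane(unsigned int mtu)
{
    return mtu >= IPV6_MIN_MTU && !(mtu & 0x80000000u);
}

int main(void)
{
    /* ip6gretap over a pathological 40-byte link with 44 bytes of IPv6+GRE headers (t_hlen) */
    struct net_device old = { 0, true }, fix = { 0, true };
    set_mtu_unsafe(&old, 40, 44);
    set_mtu_safe(&fix, 40, 44);
    printf("old: mtu=%u sane=%d\nfix: mtu=%u sane=%d\n",
           old.mtu, mld_mtu_sane(old.mtu), fix.mtu, mld_mtu_sane(fix.mtu));
}
```

With the old code the 40-byte link yields an mtu of 4294967278 (high bit set) that survives the final check; the fixed code clamps it to IPV6_MIN_MTU.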
The Linux kernel CVE team has assigned CVE-2022-50816 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 4.14.305 with commit 2bab6fa449d16af36d9c9518865f783a15f446c7
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 4.19.272 with commit 78297d513157a31fd629626fe4cbb85a7dcbb94a
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 5.4.231 with commit af51fc23a03f02b0c6df09ab0d60f23794436052
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 5.10.153 with commit 44affe7ede596f078c4f2f41e0d160266ccda818
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 5.15.77 with commit ad3f1d9bf162c487d23df684852597961b745cae
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.0.7 with commit ccd94bd4939690e24d13e23814bce7ed853a09f3
Issue introduced in 3.7 with commit c12b395a46646bab69089ce7016ac78177f6001f and fixed in 6.1 with commit d89d7ff01235f218dad37de84457717f699dee79
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-50816
will be updated if fixes are backported; please check it for the most
up-to-date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/ipv6/ip6_gre.c
net/ipv6/ip6_tunnel.c
net/ipv6/sit.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If, however, updating to
the latest release is impossible, the individual changes that resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/2bab6fa449d16af36d9c9518865f783a15f446c7
https://git.kernel.org/stable/c/78297d513157a31fd629626fe4cbb85a7dcbb94a
https://git.kernel.org/stable/c/af51fc23a03f02b0c6df09ab0d60f23794436052
https://git.kernel.org/stable/c/44affe7ede596f078c4f2f41e0d160266ccda818
https://git.kernel.org/stable/c/ad3f1d9bf162c487d23df684852597961b745cae
https://git.kernel.org/stable/c/ccd94bd4939690e24d13e23814bce7ed853a09f3
https://git.kernel.org/stable/c/d89d7ff01235f218dad37de84457717f699dee79