CVE-2022-48687

In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET.
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

21 Nov 2024, 07:33

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa - Patch () https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa - Patch
References () https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c - Patch () https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c - Patch
References () https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093 - Patch () https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093 - Patch
References () https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3 - Patch () https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3 - Patch
References () https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35 - Patch () https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35 - Patch
References () https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864 - Patch () https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864 - Patch
References () https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab - Patch () https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab - Patch

23 May 2024, 20:33

Type Values Removed Values Added
CWE CWE-125
References () https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa - () https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa - Patch
References () https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c - () https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c - Patch
References () https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093 - () https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093 - Patch
References () https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3 - () https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3 - Patch
References () https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35 - () https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35 - Patch
References () https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864 - () https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864 - Patch
References () https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab - () https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab - Patch
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux linux Kernel
Linux
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ipv6: sr: corrige lectura fuera de los límites al configurar datos HMAC. La capa SRv6 permite definir datos HMAC que luego pueden usarse para firmar encabezados de enrutamiento de segmentos IPv6. Esta configuración se realiza vía netlink a través de cuatro atributos: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN y SEG6_ATTR_ALGID. Debido a que el atributo SECRETLEN está desacoplado de la longitud real del atributo SECRET, es posible proporcionar combinaciones no válidas (por ejemplo, secret = "", secretlen = 64). Este caso no está marcado en el código y con un mensaje netlink manipulado apropiadamente, puede ocurrir una lectura fuera de los límites de hasta 64 bytes (longitud máxima del secreto) más allá del puntero final de skb y en skb_shared_info: Punto de interrupción 1, seg6_genl_sethmac (skb =, info=) en net/ipv6/seg6.c:208 208 memcpy(hinfo-&gt;secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=, info=) en net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 en genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@ entrada=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=, familia=) en net/netlink/ genetlink.c:731 #2 0xffffffff81e01435 en genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 ) en net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh= 0xffff88800b1b7600, extack=0xffffc90000ba7af0) en net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 en netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e013 50 ) en net/netlink/af_netlink.c: 2501 #5 0xffffffff81e00919 en genl_rcv (skb=0xffff88800b1f9f00) en net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae en netlink_unicast_kernel (ssk=0xffff888010eec800, f9f00, sk=0xffff888004aed000) en net/netlink/af_netlink.c:1319 # 7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=) en net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 en ( sock=, msg=0xffffc90000ba7e48, len=) en net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-&gt;head + ( (struct sk_buff *)0xffff88800b1f9f00)-&gt;end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' Los datos OOB se pueden volver a leer desde el espacio de usuario volcando el estado HMAC. Esta confirmación soluciona este problema garantizando que SECRETLEN no pueda exceder la longitud real de SECRET.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5

03 May 2024, 15:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-05-03 15:15

Updated : 2024-11-21 07:33


NVD link : CVE-2022-48687

Mitre link : CVE-2022-48687

CVE.ORG link : CVE-2022-48687


JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-125

Out-of-bounds Read