CVE-2022-48687 Information

Description

In the Linux kernel the following vulnerability has been resolved:

ipv6: sr: fix out-of-bounds read when setting HMAC data.

The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID SEG6_ATTR_SECRET SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute it is possible to provide invalid combinations (e.g. secret = \ secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info:

Breakpoint 1 seg6_genl_sethmac (skb= info=) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret secret slen); (gdb) bt 0 seg6_genl_sethmac (skb= info=) at net/ipv6/seg6.c:208 1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00 nlh=nlh@entry=0xffff88800b1b7600 extack=extack@entry=0xffffc90000ba7af0 ops=ops@entry=0xffffc90000ba7a80 hdrlen=4 net=0xffffffff84237580 <init_net> family= family=) at net/netlink/genetlink.c:731 2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0 nlh=0xffff88800b1b7600 skb=0xffff88800b1f9f00 family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 3 genl_rcv_msg (skb=0xffff88800b1f9f00 nlh=0xffff88800b1b7600 extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00 cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800 skb=0xffff88800b1f9f00 sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800 skb=skb@entry=0xffff88800b1f9f00 portid=portid@entry=0 nonblock=) at net/netlink/af_netlink.c:1345 8 0xffffffff81dff9a4 in netlink_sendmsg (sock= msg=0xffffc90000ba7e48 len=) at net/netlink/af_netlink.c:1921 … (gdb) p/x ((struct sk_buff )0xffff88800b1f9f00)->head + ((struct sk_buff )0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 ‘@’

The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET.

Reference

https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864 https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093 https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3 https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35