CVE-2022-49197 Information

Description

In the Linux kernel the following vulnerability has been resolved:

af_netlink: Fix shift out of bounds in group mask calculation

When a netlink message is received netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups which carries the multicast group on which the message was received. The least significant bit corresponds to group 1 and therefore the highest group that the field can represent is 32. Above that the UB sanitizer flags the out-of-bounds shift attempts.

Which bits end up being set in such a case is implementation defined but it’s either going to be a wrong non-zero value or zero which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups.

To get information about membership in groups >= 32 userspace is expected to use nl_pktinfo control messages[0] which are enabled by NETLINK_PKTINFO socket option.

[0] https://lwn.net/Articles/147608/

The way to trigger this issue is e.g. through monitoring the BRVLAN group:

 bridge monitor vlan &
 ip link add name br type bridge

Which produces the following citation:

UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
shift exponent 32 is too large for 32-bit type 'int'
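To make the 32-group boundary concrete, the following is an added standalone model of the mask calculation before and after the fix; it is my own illustration, not the code from net/netlink/af_netlink.c, and NL_GROUPS_MAX and the helper names are mine. It uses unsigned arithmetic so that group 32 itself is well defined in this model.

```c
#include <stdint.h>
#include <stdio.h>

/* nl_groups is a 32-bit bitfield: bit 0 is group 1, bit 31 is group 32.
 * Any group above this simply has no bit to land in. */
#define NL_GROUPS_MAX 32

/* Pre-fix shape of the calculation. For group > 32 the shift exponent is
 * >= 32, which is undefined behaviour on a 32-bit type and is exactly the
 * condition UBSAN reported. Callers must not pass such a value here. */
static uint32_t group_mask_vulnerable(uint32_t group)
{
	return group ? 1U << (group - 1) : 0;
}

/* Post-fix shape: groups that do not fit in nl_groups deterministically
 * map to 0, the behaviour the commit message chooses. */
static uint32_t group_mask_fixed(uint32_t group)
{
	if (group > NL_GROUPS_MAX)
		return 0;
	return group ? 1U << (group - 1) : 0;
}

/* Userspace view: nl_groups identifies the group only when it fits;
 * otherwise membership has to come from NETLINK_PKTINFO control messages. */
static int group_visible_in_nl_groups(uint32_t group)
{
	return group != 0 && group <= NL_GROUPS_MAX;
}

int main(void)
{
	uint32_t g;

	/* Walk across the boundary so the zeroing above group 32 is visible. */
	for (g = 30; g <= 34; g++)
		printf("group %2u -> nl_groups 0x%08x%s\n", g, group_mask_fixed(g),
		       group_visible_in_nl_groups(g) ? "" : " (use NETLINK_PKTINFO)");
	return 0;
}
```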

Reference

https://git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9f
https://git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4
https://git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07a
https://git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5a
https://git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bac
https://git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42
https://git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234ae
https://git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a
https://git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435ee