CVE-2022-48651

In the Linux kernel, the following vulnerability has been resolved:

ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header

If an AF_PACKET socket is used to send packets through ipvlan and the default xmit function of the AF_PACKET socket is changed from dev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option name of PACKET_QDISC_BYPASS, the skb->mac_header may not be reset and remains as the initial value of 65535, this may trigger slab-out-of-bounds bugs as following:

================================================================= UG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] PU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6 ardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 all Trace: print_address_description.constprop.0+0x1d/0x160 print_report.cold+0x4f/0x112 kasan_report+0xa3/0x130 ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan] ipvlan_start_xmit+0x29/0xa0 [ipvlan] __dev_direct_xmit+0x2e2/0x380 packet_direct_xmit+0x22/0x60 packet_snd+0x7c9/0xc40 sock_sendmsg+0x9a/0xa0 __sys_sendto+0x18a/0x230 __x64_sys_sendto+0x74/0x90 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The root cause is:

1. packet_snd() only reset skb->mac_header when sock->type is SOCK_RAW and skb->protocol is not specified as in packet_parse_headers()

2. packet_direct_xmit() doesnt reset skb->mac_header as dev_queue_xmit()

In this case, skb->mac_header is 65535 when ipvlan_xmit_mode_l2() is called. So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which use skb->head + skb->mac_header, out-of-bound access occurs.

This patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2() and reset mac header in multicast to solve this out-of-bound bug.

Weakness

The product reads data past the end, or before the beginning, of the intended buffer.

Affected Software

Potential Mitigations

• Assume all input is malicious. Use an “accept known good” input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
• When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, “boat” may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as “red” or “blue.”
• Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code’s environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
• To reduce the likelihood of introducing an out-of-bounds read, ensure that you validate and ensure correct calculations for any length argument, buffer size calculation, or offset. Be especially careful of relying on a sentinel (i.e. special character such as NUL) in untrusted inputs.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/540.html

References

• https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca
• https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be
• https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4
• https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7
• https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638
• https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241
• https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef
• https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4
• https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca
• https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be
• https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4
• https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7
• https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638
• https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241
• https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef
• https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4