CVE-2022-48687 (GCVE-0-2022-48687)

Vulnerability from cvelistv5 – Published: 2024-05-03 14:59 – Updated: 2025-05-04 08:21
VLAI?
Title
ipv6: sr: fix out-of-bounds read when setting HMAC data.
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
Vendor Product Version
Linux Linux Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < dc9dbd65c803af1607484fed5da50d41dc8dd864 (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < f684c16971ed5e77dfa25a9ad25b5297e1f58eab (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < 3df71e11a4773d775c3633c44319f7acdb89011c (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < 076f2479fc5a15c4a970ca3b5e57d42ba09a31fa (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < 55195563ec29f80f984237b743de0e2b6ba4d093 (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < 56ad3f475482bca55b0ae544031333018eb145b3 (git)
Affected: 4f4853dc1c9c1994f6f756eabdcc25374ff271d9 , < 84a53580c5d2138c7361c7c3eea5b31827e63b35 (git)
Create a notification for this product.
    Linux Linux Affected: 4.10
Unaffected: 0 , < 4.10 (semver)
Unaffected: 4.14.293 , ≤ 4.14.* (semver)
Unaffected: 4.19.258 , ≤ 4.19.* (semver)
Unaffected: 5.4.213 , ≤ 5.4.* (semver)
Unaffected: 5.10.143 , ≤ 5.10.* (semver)
Unaffected: 5.15.68 , ≤ 5.15.* (semver)
Unaffected: 5.19.9 , ≤ 5.19.* (semver)
Unaffected: 6.0 , ≤ * (original_commit_for_fix)
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48687",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T20:39:43.146783Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-30T15:44:49.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc9dbd65c803af1607484fed5da50d41dc8dd864",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "f684c16971ed5e77dfa25a9ad25b5297e1f58eab",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "3df71e11a4773d775c3633c44319f7acdb89011c",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "076f2479fc5a15c4a970ca3b5e57d42ba09a31fa",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "55195563ec29f80f984237b743de0e2b6ba4d093",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "56ad3f475482bca55b0ae544031333018eb145b3",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "84a53580c5d2138c7361c7c3eea5b31827e63b35",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.213",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.293",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.258",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.213",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.143",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.68",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19.9",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.0",
                  "versionStartIncluding": "4.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo-\u003esecret, secret, slen);\n(gdb) bt\n #0  seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\n #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 \u003cinit_net\u003e, family=\u003coptimized out\u003e,\n    family=\u003coptimized out\u003e) at net/netlink/genetlink.c:731\n #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n    family=0xffffffff82fef6c0 \u003cseg6_genl_family\u003e) at net/netlink/genetlink.c:775\n #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 \u003cgenl_rcv_msg\u003e)\n    at net/netlink/af_netlink.c:2501\n #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n    at net/netlink/af_netlink.c:1319\n #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=\u003coptimized out\u003e)\n    at net/netlink/af_netlink.c:1345\n #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=\u003coptimized out\u003e, msg=0xffffc90000ba7e48, len=\u003coptimized out\u003e) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-\u003ehead + ((struct sk_buff *)0xffff88800b1f9f00)-\u003eend\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 \u0027@\u0027\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:21:05.103Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864"
        },
        {
          "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab"
        },
        {
          "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c"
        },
        {
          "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093"
        },
        {
          "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35"
        }
      ],
      "title": "ipv6: sr: fix out-of-bounds read when setting HMAC data.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48687",
    "datePublished": "2024-05-03T14:59:32.099Z",
    "dateReserved": "2024-05-03T14:55:07.144Z",
    "dateUpdated": "2025-05-04T08:21:05.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-03T15:17:55.722Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2022-48687\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-12T20:39:43.146783Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-12T20:39:53.363Z\"}}], \"cna\": {\"title\": \"ipv6: sr: fix out-of-bounds read when setting HMAC data.\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"dc9dbd65c803af1607484fed5da50d41dc8dd864\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"f684c16971ed5e77dfa25a9ad25b5297e1f58eab\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"3df71e11a4773d775c3633c44319f7acdb89011c\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"55195563ec29f80f984237b743de0e2b6ba4d093\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"56ad3f475482bca55b0ae544031333018eb145b3\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"4f4853dc1c9c1994f6f756eabdcc25374ff271d9\", \"lessThan\": \"84a53580c5d2138c7361c7c3eea5b31827e63b35\", \"versionType\": \"git\"}], \"programFiles\": [\"net/ipv6/seg6.c\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.10\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"4.10\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"4.14.293\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.14.*\"}, {\"status\": \"unaffected\", \"version\": \"4.19.258\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"4.19.*\"}, {\"status\": \"unaffected\", \"version\": \"5.4.213\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.4.*\"}, {\"status\": \"unaffected\", \"version\": \"5.10.143\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.10.*\"}, {\"status\": \"unaffected\", \"version\": \"5.15.68\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.15.*\"}, {\"status\": \"unaffected\", \"version\": \"5.19.9\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"5.19.*\"}, {\"status\": \"unaffected\", \"version\": \"6.0\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"net/ipv6/seg6.c\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\"}, {\"url\": \"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\"}, {\"url\": \"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\"}, {\"url\": \"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\"}, {\"url\": \"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\"}, {\"url\": \"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\"}, {\"url\": \"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix out-of-bounds read when setting HMAC data.\\n\\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\\nSegment Routing Headers. This configuration is realised via netlink through\\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\\nlength of the SECRET attribute, it is possible to provide invalid combinations\\n(e.g., secret = \\\"\\\", secretlen = 64). This case is not checked in the code and\\nwith an appropriately crafted netlink message, an out-of-bounds read of up\\nto 64 bytes (max secret length) can occur past the skb end pointer and into\\nskb_shared_info:\\n\\nBreakpoint 1, seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\\n208\\t\\tmemcpy(hinfo-\u003esecret, secret, slen);\\n(gdb) bt\\n #0  seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\\n #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\\n    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 \u003cinit_net\u003e, family=\u003coptimized out\u003e,\\n    family=\u003coptimized out\u003e) at net/netlink/genetlink.c:731\\n #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\\n    family=0xffffffff82fef6c0 \u003cseg6_genl_family\u003e) at net/netlink/genetlink.c:775\\n #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\\n #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 \u003cgenl_rcv_msg\u003e)\\n    at net/netlink/af_netlink.c:2501\\n #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\\n #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\\n    at net/netlink/af_netlink.c:1319\\n #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=\u003coptimized out\u003e)\\n    at net/netlink/af_netlink.c:1345\\n #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=\u003coptimized out\u003e, msg=0xffffc90000ba7e48, len=\u003coptimized out\u003e) at net/netlink/af_netlink.c:1921\\n...\\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-\u003ehead + ((struct sk_buff *)0xffff88800b1f9f00)-\u003eend\\n$1 = 0xffff88800b1b76c0\\n(gdb) p/x secret\\n$2 = 0xffff88800b1b76c0\\n(gdb) p slen\\n$3 = 64 \u0027@\u0027\\n\\nThe OOB data can then be read back from userspace by dumping HMAC state. This\\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\\nSECRET.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.14.293\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"4.19.258\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.4.213\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.10.143\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.15.68\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"5.19.9\", \"versionStartIncluding\": \"4.10\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.0\", \"versionStartIncluding\": \"4.10\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T08:21:05.103Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2022-48687\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-04T08:21:05.103Z\", \"dateReserved\": \"2024-05-03T14:55:07.144Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-05-03T14:59:32.099Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.