CVE-2022-48855
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
16/07/2024
Last modified:
23/07/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
sctp: fix kernel-infoleak for SCTP sockets<br />
<br />
syzbot reported a kernel infoleak [1] of 4 bytes.<br />
<br />
After analysis, it turned out r->idiag_expires is not initialized<br />
if inet_sctp_diag_fill() calls inet_diag_msg_common_fill()<br />
<br />
Make sure to clear idiag_timer/idiag_retrans/idiag_expires<br />
and let inet_diag_msg_sctpasoc_fill() fill them again if needed.<br />
<br />
[1]<br />
<br />
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]<br />
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]<br />
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668<br />
instrument_copy_to_user include/linux/instrumented.h:121 [inline]<br />
copyout lib/iov_iter.c:154 [inline]<br />
_copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668<br />
copy_to_iter include/linux/uio.h:162 [inline]<br />
simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519<br />
__skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425<br />
skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533<br />
skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]<br />
netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977<br />
sock_recvmsg_nosec net/socket.c:948 [inline]<br />
sock_recvmsg net/socket.c:966 [inline]<br />
__sys_recvfrom+0x795/0xa10 net/socket.c:2097<br />
__do_sys_recvfrom net/socket.c:2115 [inline]<br />
__se_sys_recvfrom net/socket.c:2111 [inline]<br />
__x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
Uninit was created at:<br />
slab_post_alloc_hook mm/slab.h:737 [inline]<br />
slab_alloc_node mm/slub.c:3247 [inline]<br />
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975<br />
kmalloc_reserve net/core/skbuff.c:354 [inline]<br />
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426<br />
alloc_skb include/linux/skbuff.h:1158 [inline]<br />
netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248<br />
__netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373<br />
netlink_dump_start include/linux/netlink.h:254 [inline]<br />
inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341<br />
sock_diag_rcv_msg+0x24a/0x620<br />
netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494<br />
sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277<br />
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]<br />
netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343<br />
netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919<br />
sock_sendmsg_nosec net/socket.c:705 [inline]<br />
sock_sendmsg net/socket.c:725 [inline]<br />
sock_write_iter+0x594/0x690 net/socket.c:1061<br />
do_iter_readv_writev+0xa7f/0xc70<br />
do_iter_write+0x52c/0x1500 fs/read_write.c:851<br />
vfs_writev fs/read_write.c:924 [inline]<br />
do_writev+0x645/0xe00 fs/read_write.c:967<br />
__do_sys_writev fs/read_write.c:1040 [inline]<br />
__se_sys_writev fs/read_write.c:1037 [inline]<br />
__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037<br />
do_syscall_x64 arch/x86/entry/common.c:51 [inline]<br />
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82<br />
entry_SYSCALL_64_after_hwframe+0x44/0xae<br />
<br />
Bytes 68-71 of 2508 are uninitialized<br />
Memory access of size 2508 starts at ffff888114f9b000<br />
Data copied to user address 00007f7fe09ff2e0<br />
<br />
CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0<br />
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Impact
Base Score 3.x
7.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.7 (including) | 4.9.307 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.10 (including) | 4.14.272 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.15 (including) | 4.19.235 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.20 (including) | 5.4.185 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.5 (including) | 5.10.106 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.29 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 5.16.15 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/1502f15b9f29c41883a6139f2923523873282a83
- https://git.kernel.org/stable/c/2d8fa3fdf4542a2174a72d92018f488d65d848c5
- https://git.kernel.org/stable/c/3fc0fd724d199e061432b66a8d85b7d48fe485f7
- https://git.kernel.org/stable/c/41a2864cf719c17294f417726edd411643462ab8
- https://git.kernel.org/stable/c/633593a808980f82d251d0ca89730d8bb8b0220c
- https://git.kernel.org/stable/c/b7e4d9ba2ddb78801488b4c623875b81fb46b545
- https://git.kernel.org/stable/c/bbf59d7ae558940cfa2b36a287fd1e88d83f89f8
- https://git.kernel.org/stable/c/d828b0fe6631f3ae8709ac9a10c77c5836c76a08