CVE-2022-49197

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
26/02/2025
Last modified:
26/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

af_netlink: Fix shift out of bounds in group mask calculation

When a netlink message is received, netlink_recvmsg() fills in the address
of the sender. One of the fields is the 32-bit bitfield nl_groups, which
carries the multicast group on which the message was received. The least
significant bit corresponds to group 1, and therefore the highest group
that the field can represent is 32. Above that, the UB sanitizer flags the
out-of-bounds shift attempts.

Which bits end up being set in such case is implementation defined, but
it's either going to be a wrong non-zero value, or zero, which is at least
not misleading. Make the latter choice deterministic by always setting to 0
for higher-numbered multicast groups.

To get information about membership in groups >= 32, userspace is expected
to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO
socket option.

[0] https://lwn.net/Articles/147608/

The way to trigger this issue is e.g. through monitoring the BRVLAN group:

    # bridge monitor vlan &
    # ip link add name br type bridge

Which produces the following citation:

    UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19
    shift exponent 32 is too large for 32-bit type 'int'
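
The receiver-side handling described above, as an added example that is not part of this record or of the kernel patch: a bounds-checked group mask and a lookup that prefers the NETLINK_PKTINFO control message over nl_groups. All `ex_`/`EX_` names are hypothetical; the constants mirror `<linux/netlink.h>`, and the sample message is constructed.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Values from <linux/netlink.h>, repeated so this builds without kernel headers. */
#define EX_SOL_NETLINK 270                 /* SOL_NETLINK */
#define EX_NETLINK_PKTINFO 3               /* NETLINK_PKTINFO */
struct ex_nl_pktinfo { uint32_t group; };  /* mirrors struct nl_pktinfo */

/* nl_groups bit for a group: bit (group - 1) for 1..32, otherwise 0. */
static uint32_t ex_group_mask(uint32_t group)
{
    if (group == 0 || group > 32)
        return 0;                          /* never shift by 32 or more */
    return UINT32_C(1) << (group - 1);
}

/* Group a received message arrived on: prefer the NETLINK_PKTINFO control
 * message, fall back to the lowest bit of nl_groups, 0 if neither is set. */
static uint32_t ex_recv_group(struct msghdr *msg, uint32_t nl_groups)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        struct ex_nl_pktinfo pi;
        if (c->cmsg_level != EX_SOL_NETLINK || c->cmsg_type != EX_NETLINK_PKTINFO ||
            c->cmsg_len < CMSG_LEN(sizeof(pi)))
            continue;                      /* other or truncated control data */
        memcpy(&pi, CMSG_DATA(c), sizeof(pi));
        return pi.group;
    }
    for (uint32_t g = 1; g <= 32; g++)
        if (nl_groups & ex_group_mask(g))
            return g;
    return 0;
}

/* Constructed sample: one message on `group`, pktinfo attached, mask as after the fix. */
static uint32_t ex_demo(uint32_t group)
{
    union { char buf[CMSG_SPACE(sizeof(struct ex_nl_pktinfo))]; struct cmsghdr align; } u;
    struct ex_nl_pktinfo pi = { group };
    struct msghdr msg = { .msg_control = u.buf, .msg_controllen = sizeof(u.buf) };
    memset(&u, 0, sizeof(u));
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = EX_SOL_NETLINK;
    c->cmsg_type = EX_NETLINK_PKTINFO;
    c->cmsg_len = CMSG_LEN(sizeof(pi));
    memcpy(CMSG_DATA(c), &pi, sizeof(pi));
    return ex_recv_group(&msg, ex_group_mask(group));
}
```

For group 33 the mask is 0, so only the control message identifies the group; a receiver that reads nl_groups alone cannot tell such a message from a unicast one.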

Impact