cve-2022-48687
Vulnerability from cvelistv5
Published
2024-05-03 14:59
Modified
2024-12-19 08:05
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: ipv6: sr: fix out-of-bounds read when setting HMAC data. The SRv6 layer allows defining HMAC data that can later be used to sign IPv6 Segment Routing Headers. This configuration is realised via netlink through four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual length of the SECRET attribute, it is possible to provide invalid combinations (e.g., secret = "", secretlen = 64). This case is not checked in the code and with an appropriately crafted netlink message, an out-of-bounds read of up to 64 bytes (max secret length) can occur past the skb end pointer and into skb_shared_info: Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 208 memcpy(hinfo->secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 '@' The OOB data can then be read back from userspace by dumping HMAC state. This commit fixes this by ensuring SECRETLEN cannot exceed the actual length of SECRET.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31faPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011cPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eabPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31faPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011cPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eabPatch
Impacted products
Vendor Product Version
Linux Linux Version: 4.10
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2022-48687",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-12T20:39:43.146783Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-30T15:44:49.267Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T15:17:55.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc9dbd65c803af1607484fed5da50d41dc8dd864",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "f684c16971ed5e77dfa25a9ad25b5297e1f58eab",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "3df71e11a4773d775c3633c44319f7acdb89011c",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "076f2479fc5a15c4a970ca3b5e57d42ba09a31fa",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "55195563ec29f80f984237b743de0e2b6ba4d093",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "56ad3f475482bca55b0ae544031333018eb145b3",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            },
            {
              "lessThan": "84a53580c5d2138c7361c7c3eea5b31827e63b35",
              "status": "affected",
              "version": "4f4853dc1c9c1994f6f756eabdcc25374ff271d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/seg6.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.10"
            },
            {
              "lessThan": "4.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.258",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.213",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.143",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.68",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.19.*",
              "status": "unaffected",
              "version": "5.19.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.0",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: sr: fix out-of-bounds read when setting HMAC data.\n\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\nSegment Routing Headers. This configuration is realised via netlink through\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\nlength of the SECRET attribute, it is possible to provide invalid combinations\n(e.g., secret = \"\", secretlen = 64). This case is not checked in the code and\nwith an appropriately crafted netlink message, an out-of-bounds read of up\nto 64 bytes (max secret length) can occur past the skb end pointer and into\nskb_shared_info:\n\nBreakpoint 1, seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\n208\t\tmemcpy(hinfo-\u003esecret, secret, slen);\n(gdb) bt\n #0  seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\n #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\n    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 \u003cinit_net\u003e, family=\u003coptimized out\u003e,\n    family=\u003coptimized out\u003e) at net/netlink/genetlink.c:731\n #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\n    family=0xffffffff82fef6c0 \u003cseg6_genl_family\u003e) at net/netlink/genetlink.c:775\n #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\n #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 \u003cgenl_rcv_msg\u003e)\n    at net/netlink/af_netlink.c:2501\n #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\n #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\n    at net/netlink/af_netlink.c:1319\n #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=\u003coptimized out\u003e)\n    at net/netlink/af_netlink.c:1345\n #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=\u003coptimized out\u003e, msg=0xffffc90000ba7e48, len=\u003coptimized out\u003e) at net/netlink/af_netlink.c:1921\n...\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-\u003ehead + ((struct sk_buff *)0xffff88800b1f9f00)-\u003eend\n$1 = 0xffff88800b1b76c0\n(gdb) p/x secret\n$2 = 0xffff88800b1b76c0\n(gdb) p slen\n$3 = 64 \u0027@\u0027\n\nThe OOB data can then be read back from userspace by dumping HMAC state. This\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\nSECRET."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-12-19T08:05:34.926Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864"
        },
        {
          "url": "https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab"
        },
        {
          "url": "https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c"
        },
        {
          "url": "https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093"
        },
        {
          "url": "https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3"
        },
        {
          "url": "https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35"
        }
      ],
      "title": "ipv6: sr: fix out-of-bounds read when setting HMAC data.",
      "x_generator": {
        "engine": "bippy-5f407fcff5a0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-48687",
    "datePublished": "2024-05-03T14:59:32.099Z",
    "dateReserved": "2024-05-03T14:55:07.144Z",
    "dateUpdated": "2024-12-19T08:05:34.926Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2022-48687\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-03T15:15:07.723\",\"lastModified\":\"2024-11-21T07:33:47.033\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nipv6: sr: fix out-of-bounds read when setting HMAC data.\\n\\nThe SRv6 layer allows defining HMAC data that can later be used to sign IPv6\\nSegment Routing Headers. This configuration is realised via netlink through\\nfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and\\nSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual\\nlength of the SECRET attribute, it is possible to provide invalid combinations\\n(e.g., secret = \\\"\\\", secretlen = 64). This case is not checked in the code and\\nwith an appropriately crafted netlink message, an out-of-bounds read of up\\nto 64 bytes (max secret length) can occur past the skb end pointer and into\\nskb_shared_info:\\n\\nBreakpoint 1, seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\\n208\\t\\tmemcpy(hinfo-\u003esecret, secret, slen);\\n(gdb) bt\\n #0  seg6_genl_sethmac (skb=\u003coptimized out\u003e, info=\u003coptimized out\u003e) at net/ipv6/seg6.c:208\\n #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,\\n    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 \u003cinit_net\u003e, family=\u003coptimized out\u003e,\\n    family=\u003coptimized out\u003e) at net/netlink/genetlink.c:731\\n #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,\\n    family=0xffffffff82fef6c0 \u003cseg6_genl_family\u003e) at net/netlink/genetlink.c:775\\n #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792\\n #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 \u003cgenl_rcv_msg\u003e)\\n    at net/netlink/af_netlink.c:2501\\n #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803\\n #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)\\n    at net/netlink/af_netlink.c:1319\\n #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=\u003coptimized out\u003e)\\n    at net/netlink/af_netlink.c:1345\\n #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=\u003coptimized out\u003e, msg=0xffffc90000ba7e48, len=\u003coptimized out\u003e) at net/netlink/af_netlink.c:1921\\n...\\n(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-\u003ehead + ((struct sk_buff *)0xffff88800b1f9f00)-\u003eend\\n$1 = 0xffff88800b1b76c0\\n(gdb) p/x secret\\n$2 = 0xffff88800b1b76c0\\n(gdb) p slen\\n$3 = 64 \u0027@\u0027\\n\\nThe OOB data can then be read back from userspace by dumping HMAC state. This\\ncommit fixes this by ensuring SECRETLEN cannot exceed the actual length of\\nSECRET.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: ipv6: sr: corrige lectura fuera de los l\u00edmites al configurar datos HMAC. La capa SRv6 permite definir datos HMAC que luego pueden usarse para firmar encabezados de enrutamiento de segmentos IPv6. Esta configuraci\u00f3n se realiza v\u00eda netlink a trav\u00e9s de cuatro atributos: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN y SEG6_ATTR_ALGID. Debido a que el atributo SECRETLEN est\u00e1 desacoplado de la longitud real del atributo SECRET, es posible proporcionar combinaciones no v\u00e1lidas (por ejemplo, secret = \\\"\\\", secretlen = 64). Este caso no est\u00e1 marcado en el c\u00f3digo y con un mensaje netlink manipulado apropiadamente, puede ocurrir una lectura fuera de los l\u00edmites de hasta 64 bytes (longitud m\u00e1xima del secreto) m\u00e1s all\u00e1 del puntero final de skb y en skb_shared_info: Punto de interrupci\u00f3n 1, seg6_genl_sethmac (skb =, info=) en net/ipv6/seg6.c:208 208 memcpy(hinfo-\u0026gt;secret, secret, slen); (gdb) bt #0 seg6_genl_sethmac (skb=, info=) en net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 en genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@ entrada=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 , family=, familia=) en net/netlink/ genetlink.c:731 #2 0xffffffff81e01435 en genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 ) en net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh= 0xffff88800b1b7600, extack=0xffffc90000ba7af0) en net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 en netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e013 50 ) en net/netlink/af_netlink.c: 2501 #5 0xffffffff81e00919 en genl_rcv (skb=0xffff88800b1f9f00) en net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae en netlink_unicast_kernel (ssk=0xffff888010eec800, f9f00, sk=0xffff888004aed000) en net/netlink/af_netlink.c:1319 # 7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=) en net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 en ( sock=, msg=0xffffc90000ba7e48, len=) en net/netlink/af_netlink.c:1921 ... (gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)-\u0026gt;head + ( (struct sk_buff *)0xffff88800b1f9f00)-\u0026gt;end $1 = 0xffff88800b1b76c0 (gdb) p/x secret $2 = 0xffff88800b1b76c0 (gdb) p slen $3 = 64 \u0027@\u0027 Los datos OOB se pueden volver a leer desde el espacio de usuario volcando el estado HMAC. Esta confirmaci\u00f3n soluciona este problema garantizando que SECRETLEN no pueda exceder la longitud real de SECRET.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":5.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.8,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-125\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.10\",\"versionEndExcluding\":\"4.14.298\",\"matchCriteriaId\":\"7140B9A2-EB63-497C-96B1-68A96CD99051\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15\",\"versionEndExcluding\":\"4.19.258\",\"matchCriteriaId\":\"253D30F5-3734-4663-883A-288786D3B66E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.20\",\"versionEndExcluding\":\"5.4.213\",\"matchCriteriaId\":\"4C373116-9E23-44BA-A6B7-87C8BF5C3B85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.5\",\"versionEndExcluding\":\"5.10.143\",\"matchCriteriaId\":\"E77EECF5-C31E-4342-8014-AA844BB83A76\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.11\",\"versionEndExcluding\":\"5.15.68\",\"matchCriteriaId\":\"C440CED2-FE3C-495D-839C-857FFC6F523A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.16\",\"versionEndExcluding\":\"5.19.9\",\"matchCriteriaId\":\"B4895A99-6E1B-4C76-A510-FDED00AD7D29\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/076f2479fc5a15c4a970ca3b5e57d42ba09a31fa\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/3df71e11a4773d775c3633c44319f7acdb89011c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/55195563ec29f80f984237b743de0e2b6ba4d093\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/56ad3f475482bca55b0ae544031333018eb145b3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/84a53580c5d2138c7361c7c3eea5b31827e63b35\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/dc9dbd65c803af1607484fed5da50d41dc8dd864\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/f684c16971ed5e77dfa25a9ad25b5297e1f58eab\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.