CVE-2022-49754
7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
Smatch Warning: net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy() 'mesh_tx->param' too small (48 vs 50)
Analysis:
'mesh_tx->param' is array of size 48. This is the destination. u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48.
But in the caller 'mesh_send' we reject only when len > 50. len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | b338d91703fae6f6afd67f3f75caa3b8f36ddef3 < ed818fd8c531abf561b379995ee7cc4c68029464 | affected |
| Linux | Linux | b338d91703fae6f6afd67f3f75caa3b8f36ddef3 < 2185e0fdbb2137f22a9dd9fcbf6481400d56299b | affected |
| Linux | Linux | 6.1 | affected |
| Linux | Linux | 0 < 6.1 | unaffected |
| Linux | Linux | 6.1.9 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://git.kernel.org/stable/c/ed818fd8c531abf561b379995ee7cc4c68029464
- https://git.kernel.org/stable/c/2185e0fdbb2137f22a9dd9fcbf6481400d56299b
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.