CVE-2022-50655
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ppp: associate skb with a device at tx
Syzkaller triggered flow dissector warning with the following:
r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0)
[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 [ 9.485929] skb_get_poff+0x53/0xa0 [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 [ 9.485944] ? ppp_send_frame+0xc2/0x5b0 [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 [ 9.485968] ? ppp_xmit_process+0x5b/0xb0 [ 9.485974] ? ppp_write+0x12a/0x190 [ 9.485981] ? do_iter_write+0x18e/0x2d0 [ 9.485987] ? __import_iovec+0x30/0x130 [ 9.485997] ? do_pwritev+0x1b6/0x240 [ 9.486016] ? trace_hardirqs_on+0x47/0x50 [ 9.486023] ? __x64_sys_pwritev+0x24/0x30 [ 9.486026] ? do_syscall_64+0x3d/0x80 [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd
Flow dissector tries to find skb net namespace either via device or via socket. Neigher is set in ppp_send_frame, so let's manually use ppp->dev.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < 7da524781c531ebaf2f94c9dc4c541b82edecfed | affected |
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < 148dcbd3af039ae39c3af697a3183008c7995805 | affected |
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < 4b8f3b939266c90f03b7cc7e26a4c28c7b64137b | affected |
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < 18dc946360bfe0de016a59e3cc3ee1f450fceb9d | affected |
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < ee678b1f52f9439e930db2db3fd7e345d03e1a50 | affected |
| Linux | Linux | d58e468b1112dcd1d5193c0a89ff9f98b5a3e8b9 < 9f225444467b98579cf28d94f4ad053460dfdb84 | affected |
| Linux | Linux | 4.20 | affected |
| Linux | Linux | 0 < 4.20 | unaffected |
| Linux | Linux | 5.4.229 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.163 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.86 <= 5.15.* | unaffected |
| Linux | Linux | 6.0.16 <= 6.0.* | unaffected |
| Linux | Linux | 6.1.2 <= 6.1.* | unaffected |
| Linux | Linux | 6.2 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/7da524781c531ebaf2f94c9dc4c541b82edecfed
- https://git.kernel.org/stable/c/148dcbd3af039ae39c3af697a3183008c7995805
- https://git.kernel.org/stable/c/4b8f3b939266c90f03b7cc7e26a4c28c7b64137b
- https://git.kernel.org/stable/c/18dc946360bfe0de016a59e3cc3ee1f450fceb9d
- https://git.kernel.org/stable/c/ee678b1f52f9439e930db2db3fd7e345d03e1a50
- https://git.kernel.org/stable/c/9f225444467b98579cf28d94f4ad053460dfdb84
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.