5.5

CVE-2022-49340

ip_gre: test csum_start instead of transport header

In the Linux kernel, the following vulnerability has been resolved:

ip_gre: test csum_start instead of transport header

GRE with TUNNEL_CSUM will apply local checksum offload on
CHECKSUM_PARTIAL packets.

ipgre_xmit must validate csum_start after an optional skb_pull,
else lco_csum may trigger an overflow. The original check was

	if (csum && skb_checksum_start(skb) < skb->data)
		return -EINVAL;

This had false positives when skb_checksum_start is undefined:
when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
was straightforward

	if (csum && skb->ip_summed == CHECKSUM_PARTIAL &&
	    skb_checksum_start(skb) < skb->data)
		return -EINVAL;

But was eventually revised more thoroughly:
- restrict the check to the only branch where needed, in an
  uncommon GRE path that uses header_ops and calls skb_pull.
- test skb_transport_header, which is set along with csum_start
  in skb_partial_csum_set in the normal header_ops datapath.

Turns out skbs can arrive in this branch without the transport
header set, e.g., through BPF redirection.

Revise the check back to check csum_start directly, and only if
CHECKSUM_PARTIAL. Do leave the check in the updated location.
Check field regardless of whether TUNNEL_CSUM is configured.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.19.207 < 4.19.247
LinuxLinux Kernel Version >= 5.4.148 < 5.4.198
LinuxLinux Kernel Version >= 5.10.68 < 5.10.122
LinuxLinux Kernel Version >= 5.14.7 < 5.15.47
LinuxLinux Kernel Version >= 5.16 < 5.17.15
LinuxLinux Kernel Version >= 5.18 < 5.18.4
LinuxLinux Kernel Version5.19 Updaterc1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.27% 0.183
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Es wurden noch keine Informationen zu CWE veröffentlicht.
https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98
Patch
https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c
Patch
https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006
Patch
https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21
Patch
https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948
Patch
https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58
Patch
https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604
Patch