FKIE_CVE-2022-49094

Vulnerability from fkie_nvd - Published: 2025-02-26 07:00 - Updated: 2025-09-23 16:41
Severity ?
7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: net/tls: fix slab-out-of-bounds bug in decrypt_internal The memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So memcpy() require 16 bytes from 12 bytes memory space will trigger slab-out-of-bounds bug as following: ================================================================== BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls] Read of size 16 at addr ffff888114e84e60 by task tls/10911 Call Trace: <TASK> dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db ? decrypt_internal+0x385/0xc40 [tls] kasan_report+0xab/0x120 ? decrypt_internal+0x385/0xc40 [tls] kasan_check_range+0xf9/0x1e0 memcpy+0x20/0x60 decrypt_internal+0x385/0xc40 [tls] ? tls_get_rec+0x2e0/0x2e0 [tls] ? process_rx_list+0x1a5/0x420 [tls] ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] decrypt_skb_update+0x9d/0x400 [tls] tls_sw_recvmsg+0x3c8/0xb50 [tls] Allocated by task 10911: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 tls_set_sw_offload+0x2eb/0xa20 [tls] tls_setsockopt+0x68c/0x700 [tls] __sys_setsockopt+0xfe/0x1b0 Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy() iv value in TLS_1_3_VERSION scenario.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 5.18
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C388193-E002-43D1-9296-FE6FEC623F34",
              "versionEndExcluding": "5.4.189",
              "versionStartIncluding": "5.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "96258501-7BCE-4C55-8A38-8AC9D327626D",
              "versionEndExcluding": "5.10.111",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D25878D3-7761-4E9F-8919-E92CD53896E0",
              "versionEndExcluding": "5.15.34",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABBBA66E-0244-4621-966B-9790AF1EEB00",
              "versionEndExcluding": "5.16.20",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE420AC7-1E59-4398-B84F-71F4B4337762",
              "versionEndExcluding": "5.17.3",
              "versionStartIncluding": "5.17",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:5.18:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "6AD94161-84BB-42E6-9882-4FC0C42E9FC1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix slab-out-of-bounds bug in decrypt_internal\n\nThe memory size of tls_ctx-\u003erx.iv for AES128-CCM is 12 setting in\ntls_set_sw_offload(). The return value of crypto_aead_ivsize()\nfor \"ccm(aes)\" is 16. So memcpy() require 16 bytes from 12 bytes\nmemory space will trigger slab-out-of-bounds bug as following:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]\nRead of size 16 at addr ffff888114e84e60 by task tls/10911\n\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_report+0xab/0x120\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_check_range+0xf9/0x1e0\n memcpy+0x20/0x60\n decrypt_internal+0x385/0xc40 [tls]\n ? tls_get_rec+0x2e0/0x2e0 [tls]\n ? process_rx_list+0x1a5/0x420 [tls]\n ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]\n decrypt_skb_update+0x9d/0x400 [tls]\n tls_sw_recvmsg+0x3c8/0xb50 [tls]\n\nAllocated by task 10911:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n tls_set_sw_offload+0x2eb/0xa20 [tls]\n tls_setsockopt+0x68c/0x700 [tls]\n __sys_setsockopt+0xfe/0x1b0\n\nReplace the crypto_aead_ivsize() with prot-\u003eiv_size + prot-\u003esalt_size\nwhen memcpy() iv value in TLS_1_3_VERSION scenario."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/tls: corrige el error de slab fuera de los l\u00edmites en decrypt_internal El tama\u00f1o de memoria de tls_ctx-\u0026gt;rx.iv para AES128-CCM es 12 configurado en tls_set_sw_offload(). El valor de retorno de crypto_aead_ivsize() para \"ccm(aes)\" es 16. Por lo tanto, memcpy() requiere 16 bytes de 12 bytes de espacio de memoria y activar\u00e1 un error de losa fuera de los l\u00edmites de la siguiente manera: ========================================================================= ERROR: KASAN: losa fuera de los l\u00edmites en decrypt_internal+0x385/0xc40 [tls] Lectura de tama\u00f1o 16 en la direcci\u00f3n ffff888114e84e60 por la tarea tls/10911 Seguimiento de llamadas:  dump_stack_lvl+0x34/0x44 print_report.cold+0x5e/0x5db ? decrypt_internal+0x385/0xc40 [tls] kasan_report+0xab/0x120 ? decrypt_internal+0x385/0xc40 [tls] kasan_check_range+0xf9/0x1e0 memcpy+0x20/0x60 decrypt_internal+0x385/0xc40 [tls] ? tls_get_rec+0x2e0/0x2e0 [tls] ? process_rx_list+0x1a5/0x420 [tls] ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls] decrypt_skb_update+0x9d/0x400 [tls] tls_sw_recvmsg+0x3c8/0xb50 [tls] Asignado por la tarea 10911: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 tls_set_sw_offload+0x2eb/0xa20 [tls] tls_setsockopt+0x68c/0x700 [tls] __sys_setsockopt+0xfe/0x1b0 Reemplace crypto_aead_ivsize() con prot-\u0026gt;iv_size + prot-\u0026gt;salt_size cuando el valor iv de memcpy() est\u00e9 en Escenario TLS_1_3_VERSION."
    }
  ],
  "id": "CVE-2022-49094",
  "lastModified": "2025-09-23T16:41:29.130",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2025-02-26T07:00:46.747",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-125"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.