CVE-2022-48744

EUVD-2022-53623

20.06.2024, 12:15

In the Linux kernel, the following vulnerability has been resolved:

net/mlx5e: Avoid field-overflowing memcpy()

In preparation for FORTIFY_SOURCE performing compile-time and run-time
field bounds checking for memcpy(), memmove(), and memset(), avoid
intentionally writing across neighboring fields.

Use flexible arrays instead of zero-element arrays (which look like they
are always overflowing) and split the cross-field memcpy() into two halves
that can be appropriately bounds-checked by the compiler.

We were doing:

	#define ETH_HLEN  14
	#define VLAN_HLEN  4
	...
	#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)
	...
        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);
	...
        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;
        struct mlx5_wqe_data_seg *dseg = wqe->data;
	...
	memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);

target is wqe->eth.inline_hdr.start (which the compiler sees as being
2 bytes in size), but copying 18, intending to write across start
(really vlan_tci, 2 bytes). The remaining 16 bytes get written into
wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr
(8 bytes).

struct mlx5e_tx_wqe {
        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */
        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */
        struct mlx5_wqe_data_seg   data[];               /*    32     0 */

        /* size: 32, cachelines: 1, members: 3 */
        /* last cacheline: 32 bytes */
};

struct mlx5_wqe_eth_seg {
        u8                         swp_outer_l4_offset;  /*     0     1 */
        u8                         swp_outer_l3_offset;  /*     1     1 */
        u8                         swp_inner_l4_offset;  /*     2     1 */
        u8                         swp_inner_l3_offset;  /*     3     1 */
        u8                         cs_flags;             /*     4     1 */
        u8                         swp_flags;            /*     5     1 */
        __be16                     mss;                  /*     6     2 */
        __be32                     flow_table_metadata;  /*     8     4 */
        union {
                struct {
                        __be16     sz;                   /*    12     2 */
                        u8         start[2];             /*    14     2 */
                } inline_hdr;                            /*    12     4 */
                struct {
                        __be16     type;                 /*    12     2 */
                        __be16     vlan_tci;             /*    14     2 */
                } insert;                                /*    12     4 */
                __be32             trailer;              /*    12     4 */
        };                                               /*    12     4 */

        /* size: 16, cachelines: 1, members: 9 */
        /* last cacheline: 16 bytes */
};

struct mlx5_wqe_data_seg {
        __be32                     byte_count;           /*     0     4 */
        __be32                     lkey;                 /*     4     4 */
        __be64                     addr;                 /*     8     8 */

        /* size: 16, cachelines: 1, members: 3 */
        /* last cacheline: 16 bytes */
};

So, split the memcpy() so the compiler can reason about the buffer
sizes.

"pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe
nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object
code changes (i.e. only source line number induced differences and
optimizations).

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	LOW	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
linux	linux_kernel	4.9 ≤ 𝑥 < 5.10.248
linux	linux_kernel	5.11 ≤ 𝑥 < 5.16.6
linux	linux_kernel	5.17:rc1
linux	linux_kernel	5.17:rc2

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

linux

bookworm	6.1.106-3 fixed
bookworm (security)	6.1.112-1 fixed
bullseye	vulnerable
bullseye (security)	vulnerable
sid	6.11.6-1 fixed
trixie	6.11.5-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

linux

bionic	ignored
focal	needed
jammy	needed
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-allwinner-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws

bionic	ignored
focal	needed
jammy	needed
mantic	not-affected
noble	not-affected
trusty	not-affected
xenial	not-affected

linux-aws-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-aws-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-aws-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-aws-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-aws-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-aws-hwe

focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	ignored

linux-azure

bionic	ignored
focal	needed
jammy	needed
mantic	not-affected
noble	not-affected
trusty	ignored
xenial	ignored

linux-azure-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-azure-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-azure-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-azure-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-azure-fde

focal	ignored
jammy	needed
mantic	dne
noble	dne

linux-azure-fde-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-azure-fde-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fde-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-azure-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-bluefield

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp

bionic	ignored
focal	needed
jammy	needed
mantic	not-affected
noble	not-affected
xenial	ignored

linux-gcp-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gcp-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gcp-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-gcp-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-gcp-fips

focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke

focal	ignored
jammy	needed
mantic	dne
noble	not-affected

linux-gke-4.15

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gke-5.15

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-gke-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-gkeop

focal	needed
jammy	needed
mantic	dne
noble	dne

linux-gkeop-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-gkeop-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	ignored

linux-hwe-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-hwe-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-hwe-edge

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne
xenial	ignored

linux-ibm

focal	needed
jammy	needed
mantic	ignored
noble	not-affected

linux-ibm-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-ibm-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-intel

bionic	dne
focal	dne
jammy	dne
mantic	dne
noble	not-affected
trusty	dne
xenial	dne

linux-intel-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-intel-iot-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-intel-iotg

focal	dne
jammy	needed
mantic	dne
noble	dne

linux-intel-iotg-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-iot

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-kvm

bionic	ignored
focal	needed
jammy	needed
mantic	dne
noble	dne
xenial	not-affected

linux-laptop

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-lowlatency

focal	dne
jammy	needed
mantic	not-affected
noble	not-affected

linux-lowlatency-hwe-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-lowlatency-hwe-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-lowlatency-hwe-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-lowlatency-hwe-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-lts-xenial

focal	dne
jammy	dne
mantic	dne
noble	dne
trusty	not-affected

linux-nvidia

focal	dne
jammy	needed
mantic	dne
noble	not-affected

linux-nvidia-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-nvidia-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-nvidia-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-nvidia-lowlatency

bionic	dne
focal	dne
jammy	dne
noble	not-affected
trusty	dne
xenial	dne

linux-oem

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oem-5.10

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.14

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-5.17

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-5.6

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oem-6.0

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.1

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-oem-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-oem-6.8

focal	dne
jammy	dne
mantic	dne
noble	not-affected

linux-oracle

bionic	ignored
focal	needed
jammy	needed
mantic	not-affected
noble	not-affected
xenial	ignored

linux-oracle-5.0

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.13

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.3

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-oracle-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-oracle-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-raspi

focal	needed
jammy	needed
mantic	not-affected
noble	not-affected

linux-raspi-5.4

bionic	ignored
focal	dne
jammy	dne
mantic	dne
noble	dne

linux-raspi-realtime

bionic	dne
focal	dne
jammy	dne
noble	dne
trusty	dne
xenial	dne

linux-raspi2

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-realtime

bionic	dne
focal	dne
jammy	ignored
noble	dne
trusty	dne
xenial	dne

linux-riscv

focal	ignored
jammy	ignored
mantic	not-affected
noble	not-affected

linux-riscv-5.11

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.15

focal	needed
jammy	dne
mantic	dne
noble	dne

linux-riscv-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-riscv-5.8

focal	ignored
jammy	dne
mantic	dne
noble	dne

linux-riscv-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-riscv-6.8

bionic	dne
focal	dne
jammy	not-affected
noble	dne
trusty	dne
xenial	dne

linux-starfive

focal	dne
jammy	dne
mantic	not-affected
noble	dne

linux-starfive-5.19

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.2

focal	dne
jammy	ignored
mantic	dne
noble	dne

linux-starfive-6.5

focal	dne
jammy	not-affected
mantic	dne
noble	dne

linux-xilinx-zynqmp

focal	needed
jammy	needed
mantic	dne
noble	dne

openSUSE / SLES Releases

openSUSE Product

Release

kernel-64kb

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.60.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.60.1 fixed

kernel-default

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-default-base

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1.150400.24.62.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1.150500.6.33.8 fixed

kernel-docs

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.2 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.2 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.2 fixed

kernel-macros

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-obs-build

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-source

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-source-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.60.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.60.1 fixed

kernel-syms

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

kernel-syms-azure

suse enterprise sap 15 SP5	5.14.21-150500.33.60.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.33.60.1 fixed

kernel-zfcpdump

suse enterprise desktop 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise sap 15 SP5	5.14.21-150500.55.73.1 fixed
suse enterprise server 15 SP4	5.14.21-150400.24.128.1 fixed
suse enterprise server 15 SP5	5.14.21-150500.55.73.1 fixed

reiserfs-kmp-default

suse enterprise server 15 SP4

5.14.21-150400.24.128.1

fixed

Common Weakness Enumeration

CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://git.kernel.org/stable/c/49bcbe531f79fc35bb10020f7695f9f01e4f0ca8

https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e

https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67

https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e

https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67