摘要:
In the Linux kernel, the following vulnerability has been resolved:ipv6: sr: fix out-of-bounds read when setting HMAC data.The SRv6 layer allows defining HMAC data that can later be used to sign IPv6Segment Routing Headers. This configuration is realised via netlink throughfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN andSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actuallength of the SECRET attribute, it is possible to provide invalid combinations(e.g., secret = , secretlen = 64). This case is not checked in the code andwith an appropriately crafted netlink message, an out-of-bounds read of upto 64 bytes (max secret length) can occur past the skb end pointer and intoskb_shared_info:Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208208 memcpy(hinfo->secret, secret, slen);(gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921...(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end$1 = 0xffff88800b1b76c0(gdb) p/x secret$2 = 0xffff88800b1b76c0(gdb) p slen$3 = 64 @ The OOB data can then be read back from userspace by dumping HMAC state. Thiscommit fixes this by ensuring SECRETLEN cannot exceed the actual length ofSECRET.
安全等级: Low
公告ID: KylinSec-SA-2024-2779
发布日期: 2024年8月30日
关联CVE: CVE-2022-48687
In the Linux kernel, the following vulnerability has been resolved:ipv6: sr: fix out-of-bounds read when setting HMAC data.The SRv6 layer allows defining HMAC data that can later be used to sign IPv6Segment Routing Headers. This configuration is realised via netlink throughfour attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN andSEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actuallength of the SECRET attribute, it is possible to provide invalid combinations(e.g., secret = , secretlen = 64). This case is not checked in the code andwith an appropriately crafted netlink message, an out-of-bounds read of upto 64 bytes (max secret length) can occur past the skb end pointer and intoskb_shared_info:Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208208 memcpy(hinfo->secret, secret, slen);(gdb) bt #0 seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208 #1 0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600, extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>, family=<optimized out>) at net/netlink/genetlink.c:731 #2 0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00, family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775 #3 genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792 #4 0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>) at net/netlink/af_netlink.c:2501 #5 0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803 #6 0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000) at net/netlink/af_netlink.c:1319 #7 netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>) at net/netlink/af_netlink.c:1345 #8 0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921...(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end$1 = 0xffff88800b1b76c0(gdb) p/x secret$2 = 0xffff88800b1b76c0(gdb) p slen$3 = 64 @ The OOB data can then be read back from userspace by dumping HMAC state. Thiscommit fixes this by ensuring SECRETLEN cannot exceed the actual length ofSECRET.
| cve名称 | 产品 | 组件 | 是否受影响 |
|---|
