CVE-2022-48744

一、漏洞信息
 漏洞编号：[CVE-2022-48744](https://nvd.nist.gov/vuln/detail/CVE-2022-48744)
 漏洞归属组件：[kernel](https://gitee.com/src-openeuler/kernel)
 漏洞归属的版本：4.19.140,4.19.194,4.19.90,5.10.0,6.1.0,6.1.14,6.1.19,6.1.5,6.1.6,6.1.8,6.4.0,6.6.0
 CVSS V2.0分值：
  BaseScore：0.0 None
  Vector：CVSS：2.0/
 漏洞简述：
  In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Avoid field-overflowing memcpy()In preparation for FORTIFY_SOURCE performing compile-time and run-timefield bounds checking for memcpy(), memmove(), and memset(), avoidintentionally writing across neighboring fields.Use flexible arrays instead of zero-element arrays (which look like theyare always overflowing) and split the cross-field memcpy() into two halvesthat can be appropriately bounds-checked by the compiler.We were doing:	#define ETH_HLEN  14	#define VLAN_HLEN  4	...	#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)	...        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);	...        struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;        struct mlx5_wqe_data_seg *dseg = wqe->data;	...	memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);target is wqe->eth.inline_hdr.start (which the compiler sees as being2 bytes in size), but copying 18, intending to write across start(really vlan_tci, 2 bytes). The remaining 16 bytes get written intowqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr(8 bytes).struct mlx5e_tx_wqe {        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */        struct mlx5_wqe_data_seg   data[];               /*    32     0 */        /* size: 32, cachelines: 1, members: 3 */        /* last cacheline: 32 bytes */};struct mlx5_wqe_eth_seg {        u8                         swp_outer_l4_offset;  /*     0     1 */        u8                         swp_outer_l3_offset;  /*     1     1 */        u8                         swp_inner_l4_offset;  /*     2     1 */        u8                         swp_inner_l3_offset;  /*     3     1 */        u8                         cs_flags;             /*     4     1 */        u8                         swp_flags;            /*     5     1 */        __be16                     mss;                  /*     6     2 */        __be32                     flow_table_metadata;  /*     8     4 */        union {                struct {                        __be16     sz;                   /*    12     2 */                        u8         start[2];             /*    14     2 */                } inline_hdr;                            /*    12     4 */                struct {                        __be16     type;                 /*    12     2 */                        __be16     vlan_tci;             /*    14     2 */                } insert;                                /*    12     4 */                __be32             trailer;              /*    12     4 */        };                                               /*    12     4 */        /* size: 16, cachelines: 1, members: 9 */        /* last cacheline: 16 bytes */};struct mlx5_wqe_data_seg {        __be32                     byte_count;           /*     0     4 */        __be32                     lkey;                 /*     4     4 */        __be64                     addr;                 /*     8     8 */        /* size: 16, cachelines: 1, members: 3 */        /* last cacheline: 16 bytes */};So, split the memcpy() so the compiler can reason about the buffersizes. pahole  shows no size nor member offset changes to struct mlx5e_tx_wqenor struct mlx5e_umr_wqe.  objdump -d  shows no meaningful objectcode changes (i.e. only source line number induced differences andoptimizations).
 漏洞公开时间：2024-06-20 20:15:12
 漏洞创建时间：2024-06-20 21:53:50
 漏洞详情参考链接：
  https://nvd.nist.gov/vuln/detail/CVE-2022-48744
<details>
<summary>更多参考(点击展开)</summary>

| 参考来源 | 参考链接 | 来源链接 |
| ------- | -------- | -------- |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e |  |
| 416baaa9-dc9f-4396-8d5f-8c081fb06d67 | https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67 |  |
| suse_bugzilla | http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-48744 | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| suse_bugzilla | https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2022/CVE-2022-48744.mbox | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| suse_bugzilla | https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| suse_bugzilla | https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67 | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| suse_bugzilla | https://www.cve.org/CVERecord?id=CVE-2022-48744 | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| suse_bugzilla | https://bugzilla.redhat.com/show_bug.cgi?id=2293315 | https://bugzilla.suse.com/show_bug.cgi?id=1226696 |
| ubuntu | https://www.cve.org/CVERecord?id=CVE-2022-48744 | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://git.kernel.org/linus/ad5185735f7dab342fdd0dd41044da4c9ccfef67 (5.17-rc3) | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67 | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://nvd.nist.gov/vuln/detail/CVE-2022-48744 | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://launchpad.net/bugs/cve/CVE-2022-48744 | https://ubuntu.com/security/CVE-2022-48744 |
| ubuntu | https://security-tracker.debian.org/tracker/CVE-2022-48744 | https://ubuntu.com/security/CVE-2022-48744 |

</details>

漏洞分析指导链接：
  https://gitee.com/openeuler/cve-manager/blob/master/cve-vulner-manager/doc/md/manual.md
 漏洞数据来源:
  openBrain开源漏洞感知系统
 漏洞补丁信息：
  <details>
<summary>详情(点击展开)</summary>

| 影响的包 | 修复版本 | 修复补丁 | 问题引入补丁 | 来源  |
| ------- | -------- | ------- | -------- | --------- |
| linux |  | https://git.kernel.org/linus/ad5185735f7dab342fdd0dd41044da4c9ccfef67 | https://git.kernel.org/linus/b5503b994ed5ed8dbfe821317e7b5b38acb065c5 | ubuntu |

</details>

二、漏洞分析结构反馈
 影响性分析说明：
    In the Linux kernel, the following vulnerability has been resolved:net/mlx5e: Avoid field-overflowing memcpy()In preparation for FORTIFY_SOURCE performing compile-time and run-timefield bounds checking for memcpy(), memmove(), and memset(), avoidintentionally writing across neighboring fields.Use flexible arrays instead of zero-element arrays (which look like theyare always overflowing) and split the cross-field memcpy() into two halvesthat can be appropriately bounds-checked by the compiler.We were doing:#define ETH_HLEN  14#define VLAN_HLEN  4...#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)...    struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);...    struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;    struct mlx5_wqe_data_seg *dseg = wqe->data;...memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);target is wqe->eth.inline_hdr.start (which the compiler sees as being2 bytes in size), but copying 18, intending to write across start(really vlan_tci, 2 bytes). The remaining 16 bytes get written intowqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr(8 bytes).struct mlx5e_tx_wqe {struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 /struct mlx5_wqe_eth_seg eth; / 16 16 /struct mlx5_wqe_data_seg data[]; / 32 0 */    /* size: 32, cachelines: 1, members: 3 */    /* last cacheline: 32 bytes */};struct mlx5_wqe_eth_seg {u8 swp_outer_l4_offset; /* 0 1 /u8 swp_outer_l3_offset; / 1 1 /u8 swp_inner_l4_offset; / 2 1 /u8 swp_inner_l3_offset; / 3 1 /u8 cs_flags; / 4 1 /u8 swp_flags; / 5 1 /__be16 mss; / 6 2 /__be32 flow_table_metadata; / 8 4 /union {struct {__be16 sz; / 12 2 /u8 start[2]; / 14 2 /} inline_hdr; / 12 4 /struct {__be16 type; / 12 2 /__be16 vlan_tci; / 14 2 /} insert; / 12 4 /__be32 trailer; / 12 4 /}; / 12 4 */    /* size: 16, cachelines: 1, members: 9 */    /* last cacheline: 16 bytes */};struct mlx5_wqe_data_seg {__be32 byte_count; /* 0 4 /__be32 lkey; / 4 4 /__be64 addr; / 8 8 */    /* size: 16, cachelines: 1, members: 3 */    /* last cacheline: 16 bytes */};So, split the memcpy() so the compiler can reason about the buffersizes. pahole  shows no size nor member offset changes to struct mlx5e_tx_wqenor struct mlx5e_umr_wqe.  objdump -d  shows no meaningful objectcode changes (i.e. only source line number induced differences andoptimizations). 
 openEuler评分：
  5.5
 Vector：CVSS：2.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 受影响版本排查(受影响/不受影响)：
  1.openEuler-20.03-LTS-SP4(4.19.90):受影响
2.openEuler-22.03-LTS-SP1(5.10.0):受影响
3.openEuler-22.03-LTS-SP3(5.10.0):受影响
4.openEuler-22.03-LTS-SP4(5.10.0):不受影响
5.master(6.1.0):不受影响
6.openEuler-24.03-LTS(6.6.0):不受影响
7.openEuler-24.03-LTS-Next(6.6.0):不受影响

修复是否涉及abi变化(是/否)：
  1.openEuler-20.03-LTS-SP4(4.19.90):否
2.openEuler-22.03-LTS-SP1(5.10.0):否
3.openEuler-22.03-LTS-SP3(5.10.0):否
4.master(6.1.0):否
5.openEuler-24.03-LTS(6.6.0):否
6.openEuler-24.03-LTS-Next(6.6.0):否
7.openEuler-22.03-LTS-SP4(5.10.0):否

三、漏洞修复
安全公告链接：https://www.openeuler.org/zh/security/safety-bulletin/detail/?id=openEuler-SA-2024-1839

src-openEuler/kernel
Closed

Content Risk Flag

Comments (29)

src-openEuler/kernelClosed .gitee-modal { width: 500px !important; }

Content Risk Flag

CVE-2022-48744

Comments (29)

Search

src-openEuler/kernel
Closed