fkie_cve-2022-48744
Vulnerability from fkie_nvd
Published
2024-06-20 12:15
Modified
2024-11-21 07:33
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid field-overflowing memcpy() In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields. Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler. We were doing: #define ETH_HLEN 14 #define VLAN_HLEN 4 ... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) ... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... struct mlx5_wqe_eth_seg *eseg = &wqe->eth; struct mlx5_wqe_data_seg *dseg = wqe->data; ... memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE); target is wqe->eth.inline_hdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlan_tci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr (8 bytes). struct mlx5e_tx_wqe { struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg data[]; /* 32 0 */ /* size: 32, cachelines: 1, members: 3 */ /* last cacheline: 32 bytes */ }; struct mlx5_wqe_eth_seg { u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ union { struct { __be16 sz; /* 12 2 */ u8 start[2]; /* 14 2 */ } inline_hdr; /* 12 4 */ struct { __be16 type; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insert; /* 12 4 */ __be32 trailer; /* 12 4 */ }; /* 12 4 */ /* size: 16, cachelines: 1, members: 9 */ /* last cacheline: 16 bytes */ }; struct mlx5_wqe_data_seg { __be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 addr; /* 8 8 */ /* size: 16, cachelines: 1, members: 3 */ /* last cacheline: 16 bytes */ }; So, split the memcpy() so the compiler can reason about the buffer sizes. "pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Avoid field-overflowing memcpy()\n\nIn preparation for FORTIFY_SOURCE performing compile-time and run-time\nfield bounds checking for memcpy(), memmove(), and memset(), avoid\nintentionally writing across neighboring fields.\n\nUse flexible arrays instead of zero-element arrays (which look like they\nare always overflowing) and split the cross-field memcpy() into two halves\nthat can be appropriately bounds-checked by the compiler.\n\nWe were doing:\n\n\t#define ETH_HLEN  14\n\t#define VLAN_HLEN  4\n\t...\n\t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)\n\t...\n        struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi);\n\t...\n        struct mlx5_wqe_eth_seg  *eseg = \u0026wqe-\u003eeth;\n        struct mlx5_wqe_data_seg *dseg = wqe-\u003edata;\n\t...\n\tmemcpy(eseg-\u003einline_hdr.start, xdptxd-\u003edata, MLX5E_XDP_MIN_INLINE);\n\ntarget is wqe-\u003eeth.inline_hdr.start (which the compiler sees as being\n2 bytes in size), but copying 18, intending to write across start\n(really vlan_tci, 2 bytes). The remaining 16 bytes get written into\nwqe-\u003edata[0], covering byte_count (4 bytes), lkey (4 bytes), and addr\n(8 bytes).\n\nstruct mlx5e_tx_wqe {\n        struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */\n        struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */\n        struct mlx5_wqe_data_seg   data[];               /*    32     0 */\n\n        /* size: 32, cachelines: 1, members: 3 */\n        /* last cacheline: 32 bytes */\n};\n\nstruct mlx5_wqe_eth_seg {\n        u8                         swp_outer_l4_offset;  /*     0     1 */\n        u8                         swp_outer_l3_offset;  /*     1     1 */\n        u8                         swp_inner_l4_offset;  /*     2     1 */\n        u8                         swp_inner_l3_offset;  /*     3     1 */\n        u8                         cs_flags;             /*     4     1 */\n        u8                         swp_flags;            /*     5     1 */\n        __be16                     mss;                  /*     6     2 */\n        __be32                     flow_table_metadata;  /*     8     4 */\n        union {\n                struct {\n                        __be16     sz;                   /*    12     2 */\n                        u8         start[2];             /*    14     2 */\n                } inline_hdr;                            /*    12     4 */\n                struct {\n                        __be16     type;                 /*    12     2 */\n                        __be16     vlan_tci;             /*    14     2 */\n                } insert;                                /*    12     4 */\n                __be32             trailer;              /*    12     4 */\n        };                                               /*    12     4 */\n\n        /* size: 16, cachelines: 1, members: 9 */\n        /* last cacheline: 16 bytes */\n};\n\nstruct mlx5_wqe_data_seg {\n        __be32                     byte_count;           /*     0     4 */\n        __be32                     lkey;                 /*     4     4 */\n        __be64                     addr;                 /*     8     8 */\n\n        /* size: 16, cachelines: 1, members: 3 */\n        /* last cacheline: 16 bytes */\n};\n\nSo, split the memcpy() so the compiler can reason about the buffer\nsizes.\n\n\"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe\nnor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object\ncode changes (i.e. only source line number induced differences and\noptimizations)."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net/mlx5e: Evite el desbordamiento de campos memcpy() En preparaci\u00f3n para FORTIFY_SOURCE, se realizan comprobaciones de los l\u00edmites de campos en tiempo de compilaci\u00f3n y tiempo de ejecuci\u00f3n para memcpy(), memmove() y memset( ), evite escribir intencionalmente en campos vecinos. Utilice matrices flexibles en lugar de matrices de elementos cero (que parecen estar siempre desbordadas) y divida el campo cruzado memcpy() en dos mitades que el compilador pueda verificar adecuadamente los l\u00edmites. Est\u00e1bamos haciendo: #define ETH_HLEN 14 #define VLAN_HLEN 4... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN)... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... estructura mlx5_wqe_eth_seg *eseg = \u0026amp;wqe-\u0026gt;eth; struct mlx5_wqe_data_seg *dseg = wqe-\u0026gt;datos; ... memcpy(eseg-\u0026gt;inline_hdr.start, xdptxd-\u0026gt;data, MLX5E_XDP_MIN_INLINE); El objetivo es wqe-\u0026gt;eth.inline_hdr.start (que el compilador considera que tiene un tama\u00f1o de 2 bytes), pero copia 18, con la intenci\u00f3n de escribir a lo largo del inicio (en realidad, vlan_tci, 2 bytes). Los 16 bytes restantes se escriben en wqe-\u0026gt;data[0], cubriendo byte_count (4 bytes), lkey (4 bytes) y addr (8 bytes). estructura mlx5e_tx_wqe { estructura mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg datos[]; /* 32 0 */ /* tama\u00f1o: 32, l\u00edneas de cach\u00e9: 1, miembros: 3 */ /* \u00faltima l\u00ednea de cach\u00e9: 32 bytes */ }; struct mlx5_wqe_eth_seg { u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ uni\u00f3n { estructura { __be16 sz; /* 12 2 */ u8 inicio[2]; /* 14 2 */ } inline_hdr; /* 12 4 */ struct { __be16 tipo; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insertar; /* 12 4 */ __be32 remolque; /* 12 4 */ }; /* 12 4 */ /* tama\u00f1o: 16, l\u00edneas de cach\u00e9: 1, miembros: 9 */ /* \u00faltima l\u00ednea de cach\u00e9: 16 bytes */ }; struct mlx5_wqe_data_seg { __be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 direcci\u00f3n; /* 8 8 */ /* tama\u00f1o: 16, l\u00edneas de cach\u00e9: 1, miembros: 3 */ /* \u00faltima l\u00ednea de cach\u00e9: 16 bytes */ }; Entonces, divida memcpy() para que el compilador pueda razonar sobre los tama\u00f1os del b\u00fafer. \"pahole\" no muestra cambios de tama\u00f1o ni de compensaci\u00f3n de miembros en la estructura mlx5e_tx_wqe ni en la estructura mlx5e_umr_wqe. \"objdump -d\" no muestra cambios significativos en el c\u00f3digo objeto (es decir, solo diferencias y optimizaciones inducidas por el n\u00famero de l\u00ednea de origen)."
    }
  ],
  "id": "CVE-2022-48744",
  "lastModified": "2024-11-21T07:33:54.620",
  "metrics": {},
  "published": "2024-06-20T12:15:12.700",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/8fbdf8c8b8ab82beab882175157650452c46493e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://git.kernel.org/stable/c/ad5185735f7dab342fdd0dd41044da4c9ccfef67"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.