fkie_cve-2022-49330
Vulnerability from fkie_nvd
Published
2025-02-26 07:01
Modified
2025-02-26 07:01
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd syzbot got a new report [1] finally pointing to a very old bug, added in initial support for MTU probing. tcp_mtu_probe() has checks about starting an MTU probe if tcp_snd_cwnd(tp) >= 11. But nothing prevents tcp_snd_cwnd(tp) to be reduced later and before the MTU probe succeeds. This bug would lead to potential zero-divides. Debugging added in commit 40570375356c ("tcp: add accessors to read/set tp->snd_cwnd") has paid off :) While we are at it, address potential overflows in this code. [1] WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712 Modules linked in: CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline] RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712 Code: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287 RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000 RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520 R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50 R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000 FS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356 tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861 tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973 tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476 sk_backlog_rcv include/net/sock.h:1061 [inline] __release_sock+0x1d8/0x4c0 net/core/sock.c:2849 release_sock+0x5d/0x1c0 net/core/sock.c:3404 sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145 tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448 sock_sendmsg_nosec net/socket.c:714 [inline] sock_sendmsg net/socket.c:734 [inline] __sys_sendto+0x439/0x5c0 net/socket.c:2119 __do_sys_sendto net/socket.c:2131 [inline] __se_sys_sendto net/socket.c:2127 [inline] __x64_sys_sendto+0xda/0xf0 net/socket.c:2127 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f6431289109 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109 RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/11825765291a93d8e7f44230da67b9f607c777bf
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/29e13f6b38f0816af2012e0725507754e8f4569c
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/38ca71a24cd4845021eed35fd2594d89dba9a5a8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/42726877453afdbe1508a8a96884ea907741d9a7
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/602b338e3c3cd7f935f3f5011882961d074e5ac1
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ba2b4ac35935f05ac98cff722f36ba07d62270e
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/aa7f333efd1138a68517a6a6a69ae540dd59d800
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f2845e1504a3bc4f3381394f057e8b63cb5f3f7a
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntcp: fix tcp_mtup_probe_success vs wrong snd_cwnd\n\nsyzbot got a new report [1] finally pointing to a very old bug,\nadded in initial support for MTU probing.\n\ntcp_mtu_probe() has checks about starting an MTU probe if\ntcp_snd_cwnd(tp) \u003e= 11.\n\nBut nothing prevents tcp_snd_cwnd(tp) to be reduced later\nand before the MTU probe succeeds.\n\nThis bug would lead to potential zero-divides.\n\nDebugging added in commit 40570375356c (\"tcp: add accessors\nto read/set tp-\u003esnd_cwnd\") has paid off :)\n\nWhile we are at it, address potential overflows in this code.\n\n[1]\nWARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nModules linked in:\nCPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]\nRIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712\nCode: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 \u003c0f\u003e 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff\nRSP: 0018:ffffc900079e70f8 EFLAGS: 00010287\nRAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000\nRDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f\nRBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520\nR10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50\nR13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000\nFS:  00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356\n tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861\n tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973\n tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476\n sk_backlog_rcv include/net/sock.h:1061 [inline]\n __release_sock+0x1d8/0x4c0 net/core/sock.c:2849\n release_sock+0x5d/0x1c0 net/core/sock.c:3404\n sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145\n tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410\n tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448\n sock_sendmsg_nosec net/socket.c:714 [inline]\n sock_sendmsg net/socket.c:734 [inline]\n __sys_sendto+0x439/0x5c0 net/socket.c:2119\n __do_sys_sendto net/socket.c:2131 [inline]\n __se_sys_sendto net/socket.c:2127 [inline]\n __x64_sys_sendto+0xda/0xf0 net/socket.c:2127\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x46/0xb0\nRIP: 0033:0x7f6431289109\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\nRAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109\nRDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a\nRBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000\nR13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000"
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd syzbot recibi\u00f3 un nuevo informe [1] que finalmente apunta a un error muy antiguo, agregado en el soporte inicial para el sondeo de MTU. tcp_mtu_probe() tiene comprobaciones sobre el inicio de un sondeo de MTU si tcp_snd_cwnd(tp) \u0026gt;= 11. Pero nada impide que tcp_snd_cwnd(tp) se reduzca m\u00e1s tarde y antes de que el sondeo de MTU tenga \u00e9xito. Este error conducir\u00eda a posibles divisiones por cero. La depuraci\u00f3n agregada en el commit 40570375356c (\"tcp: add accessors to read/set tp-\u0026gt;snd_cwnd\") ha valido la pena :) Mientras estamos en ello, aborde los posibles desbordamientos en este c\u00f3digo. [1] ADVERTENCIA: CPU: 1 PID: 14132 en include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712 M\u00f3dulos vinculados en: CPU: 1 PID: 14132 Comm: syz-executor.2 No contaminado 5.18.0-syzkaller-07857-gbabf0bb978e3 #0 Nombre del hardware: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [en l\u00ednea] RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712 C\u00f3digo: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 \u0026lt;0f\u0026gt; 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287 RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000 RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520 R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50 R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000 FS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0 DR0: 00000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Seguimiento de llamadas:  tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356 tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861 tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973 tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476 sk_backlog_rcv include/net/sock.h:1061 [en l\u00ednea] __release_sock+0x1d8/0x4c0 net/core/sock.c:2849 release_sock+0x5d/0x1c0 net/core/sock.c:3404 sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145 tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410 tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448 sock_sendmsg_nosec net/socket.c:714 [en l\u00ednea] sock_sendmsg net/socket.c:734 [en l\u00ednea] __sys_sendto+0x439/0x5c0 net/socket.c:2119 __do_sys_sendto net/socket.c:2131 [en l\u00ednea] __se_sys_sendto net/socket.c:2127 [en l\u00ednea] __x64_sys_sendto+0xda/0xf0 net/socket.c:2127 do_syscall_x64 arch/x86/entry/common.c:50 [en l\u00ednea] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entrada_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f6431289109 C\u00f3digo: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u0026lt;48\u0026gt; 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109 RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: 00000000000000246 R12: 0000000000000000 R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000"
    }
  ],
  "id": "CVE-2022-49330",
  "lastModified": "2025-02-26T07:01:09.797",
  "metrics": {},
  "published": "2025-02-26T07:01:09.797",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/11825765291a93d8e7f44230da67b9f607c777bf"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/29e13f6b38f0816af2012e0725507754e8f4569c"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/38ca71a24cd4845021eed35fd2594d89dba9a5a8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/42726877453afdbe1508a8a96884ea907741d9a7"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/602b338e3c3cd7f935f3f5011882961d074e5ac1"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/90385f2b65d0cd2b3b1ac8909f0cc6dd31062cfc"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/9ba2b4ac35935f05ac98cff722f36ba07d62270e"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/aa7f333efd1138a68517a6a6a69ae540dd59d800"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/f2845e1504a3bc4f3381394f057e8b63cb5f3f7a"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.