CVE-2022-49340

ip_gre: test csum_start instead of transport header

Time Line

Published

2024-03-19

Updated

2024-03-19

Firt exploit

2024-03-19

Overview

Descriptions (1)

MITRE

CWE (0)

CAPEC (-)

Risk

CVSS Score

SSVC

KEV

EPSS

Affected Products (-)

Vendors (1)

linux

Products (1)

linux_kernel

Versions (8)

>= 4.19.207 < 4.19.247, >= 5.4.148 < 5.4.198, >= 5.10.68 < 5.10.122, >= 5.15 < 5.15.47, >= 5.15 < 5.17.15, >= 5.15 < 5.18.4, >= 5.15 < 5.19, 5.14.7

Intel Resources (-)

Advisories (-)

Exploits (-)

Plugins (-)

References (12)

General (5)

kernel

Exploits & POcs (-)

Patches (7)

kernel

Advisories (-)

Summary

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved: ip_gre: test csum_start instead of transport header GRE with TUNNEL_CSUM will apply local checksum offload on
CHECKSUM_PARTIAL packets. ipgre_xmit must validate csum_start after an optional skb_pull,
else lco_csum may trigger an overflow. The original check was if (csum && skb_checksum_start(skb) < skb->data) return -EINVAL; This had false positives when skb_checksum_start is undefined:
when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement
was straightforward if (csum && skb->ip_summed == CHECKSUM_PARTIAL && skb_checksum_start(skb) < skb->data) return -EINVAL; But was eventually revised more thoroughly:
- restrict the check to the only branch where needed, in an uncommon GRE path that uses header_ops and calls skb_pull.
- test skb_transport_header, which is set along with csum_start in skb_partial_csum_set in the normal header_ops datapath. Turns out skbs can arrive in this branch without the transport
header set, e.g., through BPF redirection. Revise the check back to check csum_start directly, and only if
CHECKSUM_PARTIAL. Do leave the check in the updated location.
Check field regardless of whether TUNNEL_CSUM is configured.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2025-02-26 CVE Reserved
2025-02-26 CVE Published
2025-02-26 CVE Updated
---------- EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

Threat Intelligence Resources (0)

Advisories (0)
Exploits (0)

Security Advisory details:

Select an advisory to view details here.

Select	Title	Date

Select an exploit to view details here.

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/774430026bd9a472d08c5d3c33351a782315771a	Vuln. Introduced
https://git.kernel.org/stable/c/3d32ce5472bb2ca720bef84089b85f76a705fd1a	Vuln. Introduced
https://git.kernel.org/stable/c/87b34cd6485192777f632f92d592f2a71d8801a6	Vuln. Introduced
https://git.kernel.org/stable/c/8a0ed250f911da31a2aef52101bc707846a800ff	Vuln. Introduced
https://git.kernel.org/stable/c/4bf5d5224ffca069df4501ba5fcc6ded9c002ead	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21	2022-06-14
https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006	2022-06-14
https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604	2022-06-14
https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58	2022-06-14
https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98	2022-06-14
https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c	2022-06-14
https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948	2022-06-09

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.207 < 4.19.247 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.207 < 4.19.247"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.148 < 5.4.198 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.148 < 5.4.198"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.68 < 5.10.122 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.68 < 5.10.122"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.15.47 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.15.47"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.17.15 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.17.15"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.18.4 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.18.4"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15 < 5.19 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15 < 5.19"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.14.7 Search vendor "Linux" for product "Linux Kernel" and version "5.14.7"		en		Affected

CVE-2022-49340

ip_gre: test csum_start instead of transport header

Severity Score

Exploit Likelihood

Affected Versions

Public Exploits

Exploited in Wild

Decision

Summary

Descriptions

CVSS Scores

SSVC

Timeline

CWE

CAPEC

Threat Intelligence Resources (0)

References (12)

Affected Vendors, Products, and Versions