CVE-2022-48936

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2022-48936
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CVSS

No CVSS.

References

No reference.

Configurations

No configuration.

History

31 Aug 2024, 06:15

Type Values Removed Values Added
References
  • {'url': 'https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
  • {'url': 'https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73', 'tags': ['Patch'], 'source': '416baaa9-dc9f-4396-8d5f-8c081fb06d67'}
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gso: no omita el encabezado de IP externo en caso de ipip y net_failover. Nos encontramos con un problema de caída de TCP en nuestro entorno de nube. El paquete GROed en el host se reenvía a una NIC virtio_net de VM con net_failover habilitado. VM actúa como IPVS LB con encapsulación ipip. La ruta completa como: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx Cuando net_failover transmite un paquete ipip (gso_type = 0x0103, que significa SKB_GSO_TCPV4, SKB_GSO_DODGY y SKB_GSO_IPXIP 4 ), no existe gso porque admite TSO y GSO_IPXIP4. Pero network_header apunta al encabezado IP interno. Seguimiento de llamadas: tcp4_gso_segment ------> return NULL inet_gso_segment ------> iph interno, network_header apunta a ipip_gso_segment inet_gso_segment ------> iph externo skb_mac_gso_segment Luego, virtio_net transmite el paquete, solo se muestra el encabezado de IP interno modificado. Y el exterior simplemente se mantiene sin cambios. El paquete se colocará en el host remoto. Seguimiento de llamadas: inet_gso_segment ------> iph interno, se omite el iph externo skb_mac_gso_segment __skb_gso_segment validar_xmit_skb validar_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit --- ---> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit -- ----> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receiveceived_buf virtnet_poll net_rx_action La causa raíz de este problema es específica de la rara combinación de SKB_GSO_DODGY y un dispositivo de túnel que agrega una opción de túnel SKB_GSO_. SKB_GSO_DODGY se configura desde virtio_net externo. Necesitamos restablecer el encabezado de la red cuando callbacks.gso_segment() devuelve NULL. Este parche también incluye ipv6_gso_segment(), considerando SIT, etc.
Summary (en) In the Linux kernel, the following vulnerability has been resolved: gso: do not skip outer ip header in case of ipip and net_failover We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as a IPVS LB with ipip encapsulation. The full path like: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx When net_failover transmits a ipip pkt (gso_type = 0x0103, which means SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso did because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header. Call Trace: tcp4_gso_segment ------> return NULL inet_gso_segment ------> inner iph, network_header points to ipip_gso_segment inet_gso_segment ------> outer iph skb_mac_gso_segment Afterwards virtio_net transmits the pkt, only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host. Call Trace: inet_gso_segment ------> inner iph, outer iph is skipped skb_mac_gso_segment __skb_gso_segment validate_xmit_skb validate_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit ------> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit ------> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receive receive_buf virtnet_poll net_rx_action The root cause of this issue is specific with the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL. This patch also includes ipv6_gso_segment(), considering SIT, etc. (en) Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : 5.5 		v2 : unknown
v3 : unknown

22 Aug 2024, 19:03

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea - () https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea - Patch
References () https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e - () https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e - Patch
References () https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7 - () https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7 - Patch
References () https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395 - () https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395 - Patch
References () https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499 - () https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499 - Patch
References () https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 - () https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 - Patch
References () https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39 - () https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39 - Patch
References () https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73 - () https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73 - Patch
First Time Linux linux Kernel
Linux
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.5

22 Aug 2024, 12:48

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: gso: no omita el encabezado de IP externo en caso de ipip y net_failover. Nos encontramos con un problema de caída de TCP en nuestro entorno de nube. El paquete GROed en el host se reenvía a una NIC virtio_net de VM con net_failover habilitado. VM actúa como IPVS LB con encapsulación ipip. La ruta completa como: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx Cuando net_failover transmite un paquete ipip (gso_type = 0x0103, que significa SKB_GSO_TCPV4, SKB_GSO_DODGY y SKB_GSO_IPXIP 4 ), no existe gso porque admite TSO y GSO_IPXIP4. Pero network_header apunta al encabezado IP interno. Seguimiento de llamadas: tcp4_gso_segment ------> return NULL inet_gso_segment ------> iph interno, network_header apunta a ipip_gso_segment inet_gso_segment ------> iph externo skb_mac_gso_segment Luego, virtio_net transmite el paquete, solo se muestra el encabezado de IP interno modificado. Y el exterior simplemente se mantiene sin cambios. El paquete se colocará en el host remoto. Seguimiento de llamadas: inet_gso_segment ------> iph interno, se omite el iph externo skb_mac_gso_segment __skb_gso_segment validar_xmit_skb validar_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit --- ---> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit -- ----> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receiveceived_buf virtnet_poll net_rx_action La causa raíz de este problema es específica de la rara combinación de SKB_GSO_DODGY y un dispositivo de túnel que agrega una opción de túnel SKB_GSO_. SKB_GSO_DODGY se configura desde virtio_net externo. Necesitamos restablecer el encabezado de la red cuando callbacks.gso_segment() devuelve NULL. Este parche también incluye ipv6_gso_segment(), considerando SIT, etc.

22 Aug 2024, 04:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-08-22 04:15

Updated : 2024-08-31 06:15

NVD link : CVE-2022-48936

Mitre link : CVE-2022-48936

CVE.ORG link : CVE-2022-48936

JSON object : View

Products Affected

No product.

CWE

No CWE.