Bug 2084479 (CVE-2022-2639) - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()
Keywords:
Status: NEW
Alias: CVE-2022-2639
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2096537 2137357 2141614 2141617 2141618 2141620 2141655 2141658 2141660 2141662 2141663 2141775 2141777 2141778 2141779 2141780 2141786 2141787 2141788 2141789 2020288 2082023 2082155 2114971 2114972 2114973 2114974 2131758 2141615 2141616 2141619 2141621 2141622 2141656 2141659 2141661 2141664 2141665 2141776
Blocks: 2084481
 
Reported: 2022-05-12 08:43 UTC by TEJ RATHI
Modified: 2022-12-02 19:25 UTC (History)

Fixed In Version: kernel 5.18
Doc Type: If docs needed, set a value
Doc Text:
An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:10:14 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:09:44 UTC
Red Hat Product Errata RHSA-2022:7933 0 None None None 2022-11-15 09:45:10 UTC
Red Hat Product Errata RHSA-2022:8267 0 None None None 2022-11-15 10:48:06 UTC
Red Hat Product Errata RHSA-2022:8765 0 None None None 2022-12-02 19:16:29 UTC
Red Hat Product Errata RHSA-2022:8767 0 None None None 2022-12-02 19:25:36 UTC
Red Hat Product Errata RHSA-2022:8768 0 None None None 2022-12-02 19:25:09 UTC

Description TEJ RATHI 2022-05-12 08:43:51 UTC
An OOB access flaw was discovered in reserve_sfa_size(). Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, if next_offset is greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE bytes increasing actions_len by req_size. This can then lead to an OOB write access, especially when further actions need to be copied.

Commit:
https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
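Added example (not part of the original report, and not the kernel's source): a user-space C model of the bounds check described above, showing why a signed difference compared against an unsigned req_size stops returning -EMSGSIZE once next_offset exceeds MAX_ACTIONS_BUFSIZE, next to a form that cannot wrap. The function names and the 32 KiB value used for the limit are assumptions made for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limit for this model; the page names the constant, not its value. */
#define MAX_ACTIONS_BUFSIZE (32 * 1024)

/* Flawed form: the int difference is negative once next_offset passes the
 * limit; converting it to size_t for the comparison (explicit here, implicit
 * under C's usual arithmetic conversions) wraps it to a huge value, so the
 * "not enough room" branch is never taken. */
static int check_flawed(int next_offset, size_t req_size)
{
    if ((size_t)(MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
        return -EMSGSIZE;
    return 0;
}

/* Hardened form: all operands unsigned, and the subtraction only happens
 * after next_offset is known to be within the limit, so it cannot wrap. */
static int check_hardened(size_t next_offset, size_t req_size)
{
    const size_t max = MAX_ACTIONS_BUFSIZE;

    if (next_offset > max || req_size > max - next_offset)
        return -EMSGSIZE;
    return 0;
}

/* Scan offsets around the limit; return the first one the flawed check
 * accepts while the hardened check rejects, or -1 if they always agree. */
static int first_divergence(size_t req_size)
{
    for (int off = 0; off <= 2 * MAX_ACTIONS_BUFSIZE; off++)
        if (check_flawed(off, req_size) == 0 &&
            check_hardened((size_t)off, req_size) != 0)
            return off;
    return -1;
}

int main(void)
{
    printf("first divergent next_offset for req_size=8: %d\n",
           first_divergence(8));
    return 0;
}
```

The two checks agree for every offset up to the limit and first disagree one byte past it, which is the condition the description calls out.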

Comment 19 errata-xmlrpc 2022-11-08 09:10:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

Comment 20 errata-xmlrpc 2022-11-08 10:09:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

Comment 39 errata-xmlrpc 2022-11-15 09:45:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933

Comment 40 errata-xmlrpc 2022-11-15 10:48:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267

Comment 44 clarkleblanc 2022-11-22 09:40:31 UTC
(In reply to errata-xmlrpc from comment #40)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 9
> 
> Via RHSA-2022:8267 https://lolbeans.online /errata/RHSA-2022:8267

The product has been resolved very well.

Comment 48 errata-xmlrpc 2022-12-02 19:16:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8765 https://access.redhat.com/errata/RHSA-2022:8765

Comment 49 errata-xmlrpc 2022-12-02 19:25:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8768 https://access.redhat.com/errata/RHSA-2022:8768

Comment 50 errata-xmlrpc 2022-12-02 19:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8767 https://access.redhat.com/errata/RHSA-2022:8767

