Bug 2084479 (CVE-2022-2639) - CVE-2022-2639 kernel: openvswitch: integer underflow leads to out-of-bounds write in reserve_sfa_size()
Status: CLOSED ERRATA
Alias: CVE-2022-2639
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2020288 2082023 2082155 2096537 2114971 2114972 2114973 2114974 2131758 2137357 2141614 2141615 2141616 2141617 2141618 2141619 2141620 2141621 2141622 2141655 2141656 2141658 2141659 2141660 2141661 2141662 2141663 2141664 2141665 2141775 2141776 2141777 2141778 2141779 2141780 2141786 2141787 2141788 2141789
Blocks: 2084481
Reported: 2022-05-12 08:43 UTC by TEJ RATHI
Modified: 2024-03-22 08:17 UTC

Fixed In Version: kernel 5.18
Doc Text:
An integer coercion error was found in the openvswitch kernel module. Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, the reserve_sfa_size() function does not return -EMSGSIZE as expected, potentially leading to an out-of-bounds write access. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Last Closed: 2023-01-12 13:00:40 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:8922 0 None None None 2022-12-12 14:15:09 UTC
Red Hat Product Errata RHBA-2022:9021 0 None None None 2022-12-14 12:02:52 UTC
Red Hat Product Errata RHSA-2022:7444 0 None None None 2022-11-08 09:10:14 UTC
Red Hat Product Errata RHSA-2022:7683 0 None None None 2022-11-08 10:09:44 UTC
Red Hat Product Errata RHSA-2022:7933 0 None None None 2022-11-15 09:45:10 UTC
Red Hat Product Errata RHSA-2022:8267 0 None None None 2022-11-15 10:48:06 UTC
Red Hat Product Errata RHSA-2022:8765 0 None None None 2022-12-02 19:16:29 UTC
Red Hat Product Errata RHSA-2022:8767 0 None None None 2022-12-02 19:25:36 UTC
Red Hat Product Errata RHSA-2022:8768 0 None None None 2022-12-02 19:25:09 UTC
Red Hat Product Errata RHSA-2022:8809 0 None None None 2022-12-06 09:54:51 UTC
Red Hat Product Errata RHSA-2022:8831 0 None None None 2022-12-06 14:50:16 UTC
Red Hat Product Errata RHSA-2022:8940 0 None None None 2022-12-13 09:34:07 UTC
Red Hat Product Errata RHSA-2022:8941 0 None None None 2022-12-13 09:34:58 UTC
Red Hat Product Errata RHSA-2022:8973 0 None None None 2022-12-13 16:05:30 UTC
Red Hat Product Errata RHSA-2022:8974 0 None None None 2022-12-13 16:06:11 UTC
Red Hat Product Errata RHSA-2022:8989 0 None None None 2022-12-13 15:53:37 UTC
Red Hat Product Errata RHSA-2022:9082 0 None None None 2022-12-15 16:24:35 UTC
Red Hat Product Errata RHSA-2023:0058 0 None None None 2023-01-10 16:20:44 UTC
Red Hat Product Errata RHSA-2023:0059 0 None None None 2023-01-10 16:21:13 UTC

Description TEJ RATHI 2022-05-12 08:43:51 UTC
An OOB access flaw was discovered in reserve_sfa_size(). Given a sufficiently large number of actions, while copying and reserving memory for a new action of a new flow, if next_offset is greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE bytes increasing actions_len by req_size. This can then lead to an OOB write access, especially when further actions need to be copied.

Commit:
https://github.com/torvalds/linux/commit/cefa91b2332d7009bc0be5d951d6cbbf349f90f8
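
The limit check described above, as an added user-space model (not the kernel's code and not part of the original report): a subtraction-style check next to an addition-style one, run on constructed offsets around the limit. The function names and the 32 KiB value used for MAX_ACTIONS_BUFSIZE are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed limit for this model; the report names the constant, not its value. */
#define MAX_ACTIONS_BUFSIZE (32 * 1024)

/* Subtraction-style limit check (hypothetical model of the flawed form).
 * The int difference goes negative once next_offset passes the limit; C then
 * converts it to size_t for the comparison (cast written out here), giving a
 * huge value, so the -EMSGSIZE branch is skipped. */
static int check_subtract(int next_offset, size_t req_size)
{
    if ((size_t)(MAX_ACTIONS_BUFSIZE - next_offset) < req_size)
        return -EMSGSIZE;
    return 0;
}

/* Addition-style check: no term can go negative, so nothing wraps. */
static int check_add(int next_offset, size_t req_size)
{
    if ((size_t)next_offset + req_size > MAX_ACTIONS_BUFSIZE)
        return -EMSGSIZE;
    return 0;
}

/* Bytes that would land past a MAX_ACTIONS_BUFSIZE allocation if the
 * request were accepted and actions_len grew by req_size. */
static size_t bytes_past_limit(int next_offset, size_t req_size)
{
    size_t end = (size_t)next_offset + req_size;
    return end > MAX_ACTIONS_BUFSIZE ? end - MAX_ACTIONS_BUFSIZE : 0;
}

int main(void)
{
    /* Constructed inputs: below the limit, straddling it, and past it. */
    const int offsets[] = { MAX_ACTIONS_BUFSIZE - 64, MAX_ACTIONS_BUFSIZE - 8,
                            MAX_ACTIONS_BUFSIZE + 8 };
    const size_t req_size = 16;

    for (size_t i = 0; i < sizeof(offsets) / sizeof(offsets[0]); i++)
        printf("next_offset=%d subtract=%d add=%d past_limit=%zu\n",
               offsets[i], check_subtract(offsets[i], req_size),
               check_add(offsets[i], req_size),
               bytes_past_limit(offsets[i], req_size));
    return 0;
}
```

The two checks agree while next_offset is at or below the limit and diverge only once it exceeds it, which is the case the report describes.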

Comment 19 errata-xmlrpc 2022-11-08 09:10:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7444 https://access.redhat.com/errata/RHSA-2022:7444

Comment 20 errata-xmlrpc 2022-11-08 10:09:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7683 https://access.redhat.com/errata/RHSA-2022:7683

Comment 39 errata-xmlrpc 2022-11-15 09:45:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:7933 https://access.redhat.com/errata/RHSA-2022:7933

Comment 40 errata-xmlrpc 2022-11-15 10:48:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8267 https://access.redhat.com/errata/RHSA-2022:8267

Comment 48 errata-xmlrpc 2022-12-02 19:16:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8765 https://access.redhat.com/errata/RHSA-2022:8765

Comment 49 errata-xmlrpc 2022-12-02 19:25:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8768 https://access.redhat.com/errata/RHSA-2022:8768

Comment 50 errata-xmlrpc 2022-12-02 19:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:8767 https://access.redhat.com/errata/RHSA-2022:8767

Comment 51 errata-xmlrpc 2022-12-06 09:54:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2022:8809 https://access.redhat.com/errata/RHSA-2022:8809

Comment 52 errata-xmlrpc 2022-12-06 14:50:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2022:8831 https://access.redhat.com/errata/RHSA-2022:8831

Comment 54 errata-xmlrpc 2022-12-13 09:34:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8940 https://access.redhat.com/errata/RHSA-2022:8940

Comment 55 errata-xmlrpc 2022-12-13 09:34:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:8941 https://access.redhat.com/errata/RHSA-2022:8941

Comment 56 errata-xmlrpc 2022-12-13 15:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2022:8989 https://access.redhat.com/errata/RHSA-2022:8989

Comment 57 errata-xmlrpc 2022-12-13 16:05:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8973 https://access.redhat.com/errata/RHSA-2022:8973

Comment 58 errata-xmlrpc 2022-12-13 16:06:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:8974 https://access.redhat.com/errata/RHSA-2022:8974

Comment 59 errata-xmlrpc 2022-12-15 16:24:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2022:9082 https://access.redhat.com/errata/RHSA-2022:9082

Comment 61 errata-xmlrpc 2023-01-10 16:20:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0058 https://access.redhat.com/errata/RHSA-2023:0058

Comment 62 errata-xmlrpc 2023-01-10 16:21:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0059 https://access.redhat.com/errata/RHSA-2023:0059

Comment 63 Product Security DevOps Team 2023-01-12 13:00:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2639

Comment 68 Red Hat Bugzilla 2024-01-31 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days
