{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49094","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T01:49:39.249Z","datePublished":"2025-02-26T01:54:48.163Z","dateUpdated":"2025-05-04T08:29:45.881Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:29:45.881Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet/tls: fix slab-out-of-bounds bug in decrypt_internal\n\nThe memory size of tls_ctx->rx.iv for AES128-CCM is 12 setting in\ntls_set_sw_offload(). The return value of crypto_aead_ivsize()\nfor \"ccm(aes)\" is 16. So memcpy() require 16 bytes from 12 bytes\nmemory space will trigger slab-out-of-bounds bug as following:\n\n==================================================================\nBUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]\nRead of size 16 at addr ffff888114e84e60 by task tls/10911\n\nCall Trace:\n <TASK>\n dump_stack_lvl+0x34/0x44\n print_report.cold+0x5e/0x5db\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_report+0xab/0x120\n ? decrypt_internal+0x385/0xc40 [tls]\n kasan_check_range+0xf9/0x1e0\n memcpy+0x20/0x60\n decrypt_internal+0x385/0xc40 [tls]\n ? tls_get_rec+0x2e0/0x2e0 [tls]\n ? process_rx_list+0x1a5/0x420 [tls]\n ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]\n decrypt_skb_update+0x9d/0x400 [tls]\n tls_sw_recvmsg+0x3c8/0xb50 [tls]\n\nAllocated by task 10911:\n kasan_save_stack+0x1e/0x40\n __kasan_kmalloc+0x81/0xa0\n tls_set_sw_offload+0x2eb/0xa20 [tls]\n tls_setsockopt+0x68c/0x700 [tls]\n __sys_setsockopt+0xfe/0x1b0\n\nReplace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size\nwhen memcpy() iv value in TLS_1_3_VERSION scenario."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"2b7d14c105dd8f6412eda5a91e1e6154653731e3","status":"affected","versionType":"git"},{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"589154d0f18945f41d138a5b4e49e518d294474b","status":"affected","versionType":"git"},{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"6e2f1b033b17dedda51d465861b69e58317d6343","status":"affected","versionType":"git"},{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"29be1816cbab9a0dc6243120939fd10a92753756","status":"affected","versionType":"git"},{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"2304660ab6c425df64d95301b601424c6a50f28b","status":"affected","versionType":"git"},{"version":"f295b3ae9f5927e084bd5decdff82390e3471801","lessThan":"9381fe8c849cfbe50245ac01fc077554f6eaa0e2","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/tls/tls_sw.c"],"versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","status":"unaffected","versionType":"semver"},{"version":"5.4.189","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.111","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.34","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.16.20","lessThanOrEqual":"5.16.*","status":"unaffected","versionType":"semver"},{"version":"5.17.3","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.4.189"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.10.111"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.15.34"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.16.20"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.17.3"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"5.18"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2b7d14c105dd8f6412eda5a91e1e6154653731e3"},{"url":"https://git.kernel.org/stable/c/589154d0f18945f41d138a5b4e49e518d294474b"},{"url":"https://git.kernel.org/stable/c/6e2f1b033b17dedda51d465861b69e58317d6343"},{"url":"https://git.kernel.org/stable/c/29be1816cbab9a0dc6243120939fd10a92753756"},{"url":"https://git.kernel.org/stable/c/2304660ab6c425df64d95301b601424c6a50f28b"},{"url":"https://git.kernel.org/stable/c/9381fe8c849cfbe50245ac01fc077554f6eaa0e2"}],"title":"net/tls: fix slab-out-of-bounds bug in decrypt_internal","x_generator":{"engine":"bippy-1.2.0"}}}}