{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2022-49340","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2025-02-26T02:08:31.541Z","datePublished":"2025-02-26T02:10:57.322Z","dateUpdated":"2025-05-04T12:44:28.114Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:44:28.114Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nip_gre: test csum_start instead of transport header\n\nGRE with TUNNEL_CSUM will apply local checksum offload on\nCHECKSUM_PARTIAL packets.\n\nipgre_xmit must validate csum_start after an optional skb_pull,\nelse lco_csum may trigger an overflow. The original check was\n\n\tif (csum && skb_checksum_start(skb) < skb->data)\n\t\treturn -EINVAL;\n\nThis had false positives when skb_checksum_start is undefined:\nwhen ip_summed is not CHECKSUM_PARTIAL. A discussed refinement\nwas straightforward\n\n\tif (csum && skb->ip_summed == CHECKSUM_PARTIAL &&\n\t    skb_checksum_start(skb) < skb->data)\n\t\treturn -EINVAL;\n\nBut was eventually revised more thoroughly:\n- restrict the check to the only branch where needed, in an\n  uncommon GRE path that uses header_ops and calls skb_pull.\n- test skb_transport_header, which is set along with csum_start\n  in skb_partial_csum_set in the normal header_ops datapath.\n\nTurns out skbs can arrive in this branch without the transport\nheader set, e.g., through BPF redirection.\n\nRevise the check back to check csum_start directly, and only if\nCHECKSUM_PARTIAL. Do leave the check in the updated location.\nCheck field regardless of whether TUNNEL_CSUM is configured."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/ip_gre.c"],"versions":[{"version":"774430026bd9a472d08c5d3c33351a782315771a","lessThan":"7596bd7920985f7fc8579a92e48bc53ce4475b21","status":"affected","versionType":"git"},{"version":"3d32ce5472bb2ca720bef84089b85f76a705fd1a","lessThan":"3d08bc3a5d9b2106f5c8bcf1adb73147824aa006","status":"affected","versionType":"git"},{"version":"87b34cd6485192777f632f92d592f2a71d8801a6","lessThan":"fbeb8dfa8b87ef259eef0c89e39b53962a3cf604","status":"affected","versionType":"git"},{"version":"8a0ed250f911da31a2aef52101bc707846a800ff","lessThan":"e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58","status":"affected","versionType":"git"},{"version":"8a0ed250f911da31a2aef52101bc707846a800ff","lessThan":"0c92d813c7c9ca2212ecd879232e7d87362fce98","status":"affected","versionType":"git"},{"version":"8a0ed250f911da31a2aef52101bc707846a800ff","lessThan":"0ffa268724656633af5f37a38c212326d98ebe8c","status":"affected","versionType":"git"},{"version":"8a0ed250f911da31a2aef52101bc707846a800ff","lessThan":"8d21e9963bec1aad2280cdd034c8993033ef2948","status":"affected","versionType":"git"},{"version":"4bf5d5224ffca069df4501ba5fcc6ded9c002ead","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["net/ipv4/ip_gre.c"],"versions":[{"version":"5.15","status":"affected"},{"version":"0","lessThan":"5.15","status":"unaffected","versionType":"semver"},{"version":"4.19.247","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.198","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.122","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.47","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"5.17.15","lessThanOrEqual":"5.17.*","status":"unaffected","versionType":"semver"},{"version":"5.18.4","lessThanOrEqual":"5.18.*","status":"unaffected","versionType":"semver"},{"version":"5.19","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.19.207","versionEndExcluding":"4.19.247"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.4.148","versionEndExcluding":"5.4.198"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.68","versionEndExcluding":"5.10.122"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.15.47"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.17.15"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.18.4"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15","versionEndExcluding":"5.19"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.14.7"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21"},{"url":"https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006"},{"url":"https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604"},{"url":"https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58"},{"url":"https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98"},{"url":"https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c"},{"url":"https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948"}],"title":"ip_gre: test csum_start instead of transport header","x_generator":{"engine":"bippy-1.2.0"}}}}