Cyber Posture

CVE-2022-49094

Severity: High
Published: 26 February 2025
Modified: 23 September 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
EPSS Score: 0.0001 (1.2 percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

In the Linux kernel, the following vulnerability has been resolved:

net/tls: fix slab-out-of-bounds bug in decrypt_internal

The memory size of tls_ctx->rx.iv for AES128-CCM is 12, set in tls_set_sw_offload(). The return value of crypto_aead_ivsize() for "ccm(aes)" is 16. So a memcpy() that requires 16 bytes from a 12-byte memory space will trigger a slab-out-of-bounds bug as follows:

  ==================================================================
  BUG: KASAN: slab-out-of-bounds in decrypt_internal+0x385/0xc40 [tls]
  Read of size 16 at addr ffff888114e84e60 by task tls/10911

  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report.cold+0x5e/0x5db
   ? decrypt_internal+0x385/0xc40 [tls]
   kasan_report+0xab/0x120
   ? decrypt_internal+0x385/0xc40 [tls]
   kasan_check_range+0xf9/0x1e0
   memcpy+0x20/0x60
   decrypt_internal+0x385/0xc40 [tls]
   ? tls_get_rec+0x2e0/0x2e0 [tls]
   ? process_rx_list+0x1a5/0x420 [tls]
   ? tls_setup_from_iter.constprop.0+0x2e0/0x2e0 [tls]
   decrypt_skb_update+0x9d/0x400 [tls]
   tls_sw_recvmsg+0x3c8/0xb50 [tls]

  Allocated by task 10911:
   kasan_save_stack+0x1e/0x40
   __kasan_kmalloc+0x81/0xa0
   tls_set_sw_offload+0x2eb/0xa20 [tls]
   tls_setsockopt+0x68c/0x700 [tls]
   __sys_setsockopt+0xfe/0x1b0

Replace the crypto_aead_ivsize() with prot->iv_size + prot->salt_size when memcpy()ing the iv value in the TLS_1_3_VERSION scenario.

Security Summary

CVE-2022-49094 is a slab-out-of-bounds read vulnerability in the Linux kernel's TLS implementation, specifically in the net/tls decrypt_internal function. The issue arises during TLS 1.3 software offload with AES128-CCM: tls_ctx->rx.iv is allocated 12 bytes in tls_set_sw_offload, but crypto_aead_ivsize for "ccm(aes)" returns 16 bytes. The memcpy therefore reads 16 bytes from a 12-byte buffer, triggering a KASAN-detected out-of-bounds access, as the kernel BUG report shows in the call trace through tls_sw_recvmsg, decrypt_skb_update and decrypt_internal.

A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation has high confidentiality impact (C:H), through potential information disclosure from the out-of-bounds read, and high availability impact (A:H), via kernel crashes or instability, with scope unchanged (S:U). The CVSS v3.1 base score is 7.1; the weakness is classified as CWE-125 (Out-of-Bounds Read).

Mitigation requires applying the upstream kernel patches from the stable commit references provided, such as 2304660ab6c425df64d95301b601424c6a50f28b and others. These commits replace crypto_aead_ivsize() with prot->iv_size + prot->salt_size as the length of the IV memcpy in the TLS 1.3 path, correcting the size mismatch and preventing the slab-out-of-bounds access. Security practitioners should update affected Linux kernels accordingly.

Details

CWE(s): CWE-125

Affected Products

linux / linux kernel:
- 5.18
- 5.2 to 5.4.189
- 5.5 to 5.10.111
- 5.11 to 5.15.34

References