af_netlink: Fix shift out of bounds in group mask calculation
Description
In the Linux kernel, the following vulnerability has been resolved:
af_netlink: Fix shift out of bounds in group mask calculation
When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts.
Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups.
To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/
The way to trigger this issue is e.g. through monitoring the BRVLAN group:
# bridge monitor vlan & # ip link add name br type bridge
Which produces the following citation:
UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int'
Affected products
10- osv-coords8 versionspkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5pkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-default&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-source&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSSpkg:rpm/suse/kernel-syms&distro=SUSE%20Linux%20Enterprise%20Server%20LTSS%20Extended%20Security%2012%20SP5pkg:rpm/suse/kgraft-patch-SLE12-SP5_Update_68&distro=SUSE%20Linux%20Enterprise%20Live%20Patching%2012%20SP5
< 4.12.14-122.258.1+ 7 more
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 4.12.14-122.258.1
- (no CPE)range: < 1-8.3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- git.kernel.org/stable/c/0caf6d9922192dd1afa8dc2131abfb4df1443b9fmitre
- git.kernel.org/stable/c/41249fff507387c3323b198d0052faed08b14de4mitre
- git.kernel.org/stable/c/7409ff6393a67ff9838d0ae1bd102fb5f020d07amitre
- git.kernel.org/stable/c/ac5883a8890a11c00b32a19949a25d4afeaa2f5amitre
- git.kernel.org/stable/c/b0898362188e05b2202656058cc32d98fabf3bacmitre
- git.kernel.org/stable/c/e1c5d46f05aa23d740daae5cd3a6472145afac42mitre
- git.kernel.org/stable/c/e23e1e981247feb3c7d0236fe58aceb685f234aemitre
- git.kernel.org/stable/c/e8aaf3134bc5e943048eefe9f2ddaabf41d92b1amitre
- git.kernel.org/stable/c/f75f4abeec4c04b600a15b50c89a481f1e7435eemitre
News mentions
0No linked articles in our index yet.