[SRU Bionic/Focal/Impish/OEM-5.14/Jammy 0/1] CVE-2022-27666

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Thu Mar 24 11:14:50 UTC 2022

Notice that CVE-2022-0886 is a duplicate of CVE-2022-27666.

An unprivileged user can use ESP packets to write to out-of-bounds memory,
possibly leading to a privilege escalation.

I picked up the SKB_FRAG_PAGE_ORDER macro movement from upstream for 5.13 and
5.14. It was already present on 5.15. For 5.4 and 4.15, I added the macro myself,
as did upstream.

[Test case]
A syzkaller reproducer was tested and shown to be fixed, except for 4.15,
where the reproducer didn't work.

[Potential impact]
VHOST and ESP use may be broken by either of the two commits.

Steffen Klassert (1):
  esp: Fix possible buffer overflow in ESP transformation
Yunsheng Lin (1):
  sock: remove one redundant SKB_FRAG_PAGE_ORDER macro

 include/net/esp.h  | 2 ++
 include/net/sock.h | 1 +
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 4 files changed, 13 insertions(+)

