[SRU Bionic/Focal/Impish/OEM-5.14/Jammy 0/1] CVE-2022-27666
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu Mar 24 11:14:50 UTC 2022

Notice that CVE-2022-0886 is a duplicate of CVE-2022-27666.

An unprivileged user can use ESP packets to write to out-of-bounds memory,
possibly leading to a privilege escalation.

I picked up the SKB_FRAG_PAGE_ORDER macro movement from upstream for 5.13 and
5.14. It was already present on 5.15. For 5.4 and 4.15, I added the macro myself,
as did upstream.

A syzkaller reproducer was tested and shown to be fixed, except for 4.15,
where the reproducer didn't work.

VHOST and ESP use may be broken by either of the two commits.

Steffen Klassert (1):
  esp: Fix possible buffer overflow in ESP transformation

Yunsheng Lin (1):
  sock: remove one redundant SKB_FRAG_PAGE_ORDER macro

 include/net/esp.h  | 2 ++
 include/net/sock.h | 1 +
 net/ipv4/esp4.c    | 5 +++++
 net/ipv6/esp6.c    | 5 +++++
 4 files changed, 13 insertions(+)