{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: af_alg - get rid of alg_memory_allocated\n\nalg_memory_allocated does not seem to be really used.\n\nalg_proto does have a .memory_allocated field, but no\ncorresponding .sysctl_mem.\n\nThis means sk_has_account() returns true, but all sk_prot_mem_limits()\nusers will trigger a NULL dereference [1].\n\nTHis was not a problem until SO_RESERVE_MEM addition.\n\ngeneral protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN\nKASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]\nCPU: 1 PID: 3591 Comm: syz-executor153 Not tainted 5.17.0-rc3-syzkaller-00316-gb81b1829e7e3 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \n sock_setsockopt+0x14a9/0x3a30 net/core/sock.c:1446\n __sys_setsockopt+0x5af/0x980 net/socket.c:2176\n __do_sys_setsockopt net/socket.c:2191 [inline]\n __se_sys_setsockopt net/socket.c:2188 [inline]\n __x64_sys_setsockopt+0xb1/0xc0 net/socket.c:2188\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\nRIP: 0033:0x7fc7440fddc9\nCode: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007ffe98f07968 EFLAGS: 00000246 ORIG_RAX: 0000000000000036\nRAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fc7440fddc9\nRDX: 0000000000000049 RSI: 0000000000000001 RDI: 0000000000000004\nRBP: 0000000000000000 R08: 0000000000000004 R09: 00007ffe98f07990\nR10: 0000000020000000 R11: 0000000000000246 R12: 00007ffe98f0798c\nR13: 00007ffe98f079a0 R14: 00007ffe98f079e0 R15: 0000000000000000\n \nModules linked in:\n---[ end trace 0000000000000000 ]---\nRIP: 0010:sk_prot_mem_limits include/net/sock.h:1523 [inline]\nRIP: 0010:sock_reserve_memory+0x1d7/0x330 net/core/sock.c:1000\nCode: 08 00 74 08 48 89 ef e8 27 20 bb f9 4c 03 7c 24 10 48 8b 6d 00 48 83 c5 08 48 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 48 89 ef e8 fb 1f bb f9 48 8b 6d 00 4c 89 ff 48\nRSP: 0018:ffffc90001f1fb68 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffff88814aabc000 RCX: dffffc0000000000\nRDX: 0000000000000001 RSI: 0000000000000008 RDI: ffffffff90e18120\nRBP: 0000000000000008 R08: dffffc0000000000 R09: fffffbfff21c3025\nR10: fffffbfff21c3025 R11: 0000000000000000 R12: ffffffff8d109840\nR13: 0000000000001002 R14: 0000000000000001 R15: 0000000000000001\nFS: 0000555556e08300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000\nCS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007fc74416f130 CR3: 0000000073d9e000 CR4: 00000000003506e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000" } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "crypto/af_alg.c" ], "versions": [ { "version": "2bb2f5fb21b0", "lessThan": "9d06f489b9e9", "status": "affected", "versionType": "git" }, { "version": "2bb2f5fb21b0", "lessThan": "25206111512d", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "crypto/af_alg.c" ], "versions": [ { "version": "5.16", "status": "affected" }, { "version": "0", "lessThan": "5.16", "status": "unaffected", "versionType": "custom" }, { "version": "5.16.11", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/9d06f489b9e901580159e21fdc29f73df7ed08dc" }, { "url": "https://git.kernel.org/stable/c/25206111512de994dfc914f5b2972a22aa904ef3" } ], "title": "crypto: af_alg - get rid of alg_memory_allocated", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2022-48781", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }