PT-2025-8022 · Linux+1 · Linux Kernel+1

Ziyang Xuan · Published 2022-04-01 · Updated 2025-03-03 · CVE-2022-49094

CVSS v3.1: 7.1 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel (affected versions not specified)

Description

A slab-out-of-bounds bug has been identified in the Linux kernel, in the decrypt_internal() function of the net/tls module. It stems from a size mismatch for tls_ctx->rx.iv when AES128-CCM is used: tls_set_sw_offload() sets the size of that memory to 12, but crypto_aead_ivsize() returns 16 for "ccm(aes)". When decrypt_internal() uses the latter value as the copy length, memcpy() reads 16 bytes from a 12-byte memory space, which triggers the slab-out-of-bounds report. The faulting location is decrypt_internal+0x385/0xc40 in the tls module.

Recommendations

To resolve this issue, replace the crypto_aead_ivsize() call with prot->iv_size + prot->salt_size when copying the IV value in the TLS_1_3_VERSION scenario. This change should be applied to the decrypt_internal() function to prevent the slab-out-of-bounds bug. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
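
The size mismatch described above, as a userspace C model; this is an added example, not kernel code and not part of the advisory. struct prot_model, overread_bytes() and prepare_iv() are hypothetical names, and the 8 + 4 split of the 12-byte buffer, the CCM B0 offset and the AES128-GCM row (added for contrast) are assumptions based on the kernel's usual sizes for those ciphers.

```c
/* Userspace model of the IV copy in decrypt_internal(); not kernel code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct prot_model {            /* hypothetical stand-in for the prot fields */
    const char *alg;
    size_t iv_size, salt_size; /* rx.iv is allocated as iv_size + salt_size */
    size_t aead_ivsize;        /* value crypto_aead_ivsize() reports for alg */
    size_t iv_offset;          /* assumed: CCM keeps iv[0] for its B0 byte */
};

/* CCM sizes 12 and 16 are from the advisory; the GCM row is an assumption. */
static const struct prot_model CCM128 = { "ccm(aes)", 8, 4, 16, 1 };
static const struct prot_model GCM128 = { "gcm(aes)", 8, 4, 12, 0 };

/* Bytes the pre-fix copy length would read past the end of rx.iv. */
size_t overread_bytes(const struct prot_model *p)
{
    size_t alloc = p->iv_size + p->salt_size;
    return p->aead_ivsize > alloc ? p->aead_ivsize - alloc : 0;
}

/* Fixed copy: the length is derived from the allocation, and the write is
 * bounds-checked against the destination. Returns bytes copied, 0 if refused. */
size_t prepare_iv(const struct prot_model *p, const uint8_t *rx_iv,
                  uint8_t *iv, size_t iv_cap)
{
    size_t len = p->iv_size + p->salt_size;
    if (p->iv_offset + len > iv_cap)
        return 0;
    memcpy(iv + p->iv_offset, rx_iv, len);
    return len;
}

int main(void)
{
    const struct prot_model *all[] = { &CCM128, &GCM128 };
    for (size_t i = 0; i < 2; i++) {
        uint8_t rx_iv[12] = { 0 }, iv[16] = { 0 }; /* 12 = iv_size + salt_size */
        printf("%s: old length over-reads %zu, fixed copy moves %zu\n", all[i]->alg,
               overread_bytes(all[i]), prepare_iv(all[i], rx_iv, iv, sizeof iv));
    }
    return 0;
}
```

In this model only the CCM row has an AEAD IV size larger than the allocated buffer, which is why the over-read is tied to AES128-CCM.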

Exploit

Out of bounds Read

Unchecked Return Value

Weakness Enumeration

Related Identifiers

BDU:2026-03933
CVE-2022-49094

Affected Products

Astra Linux
Linux Kernel