PT-2025-26157 · Linux+2 · Linux Kernel+2

Published 2025-06-18 · Updated 2025-07-28 · CVE-2022-50231

CVSS v3.1: 7.1 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 5.10.0.aarch64

Description

An out-of-bounds read was reported in the Linux kernel, specifically in the neon_poly1305_blocks() function. The issue can be reproduced with specially crafted code compiled as a kernel module on a system with KASAN enabled. The root cause lies in the logic of neon_poly1305_blocks(), which incorrectly initializes the variables s[] and r[] when called with uninitialized values. The error occurs when the function attempts to read 32 bytes from the input, using the first 16 bytes as the key and the next 16 bytes for s[], resulting in an out-of-bounds read. The patch fixes the issue by calling poly1305_init_arm64() instead of the incorrect function.

Recommendations

To resolve the issue, update the Linux kernel to a version that includes the fix for this vulnerability. Specifically, update to a version later than 5.10.0.aarch64. As a temporary workaround, consider disabling the neon_poly1305_blocks() function until a patch is available. However, this may have performance implications and should be carefully evaluated before implementation.
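The read pattern named in the description, as an added userspace model that is not the kernel's code: the flawed routine loads both r[] and s[] (32 bytes) after checking for only one 16-byte block, while the corrected one guards each half separately. The struct layout, function names and the `touched` counter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCK 16 /* Poly1305 block size in bytes */

/* Simplified stand-in for the hash descriptor state (hypothetical layout). */
struct model_ctx {
    uint8_t r[BLOCK];   /* first key half */
    uint8_t s[BLOCK];   /* second key half */
    int rset, sset;
    size_t touched;     /* highest input offset read so far (demo only) */
};

/* Copies n bytes from src+off and records how far into src we reached. */
static void read_in(struct model_ctx *c, uint8_t *dst, const uint8_t *src,
                    size_t off, size_t n)
{
    memcpy(dst, src + off, n);
    if (off + n > c->touched)
        c->touched = off + n;
}

/* Flawed pattern: one block is checked, but r[] and s[] are both loaded. */
size_t key_setup_flawed(struct model_ctx *c, const uint8_t *src, size_t len)
{
    if (!c->rset && len >= BLOCK) {
        read_in(c, c->r, src, 0, BLOCK);
        read_in(c, c->s, src, BLOCK, BLOCK); /* not covered by the check */
        c->rset = c->sset = 1;
    }
    return c->touched;
}

/* Corrected pattern: each 16-byte half has its own length check. */
size_t key_setup_fixed(struct model_ctx *c, const uint8_t *src, size_t len)
{
    size_t off = 0;
    if (!c->rset && len >= BLOCK) {
        read_in(c, c->r, src, off, BLOCK);
        off += BLOCK; len -= BLOCK; c->rset = 1;
    }
    if (c->rset && !c->sset && len >= BLOCK) {
        read_in(c, c->s, src, off, BLOCK);
        c->sset = 1;
    }
    return c->touched;
}
```

When exercising the model, back the input with at least 32 bytes while declaring a length of 16, so the flawed path's extra read stays inside the allocation and only the returned offset shows the overrun.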

Exploit

Fix

Out of bounds Read


Weakness Enumeration

Related Identifiers

BDU:2026-05853
CVE-2022-50231
SUSE-SU-2025:02264-1
SUSE-SU-2025:02308-1
SUSE-SU-2025:02320-1
SUSE-SU-2025:02321-1
SUSE-SU-2025:02322-1
SUSE-SU-2025:02537-1
SUSE-SU-2025:2264-1
SUSE-SU-2025_02264-1
SUSE-SU-2025_02308-1
SUSE-SU-2025_02537-1

Affected Products

Astra Linux
Linux Kernel
Suse