{ "threat_severity" : "Moderate", "public_date" : "2024-08-22T00:00:00Z", "bugzilla" : { "description" : "kernel: mptcp: Correctly set DATA_FIN timeout when number of retransmits is large", "id" : "2307159", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2307159" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status" : "draft" }, "cwe" : "CWE-119", "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nmptcp: Correctly set DATA_FIN timeout when number of retransmits is large\nSyzkaller with UBSAN uncovered a scenario where a large number of\nDATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN\ntimeout calculation:\n================================================================================\nUBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29\nshift exponent 32 is too large for 32-bit type 'unsigned int'\nCPU: 1 PID: 13059 Comm: kworker/1:0 Not tainted 5.17.0-rc2-00630-g5fbf21c90c60 #1\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014\nWorkqueue: events mptcp_worker\nCall Trace:\n\n__dump_stack lib/dump_stack.c:88 [inline]\ndump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106\nubsan_epilogue+0xb/0x5a lib/ubsan.c:151\n__ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e lib/ubsan.c:330\nmptcp_set_datafin_timeout net/mptcp/protocol.c:470 [inline]\n__mptcp_retrans.cold+0x72/0x77 net/mptcp/protocol.c:2445\nmptcp_worker+0x58a/0xa70 net/mptcp/protocol.c:2528\nprocess_one_work+0x9df/0x16d0 kernel/workqueue.c:2307\nworker_thread+0x95/0xe10 kernel/workqueue.c:2454\nkthread+0x2f4/0x3b0 kernel/kthread.c:377\nret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:295\n\n================================================================================\nThis change limits the maximum timeout by limiting the size of the\nshift, which keeps all intermediate values in-bounds." ], "statement" : "Following issue marked as moderate with \"not affected\" for Red Hat Enterprise Linux, as it is not vulnerable to this CVE. This is because the CVE does not impact the versions or configurations of the Linux kernel used in Red Hat's distributions. Additionally, some RHEL versions may be marked as \"will not fix\" due to the minimal impact of the issue, and no fix will be provided.", "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Not affected", "package_name" : "kernel-rt", "cpe" : "cpe:/o:redhat:enterprise_linux:9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-48906\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-48906\nhttps://lore.kernel.org/linux-cve-announce/2024082213-CVE-2022-48906-76db@gregkh/T" ], "name" : "CVE-2022-48906", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }