In the Linux kernel, the following vulnerability has been resolved:
vlan: enforce underlying device type
Currently, VLAN devices can be created on top of non-ethernet devices.
Besides the fact that it doesn't make much sense, this also causes a bug which leaks the address of a kernel function to usermode.
When creating a VLAN device, we initialize GARP (garp_init_applicant) and MRP (mrp_init_applicant) for the underlying device.
As part of the initialization process, we add the multicast address of each applicant to the underlying device, by calling dev_mc_add.
__dev_mc_add uses dev->addr_len to determine the length of the new multicast address.
This causes an out-of-bounds read if dev->addr_len is greater than 6, since the multicast addresses provided by GARP and MRP are only 6 bytes long.
This behaviour can be reproduced using the following commands:
ip tunnel add gretest mode ip6gre local ::1 remote ::2 dev lo
ip l set up dev gretest
ip link add link gretest name vlantest type vlan id 100
Then, the following command will display the address of garp_pdu_rcv:
ip maddr show | grep 01:80:c2:00:00:21
Fix the bug by enforcing the type of the underlying device during VLAN device initialization.
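The length mismatch and the type check described above, as a user-space model added to this entry (not kernel code and not the upstream patch). The struct names, the layout placing a callback pointer right after the 6-byte address, and the 16-byte address length of the sample ip6gre device are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define ETH_ALEN      6     /* length of the GARP/MRP multicast addresses */
#define ARPHRD_ETHER  1     /* hardware types as in <linux/if_arp.h> */
#define ARPHRD_IP6GRE 823

/* Hypothetical stand-in for struct net_device: only the fields involved. */
struct model_dev {
    const char *name;
    unsigned short type;
    unsigned char addr_len;
};

/* Assumed layout: a 6-byte group address directly followed by a callback. */
struct model_proto {
    unsigned char group_address[ETH_ALEN];
    void (*rcv)(void);
};

/* Bytes read beyond the 6-byte source when addr_len bytes are copied. */
size_t mc_overread(const struct model_dev *dev)
{
    return dev->addr_len > ETH_ALEN ? (size_t)dev->addr_len - ETH_ALEN : 0;
}

/* 1 if an addr_len-byte read from group_address covers the whole pointer. */
int read_covers_rcv(const struct model_dev *dev)
{
    return dev->addr_len >= offsetof(struct model_proto, rcv) + sizeof(void (*)(void));
}

/* The enforcement the fix describes: refuse non-Ethernet underlying devices. */
int vlan_check_type(const struct model_dev *dev)
{
    return dev->type == ARPHRD_ETHER ? 0 : -EOPNOTSUPP;
}

int main(void)
{
    /* Constructed sample devices; 16 is the assumed ip6gre address length. */
    struct model_dev devs[] = { {"eth0", ARPHRD_ETHER, 6}, {"gretest", ARPHRD_IP6GRE, 16} };
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++)
        printf("%-8s overread=%zu covers_rcv=%d check=%d\n", devs[i].name,
               mc_overread(&devs[i]), read_covers_rcv(&devs[i]),
               vlan_check_type(&devs[i]));
    return 0;
}
```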
Software | From | Fixed in |
---|---|---|
linux / linux_kernel | 6.14-rc1 | 6.14-rc1.x |
linux / linux_kernel | 6.14-rc2 | 6.14-rc2.x |
linux / linux_kernel | 6.14-rc3 | 6.14-rc3.x |
linux / linux_kernel | 5.11 | 5.15.179 |
linux / linux_kernel | 5.5 | 5.10.235 |
linux / linux_kernel | 5.16 | 6.1.131 |
linux / linux_kernel | 2.6.35 | 5.4.291 |
linux / linux_kernel | 6.2 | 6.6.83 |
linux / linux_kernel | 6.7 | 6.12.19 |
linux / linux_kernel | 6.13 | 6.13.7 |
linux / linux_kernel | 6.14-rc4 | 6.14-rc4.x |
linux / linux_kernel | 6.14-rc5 | 6.14-rc5.x |