CVE-2022-49066

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49066
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49066.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49066
Related
Published
2025-02-26T07:00:43Z
Modified
2025-02-26T19:02:48.245465Z
Downstream
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

veth: Ensure eth header is in skb's linear part

After feeding a decapsulated packet to a veth device with actmirred, skbheadlen() may be 0. But vethxmit() calls _devforwardskb(), which expects at least ETHHLEN byte of linear data (as _devforwardskb2() calls ethtypetrans(), which pulls ETH_HLEN bytes unconditionally).

Use pskbmaypull() to ensure veth_xmit() respects this constraint.

kernel BUG at include/linux/skbuff.h:2328! RIP: 0010:ethtypetrans+0xcf/0x140 Call Trace: <IRQ> _devforwardskb2+0xe3/0x160 vethxmit+0x6e/0x250 [veth] devhardstartxmit+0xc7/0x200 _devqueuexmit+0x47f/0x520 ? skbensurewritable+0x85/0xa0 ? skbmplspop+0x98/0x1c0 tcfmirredact+0x442/0x47e [actmirred] tcfactionexec+0x86/0x140 flclassify+0x1d8/0x1e0 [clsflower] ? dmapteclearlevel+0x129/0x1a0 ? dmapteclearlevel+0x129/0x1a0 ? prbfillcurrblock+0x2f/0xc0 ? skbcopybits+0x11a/0x220 _tcfclassify+0x58/0x110 tcfclassifyingress+0x6b/0x140 _netifreceiveskbcore.constprop.0+0x47d/0xfd0 ? _iommudmaunmapswiotlb+0x44/0x90 _netifreceiveskbonecore+0x3d/0xa0 netifreceiveskb+0x116/0x170 beprocessrx+0x22f/0x330 [be2net] bepoll+0x13c/0x370 [be2net] _napipoll+0x2a/0x170 netrxaction+0x22f/0x2f0 _dosoftirq+0xca/0x2a8 _irqexitrcu+0xc1/0xe0 commoninterrupt+0x83/0xa0

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.113-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1
5.10.106-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.17.6-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}