{"id":"CVE-2022-48651","summary":"ipvlan: Fix out-of-bound bugs caused by unset skb-\u003emac_header","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nipvlan: Fix out-of-bound bugs caused by unset skb-\u003emac_header\n\nIf an AF_PACKET socket is used to send packets through ipvlan and the\ndefault xmit function of the AF_PACKET socket is changed from\ndev_queue_xmit() to packet_direct_xmit() via setsockopt() with the option\nname of PACKET_QDISC_BYPASS, the skb-\u003emac_header may not be reset and\nremains as the initial value of 65535, this may trigger slab-out-of-bounds\nbugs as following:\n\n=================================================================\nBUG: KASAN: slab-out-of-bounds in ipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nCPU: 2 PID: 1768 Comm: raw_send Kdump: loaded Not tainted 6.0.0-rc4+ #6\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33\nCall Trace:\nprint_address_description.constprop.0+0x1d/0x160\nprint_report.cold+0x4f/0x112\nkasan_report+0xa3/0x130\nipvlan_xmit_mode_l2+0xdb/0x330 [ipvlan]\nipvlan_start_xmit+0x29/0xa0 [ipvlan]\n__dev_direct_xmit+0x2e2/0x380\npacket_direct_xmit+0x22/0x60\npacket_snd+0x7c9/0xc40\nsock_sendmsg+0x9a/0xa0\n__sys_sendto+0x18a/0x230\n__x64_sys_sendto+0x74/0x90\ndo_syscall_64+0x3b/0x90\nentry_SYSCALL_64_after_hwframe+0x63/0xcd\n\nThe root cause is:\n  1. packet_snd() only reset skb-\u003emac_header when sock-\u003etype is SOCK_RAW\n     and skb-\u003eprotocol is not specified as in packet_parse_headers()\n\n  2. packet_direct_xmit() doesn't reset skb-\u003emac_header as dev_queue_xmit()\n\nIn this case, skb-\u003emac_header is 65535 when ipvlan_xmit_mode_l2() is\ncalled. 
So when ipvlan_xmit_mode_l2() gets mac header with eth_hdr() which\nuse \"skb-\u003ehead + skb-\u003emac_header\", out-of-bound access occurs.\n\nThis patch replaces eth_hdr() with skb_eth_hdr() in ipvlan_xmit_mode_l2()\nand reset mac header in multicast to solve this out-of-bound bug.","modified":"2026-04-02T08:26:47.564180Z","published":"2024-04-28T13:00:42.929Z","related":["SUSE-SU-2024:1641-1","SUSE-SU-2024:1642-1","SUSE-SU-2024:1643-1","SUSE-SU-2024:1644-1","SUSE-SU-2024:1645-1","SUSE-SU-2024:1646-1","SUSE-SU-2024:1647-1","SUSE-SU-2024:1650-1","SUSE-SU-2024:1659-1","SUSE-SU-2024:1663-1","SUSE-SU-2024:1677-1","SUSE-SU-2024:1679-1","SUSE-SU-2024:1680-1","SUSE-SU-2024:1682-1","SUSE-SU-2024:1683-1","SUSE-SU-2024:1685-1","SUSE-SU-2024:1686-1","SUSE-SU-2024:1692-1","SUSE-SU-2024:1694-1","SUSE-SU-2024:1695-1","SUSE-SU-2024:1696-1","SUSE-SU-2024:1705-1","SUSE-SU-2024:1706-1","SUSE-SU-2024:1707-1","SUSE-SU-2024:1708-1","SUSE-SU-2024:1709-1","SUSE-SU-2024:1711-1","SUSE-SU-2024:1712-1","SUSE-SU-2024:1713-1","SUSE-SU-2024:1719-1","SUSE-SU-2024:1720-1","SUSE-SU-2024:1723-1","SUSE-SU-2024:1726-1","SUSE-SU-2024:1729-1","SUSE-SU-2024:1730-1","SUSE-SU-2024:1731-1","SUSE-SU-2024:1732-1","SUSE-SU-2024:1735-1","SUSE-SU-2024:1736-1","SUSE-SU-2024:1738-1","SUSE-SU-2024:1739-1","SUSE-SU-2024:1740-1","SUSE-SU-2024:1742-1","SUSE-SU-2024:1746-1","SUSE-SU-2024:1748-1","SUSE-SU-2024:1749-1","SUSE-SU-2024:1750-1","SUSE-SU-2024:1751-1","SUSE-SU-2024:1753-1","SUSE-SU-2024:1757-1","SUSE-SU-2024:1759-1","SUSE-SU-2024:1760-1","SUSE-SU-2024:1870-1","SUSE-SU-2024:2092-1","SUSE-SU-2024:2100-1","SUSE-SU-2024:2101-1","SUSE-SU-2024:2120-1","SUSE-SU-2024:2121-1","SUSE-SU-2024:2130-1","SUSE-SU-2024:2139-1","SUSE-SU-2024:2148-1","SUSE-SU-2024:2162-1","SUSE-SU-2024:2163-1","SUSE-SU-2024:2191-1","SUSE-SU-2024:2207-1","SUSE-SU-2024:2208-1","SUSE-SU-2024:2209-1","SUSE-SU-2024:2335-1","SUSE-SU-2024:2337-1","SUSE-SU-2024:2343-1","SUSE-SU-2024:2344-1","SUSE-SU-2024:2357-1","SUSE-SU-2024:2373-1","SUSE-SU-2024:2
382-1","SUSE-SU-2024:2446-1","SUSE-SU-2024:2447-1","SUSE-SU-2024:2448-1","SUSE-SU-2024:2472-1","SUSE-SU-2024:2473-1","SUSE-SU-2024:2558-1","SUSE-SU-2024:2722-1","SUSE-SU-2024:2725-1","SUSE-SU-2024:2740-1","SUSE-SU-2024:2751-1","SUSE-SU-2024:2755-1","SUSE-SU-2024:2758-1","SUSE-SU-2024:2773-1","SUSE-SU-2024:2821-1","SUSE-SU-2024:2824-1","SUSE-SU-2024:2825-1","SUSE-SU-2024:2840-1","SUSE-SU-2024:2843-1","SUSE-SU-2024:2850-1","SUSE-SU-2024:2851-1","SUSE-SU-2024:3034-1","SUSE-SU-2024:3037-1","SUSE-SU-2024:3043-1","SUSE-SU-2024:3044-1","SUSE-SU-2024:3048-1","SUSE-SU-2024:3318-1","SUSE-SU-2024:3336-1","SUSE-SU-2024:3347-1","SUSE-SU-2024:3348-1","SUSE-SU-2024:3368-1","SUSE-SU-2024:3375-1","SUSE-SU-2024:3379-1","SUSE-SU-2024:3399-1","SUSE-SU-2024:3623-1","SUSE-SU-2024:3631-1","SUSE-SU-2024:3639-1","SUSE-SU-2024:3642-1","SUSE-SU-2024:3649-1","SUSE-SU-2024:3651-1","SUSE-SU-2024:3652-1","SUSE-SU-2024:3662-1","SUSE-SU-2024:3679-1","SUSE-SU-2024:3694-1","SUSE-SU-2024:3695-1","SUSE-SU-2024:3696-1","SUSE-SU-2024:3697-1","SUSE-SU-2024:3793-1","SUSE-SU-2024:3796-1","SUSE-SU-2024:3798-1","SUSE-SU-2024:3803-1","SUSE-SU-2024:3814-1","SUSE-SU-2024:3815-1","SUSE-SU-2024:3820-1","SUSE-SU-2024:3829-1","SUSE-SU-2024:3830-1","SUSE-SU-2024:3837-1","SUSE-SU-2024:3842-1","SUSE-SU-2024:3851-1","SUSE-SU-2024:3852-1","SUSE-SU-2024:3855-1","SUSE-SU-2024:4122-1","SUSE-SU-2024:4123-1","SUSE-SU-2024:4124-1","SUSE-SU-2024:4214-1","SUSE-SU-2024:4216-1","SUSE-SU-2024:4218-1","SUSE-SU-2024:4226-1","SUSE-SU-2024:4234-1","SUSE-SU-2024:4235-1","SUSE-SU-2024:4242-1","SUSE-SU-2024:4256-1","SUSE-SU-2024:4263-1","SUSE-SU-2024:4264-1","SUSE-SU-2024:4266-1","SUSE-SU-2025:0101-1","SUSE-SU-2025:0103-1","SUSE-SU-2025:0106-1","SUSE-SU-2025:0107-1","SUSE-SU-2025:0109-1","SUSE-SU-2025:0114-1","SUSE-SU-2025:0115-1","SUSE-SU-2025:0150-1","SUSE-SU-2025:0158-1","SUSE-SU-2025:0240-1","SUSE-SU-2025:0244-1","SUSE-SU-2025:0248-1","SUSE-SU-2025:0251-1","SUSE-SU-2025:0252-1","SUSE-SU-2025:0253-1","SUSE-SU-2025:0261-1","SUSE-SU-2025
:0266-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48651.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/25efdbe5fe542c3063d1948cc4e98abcb57621ca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/346e94aa4a99378592c46d6a34c72703a32bd5be"},{"type":"WEB","url":"https://git.kernel.org/stable/c/81225b2ea161af48e093f58e8dfee6d705b16af4"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d06006c7eb75587d986da46c48ba9274f94e8e7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ab4a733874ead120691e8038272d22f8444d3638"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b583e6b25bf9321c91154f6c78d2173ef12c4241"},{"type":"WEB","url":"https://git.kernel.org/stable/c/bffcdade259c05ab3436b5fab711612093c275ef"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e2b46cd5796f083e452fbc624f65b80328b0c1a4"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/48xxx/CVE-2022-48651.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-48651"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"2ad7bf3638411cb547f2823df08166c13ab04269"},{"fixed":"e2b46cd5796f083e452fbc624f65b80328b0c1a4"},{"fixed":"25efdbe5fe542c3063d1948cc4e98abcb57621ca"},{"fixed":"bffcdade259c05ab3436b5fab711612093c275ef"},{"fixed":"346e94aa4a99378592c46d6a34c72703a32bd5be"},{"fixed":"ab4a733874ead120691e8038272d22f8444d3638"},{"fixed":"8d06006c7eb75587d986da46c48ba9274f94e8e7"},{"fixed":"b583e6b25bf9321c91154f6c78d2173ef12c4241"},{"fixed":"81225b2ea161af48e093f58e8dfee6d705b16af4"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48651.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVS
S_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"}]}