Description
In the Linux kernel, the following vulnerability has been resolved: ip6_vti: fix incorrect tunnel matching in vti6_tnl_lookup() In vti6_tnl_lookup(), when an exact match for a tunnel fails, the code falls back to searching for wildcard tunnels: - Tunnels matching the packet's local address, with any remote address wildcard remote). - Tunnels matching the packet's remote address, with any local address (wildcard local). However, vti6 stores all these different types of tunnels in the same hash table (ip6n->tnls_r_l) prone to hash collisions. The bug is that the fallback search loops in vti6_tnl_lookup() were missing checks to ensure that the candidate tunnel actually has a wildcard address.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – c327fa4fca31415431202e063767a7ae342e19c6
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – fc657ac0767c49839b3ef0b08dc0953ca30883f8
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – 47fb3c2b4203556308e64354b3e78f2ce221d646
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – f513f308cc4bdb4530d033431592ffbc29b7fca1
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – 90fd4513315ca07da99cfd8549d3e553a7160f0d
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – 2abfb19bbb81958714ad1d43ebeb65b30394184b
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – 2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d
- Linux / Linuxfbe68ee87522f6eaa10f9076c0a7117e1613f2f7 – a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9
- Linux / Linux3.19 – 3.19
- Linux / Linux0 – 3.19
- Linux / Linux5.10.259 – 5.10.*
- Linux / Linux5.15.210 – 5.15.*
- Linux / Linux6.1.176 – 6.1.*
- Linux / Linux6.6.143 – 6.6.*
- Linux / Linux6.12.94 – 6.12.*
- Linux / Linux6.18.36 – 6.18.*
- Linux / Linux7.0.13 – 7.0.*
- Linux / Linux7.1 – *
References
- MISChttps://git.kernel.org/stable/c/c327fa4fca31415431202e063767a7ae342e19c6
- MISChttps://git.kernel.org/stable/c/fc657ac0767c49839b3ef0b08dc0953ca30883f8
- MISChttps://git.kernel.org/stable/c/47fb3c2b4203556308e64354b3e78f2ce221d646
- MISChttps://git.kernel.org/stable/c/f513f308cc4bdb4530d033431592ffbc29b7fca1
- MISChttps://git.kernel.org/stable/c/90fd4513315ca07da99cfd8549d3e553a7160f0d
- MISChttps://git.kernel.org/stable/c/2abfb19bbb81958714ad1d43ebeb65b30394184b
- MISChttps://git.kernel.org/stable/c/2fc7bc087cc7085368263d9d37bfe9a0bddd6a2d
- MISChttps://git.kernel.org/stable/c/a5c0359f5cbc51a2e2b114d6041e0f3c73f903e9