{"id":"CVE-2022-49340","summary":"ip_gre: test csum_start instead of transport header","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nip_gre: test csum_start instead of transport header\n\nGRE with TUNNEL_CSUM will apply local checksum offload on\nCHECKSUM_PARTIAL packets.\n\nipgre_xmit must validate csum_start after an optional skb_pull,\nelse lco_csum may trigger an overflow. The original check was\n\n\tif (csum && skb_checksum_start(skb) \u003c skb-\u003edata)\n\t\treturn -EINVAL;\n\nThis had false positives when skb_checksum_start is undefined:\nwhen ip_summed is not CHECKSUM_PARTIAL. A discussed refinement\nwas straightforward\n\n\tif (csum && skb-\u003eip_summed == CHECKSUM_PARTIAL &&\n\t    skb_checksum_start(skb) \u003c skb-\u003edata)\n\t\treturn -EINVAL;\n\nBut was eventually revised more thoroughly:\n- restrict the check to the only branch where needed, in an\n  uncommon GRE path that uses header_ops and calls skb_pull.\n- test skb_transport_header, which is set along with csum_start\n  in skb_partial_csum_set in the normal header_ops datapath.\n\nTurns out skbs can arrive in this branch without the transport\nheader set, e.g., through BPF redirection.\n\nRevise the check back to check csum_start directly, and only if\nCHECKSUM_PARTIAL. Do leave the check in the updated location.\nCheck field regardless of whether TUNNEL_CSUM is configured.","modified":"2026-04-11T12:43:53.825484Z","published":"2025-02-26T02:10:57.322Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49340.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/0c92d813c7c9ca2212ecd879232e7d87362fce98"},{"type":"WEB","url":"https://git.kernel.org/stable/c/0ffa268724656633af5f37a38c212326d98ebe8c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d08bc3a5d9b2106f5c8bcf1adb73147824aa006"},{"type":"WEB","url":"https://git.kernel.org/stable/c/7596bd7920985f7fc8579a92e48bc53ce4475b21"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8d21e9963bec1aad2280cdd034c8993033ef2948"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58"},{"type":"WEB","url":"https://git.kernel.org/stable/c/fbeb8dfa8b87ef259eef0c89e39b53962a3cf604"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49340.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-49340"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"774430026bd9a472d08c5d3c33351a782315771a"},{"fixed":"7596bd7920985f7fc8579a92e48bc53ce4475b21"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"3d32ce5472bb2ca720bef84089b85f76a705fd1a"},{"fixed":"3d08bc3a5d9b2106f5c8bcf1adb73147824aa006"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"87b34cd6485192777f632f92d592f2a71d8801a6"},{"fixed":"fbeb8dfa8b87ef259eef0c89e39b53962a3cf604"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"8a0ed250f911da31a2aef52101bc707846a800ff"},{"fixed":"e6b6f98fc7605c06c0a3baa70f62c534d7b4ce58"},{"fixed":"0c92d813c7c9ca2212ecd879232e7d87362fce98"},{"fixed":"0ffa268724656633af5f37a38c212326d98ebe8c"},{"fixed":"8d21e9963bec1aad2280cdd034c8993033ef2948"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"4bf5d5224ffca069df4501ba5fcc6ded9c002ead"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49340.json"}},{"package":{"name":"Kernel","ecosystem":"Linux"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.19.247"}]},{"type":"ECOSYSTEM","events":[{"introduced":"4.20.0"},{"fixed":"5.4.198"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.5.0"},{"fixed":"5.10.122"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.11.0"},{"fixed":"5.15.47"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.15.0"},{"fixed":"5.17.15"}]},{"type":"ECOSYSTEM","events":[{"introduced":"5.16.0"},{"fixed":"5.18.4"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49340.json"}}],"schema_version":"1.7.5"}