[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-DEBIAN-CVE-2022-48744":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-04T08:53:30.047Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":11,"aliases":12,"duplicate_of":9,"upstream":13,"downstream":16,"duplicates":19,"related":20,"reserved_at":9,"published_at":21,"modified_at":22,"state":9,"summary":23,"references_raw":25,"kevs":32,"epss":9,"epss_history":33,"metrics":34,"affected":41},"DEBIAN-CVE-2022-48744","In the Linux kernel, the following vulnerability has been resolved:  net/mlx5e: Avoid field-overflowing memcpy()  In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.  Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler.  We were doing:  \t#define ETH_HLEN  14 \t#define VLAN_HLEN  4 \t... \t#define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) \t...         struct mlx5e_tx_wqe      *wqe  = mlx5_wq_cyc_get_wqe(wq, pi); \t...         struct mlx5_wqe_eth_seg  *eseg = &wqe->eth;         struct mlx5_wqe_data_seg *dseg = wqe->data; \t... \tmemcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);  target is wqe->eth.inline_hdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlan_tci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr (8 bytes).  struct mlx5e_tx_wqe {         struct mlx5_wqe_ctrl_seg   ctrl;                 /*     0    16 */         struct mlx5_wqe_eth_seg    eth;                  /*    16    16 */         struct mlx5_wqe_data_seg   data[];               /*    32     0 */          /* size: 32, cachelines: 1, members: 3 */         /* last cacheline: 32 bytes */ };  struct mlx5_wqe_eth_seg {         u8                         swp_outer_l4_offset;  /*     0     1 */         u8                         swp_outer_l3_offset;  /*     1     1 */         u8                         swp_inner_l4_offset;  /*     2     1 */         u8                         swp_inner_l3_offset;  /*     3     1 */         u8                         cs_flags;             /*     4     1 */         u8                         swp_flags;            /*     5     1 */         __be16                     mss;                  /*     6     2 */         __be32                     flow_table_metadata;  /*     8     4 */         union {                 struct {                         __be16     sz;                   /*    12     2 */                         u8         start[2];             /*    14     2 */                 } inline_hdr;                            /*    12     4 */                 struct {                         __be16     type;                 /*    12     2 */                         __be16     vlan_tci;             /*    14     2 */                 } insert;                                /*    12     4 */                 __be32             trailer;              /*    12     4 */         };                                               /*    12     4 */          /* size: 16, cachelines: 1, members: 9 */         /* last cacheline: 16 bytes */ };  struct mlx5_wqe_data_seg {         __be32                     byte_count;           /*     0     4 */         __be32                     lkey;                 /*     4     4 */         __be64                     addr;                 /*     8     8 */          /* size: 16, cachelines: 1, members: 3 */         /* last cacheline: 16 bytes */ };  So, split the memcpy() so the compiler can reason about the buffer sizes.  \"pahole\" shows no size nor member offset changes to struct mlx5e_tx_wqe nor struct mlx5e_umr_wqe. \"objdump -d\" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).",null,[],[],[],[14],{"_key":15},"CVE-2022-48744",[17],{"_key":18},"DLA-4475-1",[],[],"2024-06-20T12:15:12.700Z","2026-04-28T20:24:54.278176Z",{"cisa_kev":24,"cisa_ransomware":24,"cisa_vendor":9,"epss_severity":9,"epss_score":9,"severity":9,"severity_score":9,"severity_version":9,"severity_source":9,"severity_vector":9,"severity_status":9},false,[26],{"url":27,"sources":28,"tags":30},"https://security-tracker.debian.org/tracker/CVE-2022-48744",[29],"osv_debian",[31],"Advisory",[],[],[35],{"source":29,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":36,"cvss_v4_0":9},{"baseScore":37,"baseSeverity":9,"vectorString":38,"impactScore":39,"exploitabilityScore":40},7.8,"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",9.8,4.6,[42],{"ecosystem":43,"name":44,"vendor":45,"product":44,"cpe_part":9,"purl_type":46,"purl_namespace":45,"purl_name":44,"source":9,"versions":47},"Debian","linux","debian","deb",[48,52,56,59,60],{"version":49,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"all",true,"ecosystem",{"version":53,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":54,"version_end_type":55,"fixed_in":9},"lt5_10_249_1","5.10.249-1","excluding",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},"lt5_16_7_1","5.16.7-1",{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9},{"version":57,"is_range":50,"range_type":51,"version_start":9,"version_start_type":9,"version_end":58,"version_end_type":55,"fixed_in":9}]