mbox series

[SRU,Jammy-OEM-5.17/OEM-6.0,0/1] CVE-2023-3609

Message ID 20230803190029.53725-1-yuxuan.luo@canonical.com
Headers show
Series CVE-2023-3609 | expand

Message

Yuxuan Luo Aug. 3, 2023, 7 p.m. UTC 
[Impact]
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
component can be exploited to achieve local privilege escalation. If
tcf_change_indev() fails, u32_set_parms() will immediately return an
error after incrementing or decrementing the reference counter in
tcf_bind_filter(). If an attacker can control the reference counter and
set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability.

[Backport]
Clean cherry pick.

[Test]
Smoke tested via adding an u32 filter to a dummy device using `tc`.

[Potential Regression]
Expect very low regression.

Lee Jones (1):
  net/sched: cls_u32: Fix reference counter leak leading to overflow

 net/sched/cls_u32.c | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

Comments

Timo Aaltonen Aug. 4, 2023, 11:32 a.m. UTC | #1 
Yuxuan Luo kirjoitti 3.8.2023 klo 22.00:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
> component can be exploited to achieve local privilege escalation. If
> tcf_change_indev() fails, u32_set_parms() will immediately return an
> error after incrementing or decrementing the reference counter in
> tcf_bind_filter(). If an attacker can control the reference counter and
> set it to zero, they can cause the reference to be freed, leading to a
> use-after-free vulnerability.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Smoke tested via adding an u32 filter to a dummy device using `tc`.
> 
> [Potential Regression]
> Expect very low regression.
> 
> Lee Jones (1):
>    net/sched: cls_u32: Fix reference counter leak leading to overflow
> 
>   net/sched/cls_u32.c | 18 ++++++++++--------
>   1 file changed, 10 insertions(+), 8 deletions(-)
> 

applied, thanks