Message ID | 20230804201225.116222-1-yuxuan.luo@canonical.com
---|---
Series | CVE-2023-3609
On 04.08.23 22:12, Yuxuan Luo wrote:
> This v2 patch corrects the patch for Focal and Jammy as Lunar's patch
> cannot be applied cleanly on these kernels. No change made to Lunar's
> patch.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
> component can be exploited to achieve local privilege escalation. If
> tcf_change_indev() fails, u32_set_parms() will immediately return an
> error after incrementing or decrementing the reference counter in
> tcf_bind_filter(). If an attacker can control the reference counter and
> set it to zero, they can cause the reference to be freed, leading to a
> use-after-free vulnerability.
>
> [Backport]
> Clean cherry pick.
>
> [Test]
> Smoke tested via adding a u32 filter to a dummy device using `tc`.
>
> [Potential Regression]
> Expect very low regression.
>
> Lee Jones (1):
>   net/sched: cls_u32: Fix reference counter leak leading to overflow
>
>  net/sched/cls_u32.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
>

Lunar is already applied from the previous submission.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 04/08/2023 22:12, Yuxuan Luo wrote:
> This v2 patch corrects the patch for Focal and Jammy as Lunar's patch
> cannot be applied cleanly on these kernels. No change made to Lunar's
> patch.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
> component can be exploited to achieve local privilege escalation. If
> tcf_change_indev() fails, u32_set_parms() will immediately return an
> error after incrementing or decrementing the reference counter in
> tcf_bind_filter(). If an attacker can control the reference counter and
> set it to zero, they can cause the reference to be freed, leading to a
> use-after-free vulnerability.
>
> [Backport]
> Clean cherry pick.
>
> [Test]
> Smoke tested via adding a u32 filter to a dummy device using `tc`.
>
> [Potential Regression]
> Expect very low regression.
>
> Lee Jones (1):
>   net/sched: cls_u32: Fix reference counter leak leading to overflow
>
>  net/sched/cls_u32.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 04.08.23 22:12, Yuxuan Luo wrote:
> This v2 patch corrects the patch for Focal and Jammy as Lunar's patch
> cannot be applied cleanly on these kernels. No change made to Lunar's
> patch.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
> component can be exploited to achieve local privilege escalation. If
> tcf_change_indev() fails, u32_set_parms() will immediately return an
> error after incrementing or decrementing the reference counter in
> tcf_bind_filter(). If an attacker can control the reference counter and
> set it to zero, they can cause the reference to be freed, leading to a
> use-after-free vulnerability.
>
> [Backport]
> Clean cherry pick.
>
> [Test]
> Smoke tested via adding a u32 filter to a dummy device using `tc`.
>
> [Potential Regression]
> Expect very low regression.
>
> Lee Jones (1):
>   net/sched: cls_u32: Fix reference counter leak leading to overflow
>
>  net/sched/cls_u32.c | 18 ++++++++++--------
>  1 file changed, 10 insertions(+), 8 deletions(-)
>

Applied to jammy,focal:linux/master-next. Already applied to Lunar.

Thanks.
-Stefan
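The bug class the cover letter describes, bind a filter to a class (reference count changed) and then return early from a parameter check that can fail, is easiest to see in a small model. The following is an added example written for this thread, not code from the patch or from net/sched/cls_u32.c; every identifier (`toy_bind`, `toy_change_indev`, `set_parms_leaky`, `set_parms_fixed`, `leaked_refs`) is constructed, and the "validate before bind" ordering of the fixed variant is an illustrative choice, not a claim about how the actual patch is structured. Running it shows that each failed call to the leaky variant leaves one extra reference on the class, which is the imbalance the kernel fix removes.

```c
#include <stdio.h>

/* Toy model of the refcount-before-validation pattern. Constructed for
 * illustration; none of these names are the kernel's own. */

struct toy_class {
    int refcnt;            /* number of filters currently bound to this class */
};

struct toy_filter {
    struct toy_class *cl;  /* class this filter is bound to, or NULL */
};

/* Stand-in for the bind step: take a reference on the class. */
static void toy_bind(struct toy_filter *f, struct toy_class *cl)
{
    cl->refcnt++;
    f->cl = cl;
}

/* Stand-in for the interface check that can fail: returns a positive
 * ifindex on success, -1 on failure. Constructed rule: only names that
 * start with "eth" are accepted. */
static int toy_change_indev(const char *indev)
{
    if (indev[0] == 'e' && indev[1] == 't' && indev[2] == 'h')
        return 1;
    return -1;
}

/* Bind-then-validate: on a failed check it returns with the reference
 * still held, so every failing call leaks one count. */
static int set_parms_leaky(struct toy_filter *f, struct toy_class *cl,
                           const char *indev)
{
    toy_bind(f, cl);
    int ifindex = toy_change_indev(indev);
    if (ifindex < 0)
        return -1;         /* bug: the bind is never undone */
    return 0;
}

/* Validate-then-bind: nothing has been taken yet when the check fails,
 * so the count stays balanced. Undoing the bind on the error path would
 * be the other correct shape. */
static int set_parms_fixed(struct toy_filter *f, struct toy_class *cl,
                           const char *indev)
{
    int ifindex = toy_change_indev(indev);
    if (ifindex < 0)
        return -1;
    toy_bind(f, cl);
    return 0;
}

/* Call one variant `tries` times with a name that fails validation and
 * report how many references are left on the class afterwards. Each
 * filter object is discarded without ever being unbound, as a rejected
 * filter would be on the error path. */
static int leaked_refs(int (*set_parms)(struct toy_filter *,
                                        struct toy_class *, const char *),
                       int tries)
{
    struct toy_class cl = { .refcnt = 0 };
    for (int i = 0; i < tries; i++) {
        struct toy_filter f = { .cl = NULL };
        (void)set_parms(&f, &cl, "bogus0");   /* constructed failing name */
    }
    return cl.refcnt;
}

int main(void)
{
    printf("leaky: %d refs left after 5 failed calls\n",
           leaked_refs(set_parms_leaky, 5));
    printf("fixed: %d refs left after 5 failed calls\n",
           leaked_refs(set_parms_fixed, 5));
    return 0;
}
```

The point for a reviewer is the ordering: any step that takes a reference must either come after every check that can fail, or be paired with a release on each error path between it and the return.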