[SRU,F/J/L,0/1] CVE-2023-39193

Message ID	20231026141524.257138-1-magali.lemes@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Magali Lemes <magali.lemes@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][F/J/L][PATCH 0/1] CVE-2023-39193 Date: Thu, 26 Oct 2023 11:15:23 -0300 Message-Id: <20231026141524.257138-1-magali.lemes@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-39193 \| expand [SRU,F/J/L,0/1] CVE-2023-39193 [SRU,F/J/L,1/1] netfilter: xt_sctp: validate the flag_info count

Message ID

20231026141524.257138-1-magali.lemes@canonical.com

Headers

From: Magali Lemes <magali.lemes@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L][PATCH 0/1] CVE-2023-39193
Date: Thu, 26 Oct 2023 11:15:23 -0300
Message-Id: <20231026141524.257138-1-magali.lemes@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-39193 | expand

Message

Magali Lemes Oct. 26, 2023, 2:15 p.m. UTC

[Impact]
A flaw was found in the Netfilter subsystem in the Linux kernel. The
sctp_mt_check did not validate the flag_count field. This flaw allows a local
privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
to a crash or information disclosure.

[Backport]
Clean cherry-pick.

[Test]
Compile, boot and smoke tested on a VM:
```
(vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
(vm) $ ncat --sctp -l -p 12345

(host) $ echo "testing" | ncat --sctp $VM_IP 12345

(vm) $ sudo dmesg | tail # here we expect to see some logs
```

[Regression potential]
Limited to the sctp packet matching module.

Wander Lairson Costa (1):
  netfilter: xt_sctp: validate the flag_info count

 net/netfilter/xt_sctp.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Stefan Bader Oct. 27, 2023, 9:02 a.m. UTC | #1

On 26.10.23 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
> 
> [Backport]
> Clean cherry-pick.
> 
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
> 
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
> 
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
> 
> [Regression potential]
> Limited to the sctp packet matching module.
> 
> Wander Lairson Costa (1):
>    netfilter: xt_sctp: validate the flag_info count
> 
>   net/netfilter/xt_sctp.c | 2 ++
>   1 file changed, 2 insertions(+)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>

Roxana Nicolescu Oct. 27, 2023, 9:22 a.m. UTC | #2

On 26/10/2023 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
>
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the sctp packet matching module.
>
> Wander Lairson Costa (1):
>    netfilter: xt_sctp: validate the flag_info count
>
>   net/netfilter/xt_sctp.c | 2 ++
>   1 file changed, 2 insertions(+)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

Roxana Nicolescu Oct. 27, 2023, 11:55 a.m. UTC | #3

On 26/10/2023 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
>
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the sctp packet matching module.
>
> Wander Lairson Costa (1):
>    netfilter: xt_sctp: validate the flag_info count
>
>   net/netfilter/xt_sctp.c | 2 ++
>   1 file changed, 2 insertions(+)
>
Applied to f,j,l:master-next. Thanks!

Roxana