Message ID | 20231026141524.257138-1-magali.lemes@canonical.com
---|---
Series | CVE-2023-39193
On 26.10.23 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
>
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the sctp packet matching module.
>
> Wander Lairson Costa (1):
> netfilter: xt_sctp: validate the flag_info count
>
> net/netfilter/xt_sctp.c | 2 ++
> 1 file changed, 2 insertions(+)

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 26/10/2023 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
>
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the sctp packet matching module.
>
> Wander Lairson Costa (1):
> netfilter: xt_sctp: validate the flag_info count
>
> net/netfilter/xt_sctp.c | 2 ++
> 1 file changed, 2 insertions(+)

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

On 26/10/2023 16:15, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The
> sctp_mt_check did not validate the flag_count field. This flaw allows a local
> privileged (CAP_NET_ADMIN) attacker to trigger an out-of-bounds read, leading
> to a crash or information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> (vm) $ sudo iptables -A INPUT -p sctp -m sctp --dport 12345 -j LOG
> (vm) $ ncat --sctp -l -p 12345
>
> (host) $ echo "testing" | ncat --sctp $VM_IP 12345
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the sctp packet matching module.
>
> Wander Lairson Costa (1):
> netfilter: xt_sctp: validate the flag_info count
>
> net/netfilter/xt_sctp.c | 2 ++
> 1 file changed, 2 insertions(+)

Applied to f,j,l:master-next. Thanks!

Roxana
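The flaw the quoted cover letter describes, and the kind of bound a "validate the flag_info count" fix places in sctp_mt_check(), as an added C model that is not the kernel's code or the backported patch: the struct layout is simplified, the function names `sctp_mt_check_model` and `match_flag_info` are invented for this example, and `XT_SCTP_FLAG_INFO_MAX` is taken as 4 (the value in the kernel's uapi header).

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
#define XT_SCTP_FLAG_INFO_MAX 4   /* assumed: uapi limit for xt_sctp flag_info[] */

/* Simplified model of the xt_sctp match info (ports and chunk map omitted). */
struct xt_sctp_flag_info {
    uint8_t chunktype;
    uint8_t flag;
    uint8_t flag_mask;
};

struct xt_sctp_info_model {
    struct xt_sctp_flag_info flag_info[XT_SCTP_FLAG_INFO_MAX];
    int flag_count;   /* supplied by user space (iptables) when the rule is installed */
};

/* checkentry-time validation, the kind of bound the fix adds to sctp_mt_check().
 * Runs once when the rule is loaded, so the per-packet path may trust flag_count.
 * Returns 0 on success or -EINVAL, as xtables checkentry callbacks do. */
int sctp_mt_check_model(const struct xt_sctp_info_model *info)
{
    /* Without this check a count above the array size (or a negative one) lets
     * the match loop below read past flag_info[]: the CVE's out-of-bounds read. */
    if (info->flag_count < 0 ||
        (size_t)info->flag_count > ARRAY_SIZE(info->flag_info))
        return -EINVAL;
    return 0;
}

/* Per-packet path (modelled on xt_sctp's flag matching): the first entry for this
 * chunk type decides; with no entry for the type there is nothing to check.
 * Only memory-safe because sctp_mt_check_model() bounded flag_count earlier. */
bool match_flag_info(const struct xt_sctp_info_model *info,
                     uint8_t chunktype, uint8_t chunkflags)
{
    for (int i = 0; i < info->flag_count; i++) {
        const struct xt_sctp_flag_info *fi = &info->flag_info[i];
        if (fi->chunktype == chunktype)
            return (chunkflags & fi->flag_mask) == fi->flag;
    }
    return true;
}
```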