Bug 2152548 (CVE-2022-4378)

Summary: CVE-2022-4378 kernel: stack overflow in do_proc_dointvec and proc_skip_spaces
Product: [Other] Security Response
Component: vulnerability
Reporter: Alex <allarkin>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, arachman, bhu, chwhite, crwood, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, kyoshida, lgoncalv, lleshchi, lveyde, lzampier, martin.hecht, michal.skrivanek, mperina, nmurray, ptalbert, qzhao, rhandlin, rogbas, rvrbovsk, sbonazzo, scweaver, security-response-team, tyberry, vkumar, walters, williams, ycote
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: kernel 6.0.12
Doc Text: A stack overflow flaw was found in the Linux kernel's SYSCTL subsystem in how a user changes certain kernel parameters and variables. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Last Closed: 2023-06-07 01:31:57 UTC
Bug Depends On: 2152564, 2152565, 2152566, 2152567, 2152568, 2152569, 2152570, 2152571, 2152572, 2152573, 2152574, 2152575, 2152576, 2152577, 2152578, 2152579, 2152580, 2152581, 2152582, 2152583, 2152584, 2152589, 2152590, 2152591, 2152592, 2152593, 2152594, 2152595, 2152596, 2152597, 2152598, 2152599, 2152603, 2152604, 2152605, 2152606, 2152607, 2160015
Bug Blocks: 2151836

Description Alex 2022-12-12 10:12:48 UTC
A stack overflow flaw was found in the Linux kernel. If a user has access to SYSCTL (dynamically changing certain kernel parameters and variables), they can provide incorrect input to the function do_proc_dointvec, leading to a system crash or potentially privilege escalation. A known example of such incorrect input by a local user is for /proc/sys/net/ipv4/tcp_rmem, but there could be other situations where this function is used.

References:
https://seclists.org/oss-sec/2022/q4/178
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-proc_skip_spaces-shouldn-t-think-it-is-working-on-c-strings.patch
https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.0/proc-avoid-integer-type-confusion-in-get_proc_long.patch

Comment 6 Marian Rehak 2022-12-12 12:38:18 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2152607]

Comment 7 Justin M. Forbes 2022-12-14 15:44:07 UTC
This was fixed for Fedora with the 6.0.12 stable kernel updates.

Comment 11 errata-xmlrpc 2023-02-21 10:02:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0856 https://access.redhat.com/errata/RHSA-2023:0856

Comment 12 errata-xmlrpc 2023-02-21 10:03:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:0858 https://access.redhat.com/errata/RHSA-2023:0858

Comment 13 errata-xmlrpc 2023-02-28 08:03:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:0944 https://access.redhat.com/errata/RHSA-2023:0944

Comment 14 errata-xmlrpc 2023-02-28 08:03:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2023:0945 https://access.redhat.com/errata/RHSA-2023:0945

Comment 15 errata-xmlrpc 2023-02-28 08:18:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0951 https://access.redhat.com/errata/RHSA-2023:0951

Comment 16 errata-xmlrpc 2023-02-28 09:51:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:0979 https://access.redhat.com/errata/RHSA-2023:0979

Comment 17 errata-xmlrpc 2023-02-28 11:42:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1008 https://access.redhat.com/errata/RHSA-2023:1008

Comment 18 errata-xmlrpc 2023-03-07 09:49:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:1103 https://access.redhat.com/errata/RHSA-2023:1103

Comment 19 errata-xmlrpc 2023-03-07 09:52:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1101 https://access.redhat.com/errata/RHSA-2023:1101

Comment 20 errata-xmlrpc 2023-03-07 09:54:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1091 https://access.redhat.com/errata/RHSA-2023:1091

Comment 21 errata-xmlrpc 2023-03-07 09:54:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:1092 https://access.redhat.com/errata/RHSA-2023:1092

Comment 22 errata-xmlrpc 2023-03-07 13:14:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1110 https://access.redhat.com/errata/RHSA-2023:1110

Comment 23 errata-xmlrpc 2023-03-07 13:16:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:1109 https://access.redhat.com/errata/RHSA-2023:1109

Comment 24 errata-xmlrpc 2023-03-14 13:53:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1202 https://access.redhat.com/errata/RHSA-2023:1202

Comment 25 errata-xmlrpc 2023-03-14 13:54:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1203 https://access.redhat.com/errata/RHSA-2023:1203

Comment 26 errata-xmlrpc 2023-03-14 13:58:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1220 https://access.redhat.com/errata/RHSA-2023:1220

Comment 27 errata-xmlrpc 2023-03-14 13:58:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1221 https://access.redhat.com/errata/RHSA-2023:1221

Comment 28 errata-xmlrpc 2023-03-15 09:49:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2023:1251 https://access.redhat.com/errata/RHSA-2023:1251

Comment 29 errata-xmlrpc 2023-03-23 09:03:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:1435 https://access.redhat.com/errata/RHSA-2023:1435

Comment 32 errata-xmlrpc 2023-04-04 09:05:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1584 https://access.redhat.com/errata/RHSA-2023:1584

Comment 33 errata-xmlrpc 2023-04-04 09:21:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1566 https://access.redhat.com/errata/RHSA-2023:1566

Comment 34 errata-xmlrpc 2023-04-05 14:05:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1659 https://access.redhat.com/errata/RHSA-2023:1659

Comment 35 errata-xmlrpc 2023-04-11 14:10:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:1705 https://access.redhat.com/errata/RHSA-2023:1705

Comment 36 errata-xmlrpc 2023-04-11 14:20:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2023:1706 https://access.redhat.com/errata/RHSA-2023:1706

Comment 37 errata-xmlrpc 2023-04-18 13:54:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2023:1822 https://access.redhat.com/errata/RHSA-2023:1822

Comment 39 errata-xmlrpc 2023-05-31 15:50:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3388 https://access.redhat.com/errata/RHSA-2023:3388

Comment 40 errata-xmlrpc 2023-06-05 08:14:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:3431 https://access.redhat.com/errata/RHSA-2023:3431

Comment 41 errata-xmlrpc 2023-06-06 14:11:48 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2023:3491 https://access.redhat.com/errata/RHSA-2023:3491

Comment 43 Product Security DevOps Team 2023-06-07 01:31:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4378