Bug 2224048 (CVE-2023-3812) - CVE-2023-3812 kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags
Status: NEW
Alias: CVE-2023-3812
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
Depends On: 2224054 2224270 2224271 2224272 2224273 2224275 2224276 2224277 2224278 2224279 2224280 2224281 2224282 2224283 2224284 2224285 2224286 2224287 2224288 2224290 2224291 2224292 2224293 2224294 2224295 2224296
Blocks: 2223202
Reported: 2023-07-19 16:40 UTC by Alex
Modified: 2024-05-02 16:01 UTC

Fixed In Version: kernel 6.1-rc4
Doc Text:
An out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0610 0 None None None 2024-01-30 14:48:38 UTC
Red Hat Product Errata RHBA-2024:0611 0 None None None 2024-01-30 14:53:03 UTC
Red Hat Product Errata RHBA-2024:0637 0 None None None 2024-02-01 00:09:03 UTC
Red Hat Product Errata RHBA-2024:0673 0 None None None 2024-02-05 10:13:14 UTC
Red Hat Product Errata RHBA-2024:2680 0 None None None 2024-05-02 16:01:37 UTC
Red Hat Product Errata RHSA-2023:6799 0 None None None 2023-11-08 08:39:55 UTC
Red Hat Product Errata RHSA-2023:6813 0 None None None 2023-11-08 10:57:16 UTC
Red Hat Product Errata RHSA-2023:7370 0 None None None 2023-11-21 11:24:52 UTC
Red Hat Product Errata RHSA-2023:7379 0 None None None 2023-11-21 10:25:08 UTC
Red Hat Product Errata RHSA-2023:7382 0 None None None 2023-11-21 11:15:59 UTC
Red Hat Product Errata RHSA-2023:7389 0 None None None 2023-11-21 11:12:15 UTC
Red Hat Product Errata RHSA-2023:7411 0 None None None 2023-11-21 12:24:29 UTC
Red Hat Product Errata RHSA-2023:7418 0 None None None 2023-11-21 14:48:18 UTC
Red Hat Product Errata RHSA-2023:7548 0 None None None 2023-11-28 15:11:36 UTC
Red Hat Product Errata RHSA-2023:7549 0 None None None 2023-11-28 15:23:49 UTC
Red Hat Product Errata RHSA-2023:7554 0 None None None 2023-11-28 17:53:09 UTC
Red Hat Product Errata RHSA-2024:0340 0 None None None 2024-01-23 09:12:31 UTC
Red Hat Product Errata RHSA-2024:0378 0 None None None 2024-01-23 17:28:14 UTC
Red Hat Product Errata RHSA-2024:0412 0 None None None 2024-01-24 16:44:15 UTC
Red Hat Product Errata RHSA-2024:0461 0 None None None 2024-01-24 16:28:44 UTC
Red Hat Product Errata RHSA-2024:0554 0 None None None 2024-01-30 00:33:48 UTC
Red Hat Product Errata RHSA-2024:0562 0 None None None 2024-01-30 12:27:53 UTC
Red Hat Product Errata RHSA-2024:0563 0 None None None 2024-01-30 12:27:02 UTC
Red Hat Product Errata RHSA-2024:0575 0 None None None 2024-01-30 13:21:58 UTC
Red Hat Product Errata RHSA-2024:0593 0 None None None 2024-01-30 13:10:19 UTC
Red Hat Product Errata RHSA-2024:1961 0 None None None 2024-04-23 00:27:12 UTC
Red Hat Product Errata RHSA-2024:2006 0 None None None 2024-04-23 16:40:00 UTC
Red Hat Product Errata RHSA-2024:2008 0 None None None 2024-04-23 16:28:14 UTC

Description Alex 2023-07-19 16:40:58 UTC
A flaw was found in the Linux kernel. If napi frags is enabled and patch 363a5328f4b0 ("net: tun: fix bugs for oversize packet when napi frags enabled") is not applied, then when a local user tries to send a too-large IPv6 packet (with a big packet length), it can lead to an out-of-bounds memory bug.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=363a5328f4b0

Comment 2 Alex 2023-07-19 16:58:29 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2224054]

Comment 6 Justin M. Forbes 2023-08-07 21:05:07 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.

Comment 15 errata-xmlrpc 2023-11-08 08:39:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6799 https://access.redhat.com/errata/RHSA-2023:6799

Comment 16 errata-xmlrpc 2023-11-08 10:57:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6813 https://access.redhat.com/errata/RHSA-2023:6813

Comment 21 errata-xmlrpc 2023-11-21 10:25:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379

Comment 22 errata-xmlrpc 2023-11-21 11:12:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389

Comment 23 errata-xmlrpc 2023-11-21 11:15:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382

Comment 24 errata-xmlrpc 2023-11-21 11:24:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370

Comment 25 errata-xmlrpc 2023-11-21 12:24:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411

Comment 26 errata-xmlrpc 2023-11-21 14:48:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418

Comment 27 errata-xmlrpc 2023-11-28 15:11:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7548 https://access.redhat.com/errata/RHSA-2023:7548

Comment 28 errata-xmlrpc 2023-11-28 15:23:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7549 https://access.redhat.com/errata/RHSA-2023:7549

Comment 29 errata-xmlrpc 2023-11-28 17:53:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7554 https://access.redhat.com/errata/RHSA-2023:7554

Comment 31 errata-xmlrpc 2024-01-23 09:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0340 https://access.redhat.com/errata/RHSA-2024:0340

Comment 32 errata-xmlrpc 2024-01-23 17:28:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0378 https://access.redhat.com/errata/RHSA-2024:0378

Comment 33 errata-xmlrpc 2024-01-24 16:28:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0461 https://access.redhat.com/errata/RHSA-2024:0461

Comment 34 errata-xmlrpc 2024-01-24 16:44:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412

Comment 35 errata-xmlrpc 2024-01-30 00:33:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0554 https://access.redhat.com/errata/RHSA-2024:0554

Comment 36 errata-xmlrpc 2024-01-30 12:26:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563

Comment 37 errata-xmlrpc 2024-01-30 12:27:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562

Comment 38 errata-xmlrpc 2024-01-30 13:10:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0593 https://access.redhat.com/errata/RHSA-2024:0593

Comment 39 errata-xmlrpc 2024-01-30 13:21:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0575 https://access.redhat.com/errata/RHSA-2024:0575

Comment 43 errata-xmlrpc 2024-04-23 00:27:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1961 https://access.redhat.com/errata/RHSA-2024:1961

Comment 44 errata-xmlrpc 2024-04-23 16:28:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008

Comment 45 errata-xmlrpc 2024-04-23 16:39:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006

