Bug 2056830 (CVE-2022-25636)

Summary: CVE-2022-25636 kernel: heap out of bounds write in nf_dup_netdev.c
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, alex.iribarren, asavkov, berend.de.schouwer, bhu, brdeoliv, bskeggs, chwhite, crwood, ctoe, dhoward, dvlasenk, fhrbata, fpacheco, gerald.prock, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kent, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, lzampier, masami256, mchehab, michal.skrivanek, mperina, nmurray, pdwyer, ptalbert, qzhao, rauferna, rhandlin, rkeshri, rvrbovsk, sbonazzo, scweaver, steved, tsorense, vkumar, walters, williams, ycote, zulinx86
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Text:
An out-of-bounds (OOB) memory access flaw was found in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c in the netfilter subcomponent in the Linux kernel due to a heap out-of-bounds write problem. This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.
Last Closed: 2022-06-03 17:13:51 UTC
Bug Depends On: 2056728, 2056863, 2056864, 2056865, 2056866, 2056867, 2056868, 2056869, 2056870, 2056874, 2056875, 2056879, 2056880, 2056881, 2058737, 2065576, 2068028, 2068029    
Bug Blocks: 2056832    

Description Avinash Hanwate 2022-02-22 07:11:40 UTC
An out-of-bounds (OOB) memory access flaw was found in nft_fwd_dup_netdev_offload in net/netfilter/nf_dup_netdev.c in the netfilter subcomponent in the Linux kernel due to a heap out-of-bounds write problem. This flaw allows an attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.

Reference:

https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=b1a5983f56e371046dcf164f90bfaf704d2b89f6
https://www.openwall.com/lists/oss-security/2022/02/21/2

Comment 5 Rohit Keshri 2022-02-22 09:02:23 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2056863]

Comment 12 Justin M. Forbes 2022-03-16 15:19:19 UTC
This was fixed for Fedora with the 5.16.12 stable kernel updates.

Comment 15 Tom Sorensen 2022-03-17 14:02:07 UTC
Does it matter if netfilter is in use (e.g. -- firewall enabled or disabled)? I cannot find any definitive answer from the mailing list or elsewhere.

Comment 16 Sandro Bonazzola 2022-03-18 08:58:29 UTC
Created kernel tracking bugs for this issue:

Affects: ovirt-4.4 [ bug 2065576 ]

Comment 21 errata-xmlrpc 2022-04-19 15:05:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1413 https://access.redhat.com/errata/RHSA-2022:1413

Comment 22 errata-xmlrpc 2022-04-19 16:19:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1418 https://access.redhat.com/errata/RHSA-2022:1418

Comment 23 errata-xmlrpc 2022-04-20 16:20:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:1455 https://access.redhat.com/errata/RHSA-2022:1455

Comment 24 errata-xmlrpc 2022-04-26 16:45:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1535 https://access.redhat.com/errata/RHSA-2022:1535

Comment 25 errata-xmlrpc 2022-04-26 17:10:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1555 https://access.redhat.com/errata/RHSA-2022:1555

Comment 26 errata-xmlrpc 2022-04-26 21:49:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1550 https://access.redhat.com/errata/RHSA-2022:1550

Comment 27 errata-xmlrpc 2022-06-03 13:48:28 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:4896 https://access.redhat.com/errata/RHSA-2022:4896

Comment 28 Product Security DevOps Team 2022-06-03 17:13:47 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-25636