Bug 2114849 (CVE-2022-2588)

Summary: CVE-2022-2588 kernel: a use-after-free in cls_route filter implementation may lead to privilege escalation
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact: Li Shuang <shuali>
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, allarkin, bdettelb, bhu, brdeoliv, bskeggs, chorn, chwhite, crwood, ctoe, dbohanno, ddepaula, debarbos, dhoward, donovan.debeuckelaer, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, lzampier, masami256, mchehab, mhernon, michal.skrivanek, mperina, mschwabe, mvanderw, nmurray, psampaio, ptalbert, qzhao, rhandlin, rkeshri, rvrbovsk, sbalasub, scweaver, security-response-team, shuali, soutteri, steved, tyberry, vkumar, walters, williams, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 3.10
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in route4_change in the net/sched/cls_route.c filter implementation in the Linux kernel. This flaw allows a local user to crash the system and may lead to local privilege escalation.
Last Closed: 2022-12-04 06:16:42 UTC
Bug Depends On: 2116325, 2116326, 2116327, 2116328, 2117014, 2121806, 2121807, 2121808, 2121809, 2121810, 2121811, 2121812, 2121813, 2121814, 2121815, 2121816, 2121817, 2121818, 2121819, 2121820, 2122581, 2122582, 2122583, 2122584, 2122585, 2122586, 2124536, 2125517, 2183526, 2183564    
Bug Blocks: 1993988, 2114850    

Description Marian Rehak 2022-08-03 11:50:01 UTC
It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old filter from the hashtable before freeing it if its handle had the value 0; this could be exploited for Local Privilege Escalation.

Comment 5 Rohit Keshri 2022-08-09 18:19:51 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2117014]

Comment 16 errata-xmlrpc 2022-09-19 11:50:34 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551

Comment 17 Alex 2022-10-07 11:55:58 UTC
*** Bug 2132973 has been marked as a duplicate of this bug. ***

Comment 18 errata-xmlrpc 2022-10-11 12:32:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6872 https://access.redhat.com/errata/RHSA-2022:6872

Comment 19 errata-xmlrpc 2022-10-11 12:38:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:6875 https://access.redhat.com/errata/RHSA-2022:6875

Comment 20 errata-xmlrpc 2022-10-18 07:41:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6978 https://access.redhat.com/errata/RHSA-2022:6978

Comment 21 errata-xmlrpc 2022-10-18 08:08:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6991 https://access.redhat.com/errata/RHSA-2022:6991

Comment 22 errata-xmlrpc 2022-10-18 08:15:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6983 https://access.redhat.com/errata/RHSA-2022:6983

Comment 23 errata-xmlrpc 2022-10-25 08:44:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7110 https://access.redhat.com/errata/RHSA-2022:7110

Comment 24 errata-xmlrpc 2022-10-25 08:56:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7137 https://access.redhat.com/errata/RHSA-2022:7137

Comment 25 errata-xmlrpc 2022-10-25 08:58:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7134 https://access.redhat.com/errata/RHSA-2022:7134

Comment 26 errata-xmlrpc 2022-10-25 10:33:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:7146 https://access.redhat.com/errata/RHSA-2022:7146

Comment 27 errata-xmlrpc 2022-10-25 13:06:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:7171 https://access.redhat.com/errata/RHSA-2022:7171

Comment 28 errata-xmlrpc 2022-10-25 13:10:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:7173 https://access.redhat.com/errata/RHSA-2022:7173

Comment 29 errata-xmlrpc 2022-11-01 14:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:7279 https://access.redhat.com/errata/RHSA-2022:7279

Comment 30 errata-xmlrpc 2022-11-01 14:18:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2022:7280 https://access.redhat.com/errata/RHSA-2022:7280

Comment 31 errata-xmlrpc 2022-11-02 16:34:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7337 https://access.redhat.com/errata/RHSA-2022:7337

Comment 32 errata-xmlrpc 2022-11-02 16:35:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7338 https://access.redhat.com/errata/RHSA-2022:7338

Comment 33 errata-xmlrpc 2022-11-02 16:38:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:7344 https://access.redhat.com/errata/RHSA-2022:7344

Comment 34 errata-xmlrpc 2022-11-09 09:42:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2022:7885 https://access.redhat.com/errata/RHSA-2022:7885

Comment 35 Product Security DevOps Team 2022-12-04 06:16:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2588

Comment 41 errata-xmlrpc 2023-07-11 07:52:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:4022 https://access.redhat.com/errata/RHSA-2023:4022

Comment 42 errata-xmlrpc 2023-07-11 07:52:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2023:4023 https://access.redhat.com/errata/RHSA-2023:4023