Bug 2158198 (CVE-2022-3643)

Summary: CVE-2022-3643 Xen Security Advisory 423 v1: Guests can trigger NIC interface reset/abort/crash via netback
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, bskeggs, chwhite, crwood, ddepaula, debarbos, dfreiber, dhoward, dvlasenk, ezulian, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lleshchi, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rogbas, rvrbovsk, scweaver, steved, tyberry, vkumar, walters, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A possible reset/abort/crash flaw was found in the Linux kernel’s XEN driver when sending certain kinds of packets. This flaw allows a local user to crash the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-06 10:32:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2158199    
Bug Blocks: 2151870    

Description Alex 2023-01-04 15:37:44 UTC 
Guests can trigger NIC interface reset/abort/crash via netback. It is possible for a guest to trigger a NIC interface reset/abort/crash in a Linux based network backend by sending certain kinds of packets. It appears to be an (unwritten?) assumption in the rest of the Linux network stack that packet protocol headers are all contained within the linear section of the SKB and some NICs behave badly if this is not the case. This has been reported to occur with Cisco (enic) and Broadcom NetXtrem II BCM5780 (bnx2x) though it may be an issue with other NICs/drivers as well. In case the frontend is sending requests with split headers, netback will forward those violating above mentioned assumption to the networking core, resulting in said misbehavior.

References:
https://seclists.org/oss-sec/2022/q4/170
https://seclists.org/oss-sec/2022/q4/att-170/xsa423-linux.patch
https://xenbits.xenproject.org/xsa/advisory-423.txt
http://www.openwall.com/lists/oss-security/2022/12/07/2
Comment 1 Alex 2023-01-04 15:38:15 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2158199]
Comment 7 Product Security DevOps Team 2023-01-06 10:32:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3643
Comment 8 Justin M. Forbes 2023-01-18 14:56:00 UTC 
This was fixed for Fedora with the 6.0.13 stable kernel updates.