Bug 2182888 (CVE-2022-42432, ZDI-22-1457, ZDI-CAN-18540)

Summary: CVE-2022-42432 kernel: netfilter: nfnetlink_osf: uninitialized variable information disclosure vulnerability
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW ---
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, ravpatil, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 6.0-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the nft_osf_eval function in the netfilter subsystem of the Linux kernel. This issue results from the lack of proper initialization of memory prior to accessing it, and could allow a local privileged user to leak stale kernel stack data to userspace.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2061574, 2121393, 2213465, 2213466
Bug Blocks: 2182889

Description Pedro Sampaio 2023-03-29 21:19:09 UTC
nf_osf_find() incorrectly returns true on mismatch, which leads to
copying an uninitialized memory area in nft_osf that can be used to leak
stale kernel stack data to userspace.

References:

https://patchwork.ozlabs.org/project/netfilter-devel/patch/20220907082618.1193201-1-pablo@netfilter.org/

Comment 3 Mauro Matteo Cascella 2023-06-06 19:25:08 UTC
Upstream commit:
https://github.com/torvalds/linux/commit/559c36c5a8d730c49ef805a72b213d3bba155cc8

Comment 6 Mauro Matteo Cascella 2023-06-08 08:31:34 UTC
This issue was fixed upstream in version 6.0. The kernel packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:8267

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:7933