Bug 2186862 (CVE-2023-2008, ZDI-23-441, ZDI-CAN-17639)

Summary: CVE-2023-2008 kernel: udmabuf: improper validation of array index leading to local privilege escalation
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.19-rc4 Doc Type: ---
Doc Text:
A flaw was found in the Linux kernel's udmabuf device driver, within a fault handler. This issue occurs due to the lack of proper validation of user-supplied data, which can result in memory access past the end of an array. This may allow an attacker to escalate privileges and execute arbitrary code in the context of the kernel.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-06-06 21:29:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2186863, 2186864, 2186865    
Bug Blocks: 2186277    

Description Mauro Matteo Cascella 2023-04-14 16:41:11 UTC 
A flaw was found in udmabuf. udmabuf is a linux device driver for user space mappable DMA buffer. Quoting ZDI security advisory [1]:

"This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute high-privileged code on the target system in order to exploit this vulnerability.

The specific flaw exists within a fault handler. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an array. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the kernel."

[1] https://www.zerodayinitiative.com/advisories/ZDI-23-441/
Comment 4 Mauro Matteo Cascella 2023-04-14 17:10:38 UTC 
Upstream commit:
https://github.com/torvalds/linux/commit/05b252cccb2e5c3f56119d25de684b4f810ba4
Comment 5 Mauro Matteo Cascella 2023-04-14 17:15:23 UTC 
This issue was fixed upstream in version 5.19. The kernel packages as shipped in Red Hat Enterprise Linux 9 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:8267

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:7933
Comment 6 errata-xmlrpc 2023-06-06 08:45:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3470 https://access.redhat.com/errata/RHSA-2023:3470
Comment 7 errata-xmlrpc 2023-06-06 08:46:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3465 https://access.redhat.com/errata/RHSA-2023:3465
Comment 8 errata-xmlrpc 2023-06-06 13:37:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:3490 https://access.redhat.com/errata/RHSA-2023:3490
Comment 9 Product Security DevOps Team 2023-06-06 21:29:43 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-2008