Bug 2211440 (CVE-2023-3022)

Summary: CVE-2023-3022 kernel: IPv6: panic in fib6_rule_suppress when fib6_rule_lookup fails
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.2-rc1 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IPv6 module of the Linux kernel. The arg.result was not used consistently in fib6_rule_lookup, sometimes holding rt6_info and other times fib6_info. This was not accounted for in other parts of the code where rt6_info was expected unconditionally, potentially leading to a kernel panic in fib6_rule_suppress.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2006441, 2167604, 2175952, 2211457, 2211461, 2211462, 2211463    
Bug Blocks: 2176407    

Description Alex 2023-05-31 16:21:34 UTC 
A flaw in the Linux Kernel found. If IPV6 being used in the way that some specific networking local rule enabled and both IPV6 being used, then it can lead to Kernel crash with the message "fib6_rule_suppress+0x22". It happens when receiving some networking packet to the local IPV6 address that matches this specific rule.

References:
https://github.com/torvalds/linux/commit/a65120bae4b7
https://bugzilla.redhat.com/show_bug.cgi?id=2175952
https://bugzilla.redhat.com/show_bug.cgi?id=2167604
https://bugzilla.redhat.com/show_bug.cgi?id=2140599#c13
Comment 1 Alex 2023-05-31 17:03:58 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2211457]
Comment 10 Justin M. Forbes 2023-06-05 12:28:50 UTC 
This was fixed for Fedora in the 5.2 stable kernel rebases.
Comment 12 Mauro Matteo Cascella 2023-06-19 09:13:13 UTC 
This issue was fixed upstream in version 5.2-rc1. The kernel packages as shipped in the following Red Hat products were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8.6 Extended Update Support
https://access.redhat.com/errata/RHSA-2023:1130

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2022:1975