Bug 2214024

Summary: kernel: in net/sched Kernel Flower classifier possible OOB write in fl_set_geneve_opt
Product: [Other] Security Response
Reporter: Alex <allarkin>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, mleitner, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Keywords: Security
Hardware: All
OS: Linux
Last Closed: 2023-06-26 10:28:10 UTC
Bug Depends On: 2214025, 2214028, 2214030    
Bug Blocks: 2213076    

Description Alex 2023-06-11 07:43:43 UTC
A flaw was found in the Linux kernel Flower classifier. If a local user creates some specific rules for the networking packet classifier and a few malicious packets are then received, it can lead to a kernel crash and potential privilege escalation.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/net/sched?id=4d56304e5827c8cc8cc18c75343d283af7c4825c

Comment 1 Alex 2023-06-11 07:44:03 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2214025]

Comment 5 Justin M. Forbes 2023-06-12 12:59:42 UTC
This was fixed for Fedora with the 6.3.7 stable kernel update.

Comment 9 Marcelo Ricardo Leitner 2023-06-23 22:19:57 UTC
(In reply to Alex from comment #0)
> A flaw was found in the Linux kernel Flower classifier. If a local user
> creates some specific rules for the networking packet classifier and a few
> malicious packets are then received, it can lead to a kernel crash and
> potential privilege escalation.

I get the point that the system may be configured in a vulnerable state without the user knowing it, but I wonder how this can lead to privilege escalation in this situation.

Comment 10 Mauro Matteo Cascella 2023-06-26 10:28:10 UTC

*** This bug has been marked as a duplicate of bug 2215768 ***