Bug 2215768 (CVE-2023-35788)

Summary: CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()
Product: [Other] Security Response Reporter: ybuenos
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jbenc, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, ldoskova, lgoncalv, lleshchi, lzampier, mleitner, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, sdubroca, shuali, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.4-rc5 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the TC flower classifier (cls_flower) in the Networking subsystem of the Linux kernel. This issue occurs when sending two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets with a total size of 252 bytes, which results in an out-of-bounds write when the third packet enters fl_set_geneve_opt, potentially leading to a denial of service or privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2214027, 2214029, 2216981, 2216982, 2216984, 2216987, 2216988, 2216989, 2216990, 2216992, 2216993, 2216994, 2216995, 2216996, 2216997, 2216998, 2217000, 2217002, 2217003, 2217005, 2217006, 2217007, 2217008, 2217009, 2216967, 2216968, 2216979, 2216983, 2216991, 2216999, 2217004, 2217010    
Bug Blocks: 2215767    

Description ybuenos 2023-06-18 14:41:11 UTC 
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Reference:
https://www.openwall.com/lists/oss-security/2023/06/07/1

Upstream fix:
https://github.com/torvalds/linux/commit/4d56304e5827c8cc8cc18c75343d283af7c4825c
Comment 3 Mauro Matteo Cascella 2023-06-23 13:53:20 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2216979]
Comment 10 Mauro Matteo Cascella 2023-06-26 10:28:10 UTC 
*** Bug 2214024 has been marked as a duplicate of this bug. ***
Comment 13 Justin M. Forbes 2023-07-03 17:37:35 UTC 
This was fixed for Fedora with the 6.3.7 stable kernel updates.
Comment 17 errata-xmlrpc 2023-08-01 08:59:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4378 https://access.redhat.com/errata/RHSA-2023:4378
Comment 18 errata-xmlrpc 2023-08-01 09:12:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4380 https://access.redhat.com/errata/RHSA-2023:4380
Comment 19 errata-xmlrpc 2023-08-01 09:17:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4377 https://access.redhat.com/errata/RHSA-2023:4377
Comment 21 errata-xmlrpc 2023-08-08 07:22:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4516 https://access.redhat.com/errata/RHSA-2023:4516
Comment 22 errata-xmlrpc 2023-08-08 07:22:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4515 https://access.redhat.com/errata/RHSA-2023:4515