Bug 2218605

Summary: kernel: use-after-free vulnerability under netfilter because of incorrect error path handling with NFT_MSG_NEWRULE
Product: [Other] Security Response
Reporter: Patrick Del Bello <pdelbell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Keywords: Security
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c in the Netfilter subsystem. This flaw allows a local user to cause an out-of-bounds read issue.
Last Closed: 2023-07-06 09:08:16 UTC
Bug Depends On: 2213271, 2214035, 2214963, 2214964, 2218636, 2218637, 2219131, 2219132, 2219133
Bug Blocks: 2218602

Description Patrick Del Bello 2023-06-29 15:34:36 UTC
A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.

Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction, causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause an out-of-bounds read issue.

We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

References:
https://kernel.dance/1240eb93f0616b21c675416516ff3d74798fdc97
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1240eb93f0616b21c675416516ff3d74798fdc97

Comment 4 Alex 2023-07-02 11:36:54 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2219131]

Comment 6 Justin M. Forbes 2023-07-03 18:02:13 UTC
This was fixed for Fedora with the 6.3.9 stable kernel updates.

Comment 7 Phil Sutter 2023-07-05 13:15:29 UTC
I think we can treat this as a duplicate of CVE-2023-3117; the suggested fix is the same.

Comment 8 Alex 2023-07-06 09:08:16 UTC
Thank you. Closing this one as a duplicate of flaw 2213260,
so CVE-2023-3390 is a duplicate of CVE-2023-3117 (keeping only the original CVE-2023-3117).

*** This bug has been marked as a duplicate of bug 2213260 ***