Bug 2218672 (CVE-2023-3090)

Summary: CVE-2023-3090 kernel: ipvlan: out-of-bounds write caused by unclear skb->cb
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, swood, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.4-rc2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IPVLAN network driver in the Linux kernel. This issue is caused by missing skb->cb initialization in `__ip_options_echo` and can lead to an out-of-bounds write stack overflow. This may allow a local user to cause a denial of service or potentially achieve local privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2218676, 2218677, 2219657, 2219658, 2219659, 2219660, 2219661, 2219664, 2219665, 2219666, 2219667, 2219668, 2219669, 2219671, 2219674, 2219675, 2219676, 2219677, 2219678, 2218673, 2219656, 2219662, 2219670, 2219673, 2219679    
Bug Blocks: 2218674    

Description Guilherme de Almeida Suckevicz 2023-06-29 19:34:24 UTC 
A heap out-of-bounds write vulnerability in the Linux Kernel ipvlan network driver can be exploited to achieve local privilege escalation. The out-of-bounds write is caused by missing skb->cb  initialization in the ipvlan network driver. The vulnerability is reachable if CONFIG_IPVLAN is enabled. We recommend upgrading past commit 90cbed5247439a966b645b34eb0a2e037836ea8e.

References:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=90cbed5247439a966b645b34eb0a2e037836ea8e
https://kernel.dance/90cbed5247439a966b645b34eb0a2e037836ea8e
Comment 1 Guilherme de Almeida Suckevicz 2023-06-29 19:34:50 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2218673]
Comment 4 Justin M. Forbes 2023-07-03 17:57:55 UTC 
This was fixed for Fedora with the 6.3.4 stable kernel updates.
Comment 12 errata-xmlrpc 2023-08-01 08:59:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4378 https://access.redhat.com/errata/RHSA-2023:4378
Comment 13 errata-xmlrpc 2023-08-01 09:12:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4380 https://access.redhat.com/errata/RHSA-2023:4380
Comment 14 errata-xmlrpc 2023-08-01 09:17:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4377 https://access.redhat.com/errata/RHSA-2023:4377
Comment 15 errata-xmlrpc 2023-08-08 07:22:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4516 https://access.redhat.com/errata/RHSA-2023:4516
Comment 16 errata-xmlrpc 2023-08-08 07:22:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4515 https://access.redhat.com/errata/RHSA-2023:4515