Bug 2224048 (CVE-2023-3812)

Summary: CVE-2023-3812 kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, kyoshida, ldoskova, lgoncalv, lzampier, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.1-rc4 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the Linux kernel’s TUN/TAP device driver functionality in how a user generates a malicious (too big) networking packet when napi frags is enabled. This flaw allows a local user to crash or potentially escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2224054, 2224270, 2224271, 2224272, 2224273, 2224275, 2224276, 2224277, 2224278, 2224279, 2224280, 2224281, 2224282, 2224283, 2224284, 2224285, 2224286, 2224287, 2224288, 2224290, 2224291, 2224292, 2224293, 2224294, 2224295, 2224296    
Bug Blocks: 2223202    

Description Alex 2023-07-19 16:40:58 UTC 
A flaw in the Linux Kernel found. If napi frags enabled and patch 363a5328f4b0 ("net: tun: fix bugs for oversize packet when napi frags enabled") not applied, then when local user try to send too large IPV6 packet (with big packet length), it can lead to out of bounds memory bug.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=363a5328f4b0
Comment 2 Alex 2023-07-19 16:58:29 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2224054]
Comment 6 Justin M. Forbes 2023-08-07 21:05:07 UTC 
This was fixed for Fedora with the 6.0.8 stable kernel updates.
Comment 15 errata-xmlrpc 2023-11-08 08:39:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6799 https://access.redhat.com/errata/RHSA-2023:6799
Comment 16 errata-xmlrpc 2023-11-08 10:57:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6813 https://access.redhat.com/errata/RHSA-2023:6813
Comment 21 errata-xmlrpc 2023-11-21 10:25:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379
Comment 22 errata-xmlrpc 2023-11-21 11:12:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389
Comment 23 errata-xmlrpc 2023-11-21 11:15:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382
Comment 24 errata-xmlrpc 2023-11-21 11:24:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370
Comment 25 errata-xmlrpc 2023-11-21 12:24:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411
Comment 26 errata-xmlrpc 2023-11-21 14:48:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418
Comment 27 errata-xmlrpc 2023-11-28 15:11:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7548 https://access.redhat.com/errata/RHSA-2023:7548
Comment 28 errata-xmlrpc 2023-11-28 15:23:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7549 https://access.redhat.com/errata/RHSA-2023:7549
Comment 29 errata-xmlrpc 2023-11-28 17:53:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7554 https://access.redhat.com/errata/RHSA-2023:7554
Comment 31 errata-xmlrpc 2024-01-23 09:12:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0340 https://access.redhat.com/errata/RHSA-2024:0340
Comment 32 errata-xmlrpc 2024-01-23 17:28:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0378 https://access.redhat.com/errata/RHSA-2024:0378
Comment 33 errata-xmlrpc 2024-01-24 16:28:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0461 https://access.redhat.com/errata/RHSA-2024:0461
Comment 34 errata-xmlrpc 2024-01-24 16:44:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412
Comment 35 errata-xmlrpc 2024-01-30 00:33:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0554 https://access.redhat.com/errata/RHSA-2024:0554
Comment 36 errata-xmlrpc 2024-01-30 12:26:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563
Comment 37 errata-xmlrpc 2024-01-30 12:27:49 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562
Comment 38 errata-xmlrpc 2024-01-30 13:10:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0593 https://access.redhat.com/errata/RHSA-2024:0593
Comment 39 errata-xmlrpc 2024-01-30 13:21:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0575 https://access.redhat.com/errata/RHSA-2024:0575
Comment 43 errata-xmlrpc 2024-04-23 00:27:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1961 https://access.redhat.com/errata/RHSA-2024:1961
Comment 44 errata-xmlrpc 2024-04-23 16:28:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008
Comment 45 errata-xmlrpc 2024-04-23 16:39:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006