Bug 2225511 (CVE-2023-4206, CVE-2023-4207, CVE-2023-4208)

Summary: CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, crwood, dbohanno, dcaratti, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, juneau, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, ldoskova, lgoncalv, lzampier, mcascell, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, scweaver, security-response-team, tglozar, vkumar, walters, wcosta, williams, wmealing, ycote, ylin, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 6.5-rc5 Doc Type: If docs needed, set a value
Doc Text:
There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system. Similar CVE-2023-4128 was rejected as a duplicate.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2225512, 2225513, 2228700, 2228701, 2228702, 2228703, 2228704, 2228705, 2228706, 2228708, 2228709, 2228710, 2228711, 2228712, 2228713, 2228714, 2228715, 2228716, 2228717, 2228718, 2228719, 2228720, 2228722, 2228723, 2228724, 2228725, 2228726, 2228727, 2228728, 2228729, 2228730, 2228731, 2228732, 2230905    
Bug Blocks: 2225284, 2237759    

Description Alex 2023-07-25 12:37:47 UTC 
A flaw in the Linux Kernel found. Use after free in the net/sched classifiers (cls_fw, cls_u32 and cls_route) can happen because of mainline/net/sched/cls_fw.c incorrect handling of the existing filter in .change method that leads to an extra unbind_tcf call for the associated class and that allows that class to be removed while it's still used. These bugs can be used for a local privilege escalation.

Upstream patch:
https://lore.kernel.org/netdev/193d6cdf-d6c9-f9be-c36a-b2a7551d5fb6@mojatatu.com/
Comment 2 Alex 2023-07-25 12:39:54 UTC 
*** Bug 2225499 has been marked as a duplicate of this bug. ***
Comment 10 Rohit Keshri 2023-08-10 08:58:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2230905]
Comment 12 errata-xmlrpc 2023-09-19 12:37:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5238 https://access.redhat.com/errata/RHSA-2023:5238
Comment 13 errata-xmlrpc 2023-09-19 12:39:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5235 https://access.redhat.com/errata/RHSA-2023:5235
Comment 15 errata-xmlrpc 2023-10-10 09:40:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5548 https://access.redhat.com/errata/RHSA-2023:5548
Comment 16 errata-xmlrpc 2023-10-10 10:13:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5575 https://access.redhat.com/errata/RHSA-2023:5575
Comment 17 errata-xmlrpc 2023-10-10 10:21:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:5580 https://access.redhat.com/errata/RHSA-2023:5580
Comment 18 errata-xmlrpc 2023-10-10 14:07:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5588 https://access.redhat.com/errata/RHSA-2023:5588
Comment 19 errata-xmlrpc 2023-10-10 14:12:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5589 https://access.redhat.com/errata/RHSA-2023:5589
Comment 20 errata-xmlrpc 2023-10-10 15:25:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5603 https://access.redhat.com/errata/RHSA-2023:5603
Comment 21 errata-xmlrpc 2023-10-10 15:33:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5604 https://access.redhat.com/errata/RHSA-2023:5604
Comment 22 errata-xmlrpc 2023-10-10 16:24:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5628 https://access.redhat.com/errata/RHSA-2023:5628
Comment 23 errata-xmlrpc 2023-10-10 16:26:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627
Comment 25 errata-xmlrpc 2023-10-17 09:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:5775 https://access.redhat.com/errata/RHSA-2023:5775
Comment 26 errata-xmlrpc 2023-10-17 15:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5794 https://access.redhat.com/errata/RHSA-2023:5794
Comment 27 Alex 2023-10-25 12:01:45 UTC 
*** Bug 2237894 has been marked as a duplicate of this bug. ***
Comment 28 Alex 2023-10-25 12:19:56 UTC 
*** Bug 2237901 has been marked as a duplicate of this bug. ***
Comment 30 Alex 2023-11-05 09:53:48 UTC 
This CVE-2023-4128 is the same as next 3 CVEs (so for the CVE-2023-4128 all these 3 merged together):
CVE-2023-4206
CVE-2023-4207
CVE-2023-4208
, because CVE-2023-4128 assigned by Red Hat and CVE-2023-420{6,7,8} assigned by Google (simultaneously).

The patches behind these CVEs are:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76e42ae831991c828cffa8c37736ebfb831ad5ec
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8
Comment 31 Alex 2023-11-05 10:23:43 UTC 
*** Bug 2237902 has been marked as a duplicate of this bug. ***
Comment 32 errata-xmlrpc 2023-11-07 08:20:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
Comment 36 errata-xmlrpc 2023-11-14 15:15:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
Comment 37 errata-xmlrpc 2023-11-14 15:21:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077
Comment 38 errata-xmlrpc 2023-11-21 10:25:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379
Comment 39 errata-xmlrpc 2023-11-21 11:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370
Comment 40 errata-xmlrpc 2023-11-21 14:48:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418
Comment 41 errata-xmlrpc 2023-11-21 15:08:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7424 https://access.redhat.com/errata/RHSA-2023:7424
Comment 42 errata-xmlrpc 2023-11-21 15:27:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7419 https://access.redhat.com/errata/RHSA-2023:7419
Comment 43 errata-xmlrpc 2023-11-21 15:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7423 https://access.redhat.com/errata/RHSA-2023:7423
Comment 44 errata-xmlrpc 2023-11-28 15:35:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539
Comment 45 errata-xmlrpc 2023-11-28 18:49:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7558 https://access.redhat.com/errata/RHSA-2023:7558
Comment 46 errata-xmlrpc 2024-01-16 15:52:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2024:0261 https://access.redhat.com/errata/RHSA-2024:0261
Comment 47 errata-xmlrpc 2024-01-16 15:54:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:0262 https://access.redhat.com/errata/RHSA-2024:0262
Comment 48 Alex 2024-01-31 15:33:10 UTC 
*** Bug 2261965 has been marked as a duplicate of this bug. ***