Bug 2225511 (CVE-2023-4128)

Summary: CVE-2023-4128 Kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, dcaratti, ddepaula, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jferlan, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, kernel-mgr, kpatch-maint-bot, ldoskova, lgoncalv, lleshchi, lzampier, mcascell, nmurray, ptalbert, qzhao, rhandlin, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, swood, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote, ymankad
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Kernel 6.5-rc5 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel. This flaw allows a local attacker to perform a local privilege escalation due to incorrect handling of the existing filter, leading to a kernel information leak issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2225512, 2225513, 2228700, 2228701, 2228702, 2228703, 2228704, 2228705, 2228706, 2228708, 2228709, 2228710, 2228711, 2228712, 2228713, 2228714, 2228715, 2228716, 2228717, 2228718, 2228719, 2228720, 2228722, 2228723, 2228724, 2228725, 2228726, 2228727, 2228728, 2228729, 2228730, 2228731, 2228732, 2230905    
Bug Blocks: 2225284    

Description Alex 2023-07-25 12:37:47 UTC 
A flaw in the Linux Kernel found. Use after free in the net/sched classifiers (cls_fw, cls_u32 and cls_route) can happen because of mainline/net/sched/cls_fw.c incorrect handling of the existing filter in .change method that leads to an extra unbind_tcf call for the associated class and that allows that class to be removed while it's still used. These bugs can be used for a local privilege escalation.

Upstream patch:
https://lore.kernel.org/netdev/193d6cdf-d6c9-f9be-c36a-b2a7551d5fb6@mojatatu.com/
Comment 2 Alex 2023-07-25 12:39:54 UTC 
*** Bug 2225499 has been marked as a duplicate of this bug. ***
Comment 10 Rohit Keshri 2023-08-10 08:58:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2230905]