Bug 2235306 (CVE-2023-4244)

Summary: CVE-2023-4244 kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dfreiber, hkrzesin, jburrell, mmilgram, pdelbell, rogbas, security-response-team, vkumar
Target Milestone: ---
Keywords: Reopened, Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Kernel 6.5-rc6
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the nftables subsystem of the Linux kernel, caused by a race between set garbage collection (GC) and transaction processing. Because of a missing call to `nft_set_elem_mark_busy`, a set element can be deactivated twice. A local attacker could use this to crash the system and possibly to leak kernel information.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-09-07 18:02:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2235467
Bug Blocks: 2235312, 2265182

Description Rohit Keshri 2023-08-28 11:21:43 UTC
A use-after-free flaw was found in the nftables sub-component due to a race problem between set GC and transaction in the Linux Kernel. This flaw could allow a local attacker to crash the system, due to a missing call to `nft_set_elem_mark_busy` causing double deactivation of the element. This vulnerability could even lead to a kernel information leak problem.

Refer:
https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/
https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/
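
The description above leaves a responder with two practical questions: is the running kernel patched, and if not, can an unprivileged local user reach nf_tables at all? The POSIX shell helper below is an added example written for this page; it is not part of the bug report, of the upstream patches, or of any Red Hat tool. It checks the running kernel's RPM changelog for the CVE id (Red Hat kernel packages list fixed CVEs in their %changelog, so this works without knowing the fixed NVR; confirm the result against the RHSAs listed in the later comments), and it estimates exposure from `user.max_user_namespaces` plus modprobe.d blocking of nf_tables, because nftables operations need CAP_NET_ADMIN, which an unprivileged user obtains inside a user namespace. Whether nf_tables happens to be loaded is deliberately not used as a signal, since nfnetlink autoloads the subsystem module on first use. The /tmp paths, the sample changelog lines and the sysctl values are constructed for the example.

```sh
#!/bin/sh
# Added triage helper for CVE-2023-4244 on a RHEL-family host. Not part of
# the bug report, the upstream patches or any Red Hat tool; the /tmp paths,
# the sample changelog lines and the sysctl values are constructed.
#
# Two questions a responder wants answered quickly:
#   1. Does the running kernel's RPM changelog mention the CVE? Red Hat
#      kernel packages list fixed CVE ids in %changelog, so this is a cheap
#      "is it patched" check that needs no knowledge of the fixed NVR.
#   2. If not patched, can an unprivileged local user reach nf_tables?
#      nftables operations need CAP_NET_ADMIN, which an unprivileged user
#      obtains inside a user namespace, so exposure hinges on whether
#      unprivileged user namespaces are available and whether the module
#      is blocked. Whether nf_tables is loaded right now is not a useful
#      signal: nfnetlink autoloads the subsystem module on first use.
# Every function takes file paths so the logic can run offline on samples.

# cve_in_changelog CVE FILE  -> succeeds if FILE mentions CVE (case-insensitive)
cve_in_changelog() {
    grep -q -i -F -- "$1" "$2"
}

# sysctl_value KEY FILE  -> prints the value of KEY from a `sysctl -a` dump
sysctl_value() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" "$2" | head -n 1
}

# userns_available FILE  -> succeeds if user.max_user_namespaces > 0 in the dump
userns_available() {
    max=$(sysctl_value user.max_user_namespaces "$1")
    case "$max" in
        ''|*[!0-9]*) return 1 ;;     # missing or non-numeric: treat as unavailable
    esac
    [ "$max" -gt 0 ]
}

# module_blocked NAME FILE  -> succeeds if a modprobe.d-style FILE blocks NAME.
# "blacklist" stops alias-based autoload (the path nfnetlink uses);
# "install NAME /bin/false" stops loading entirely.
module_blocked() {
    grep -q -E "^[[:space:]]*(blacklist[[:space:]]+$1|install[[:space:]]+$1[[:space:]]+/bin/false)([[:space:]]|\$)" "$2"
}

# triage CVE CHANGELOG SYSCTL MODPROBE  -> prints one verdict:
#   fixed      the changelog mentions the CVE
#   exposed    unpatched and reachable by an unprivileged local user
#   mitigated  unpatched, but unprivileged users cannot reach nf_tables
triage() {
    if cve_in_changelog "$1" "$2"; then
        echo fixed
    elif userns_available "$3" && ! module_blocked nf_tables "$4"; then
        echo exposed
    else
        echo mitigated
    fi
}

# demo  -> runs triage on constructed samples; prints "exposed fixed"
demo() {
    d=$(mktemp -d)
    # constructed changelog excerpts, not real Red Hat changelog entries
    printf '%s\n' '* Mon Jan 01 2024 Example <ex@example.com> [5.14.0-1.el9]' \
                  '- netfilter: unrelated change' > "$d/old.changelog"
    printf '%s\n' '* Mon Feb 05 2024 Example <ex@example.com> [5.14.0-2.el9]' \
                  '- netfilter: nf_tables: fix set GC vs transaction race (CVE-2023-4244)' > "$d/new.changelog"
    printf '%s\n' 'user.max_user_namespaces = 31024' 'kernel.yama.ptrace_scope = 0' > "$d/sysctl.dump"
    : > "$d/modprobe.conf"      # nothing blocked
    a=$(triage CVE-2023-4244 "$d/old.changelog" "$d/sysctl.dump" "$d/modprobe.conf")
    b=$(triage CVE-2023-4244 "$d/new.changelog" "$d/sysctl.dump" "$d/modprobe.conf")
    rm -rf "$d"
    echo "$a $b"
}

# Live use on a RHEL 8/9 host (on RHEL 7 the package is kernel-$(uname -r)):
#   rpm -q --changelog "kernel-core-$(uname -r)" > /tmp/kernel.changelog
#   sysctl -a 2>/dev/null > /tmp/sysctl.dump
#   cat /etc/modprobe.d/*.conf > /tmp/modprobe.conf 2>/dev/null
#   triage CVE-2023-4244 /tmp/kernel.changelog /tmp/sysctl.dump /tmp/modprobe.conf
```

`triage` only prints its verdict, so it drops into a `case "$(triage ...)" in exposed) ...` block in a fleet check. Querying the changelog of `kernel-core-$(uname -r)` rather than of the newest installed kernel matters: a host that has the errata installed but has not rebooted is still running the vulnerable kernel, and the installed-package view hides that.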

Comment 4 Rohit Keshri 2023-08-28 18:52:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2235467]

Comment 5 Rohit Keshri 2023-09-07 18:02:54 UTC

*** This bug has been marked as a duplicate of bug 2237755 ***

Comment 14 errata-xmlrpc 2024-02-28 12:34:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 15 errata-xmlrpc 2024-02-28 12:41:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 16 Alex 2024-02-28 17:29:24 UTC
*** Bug 2265184 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2024-03-12 00:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248

Comment 19 errata-xmlrpc 2024-05-22 09:14:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 20 errata-xmlrpc 2024-05-22 09:52:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

Comment 21 errata-xmlrpc 2024-05-28 14:05:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

Comment 22 errata-xmlrpc 2024-05-28 14:07:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421