Bug 2237894

Summary: kernel:A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel's net/sched: cls_route component that can be exploited to achieve local privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-25 12:01:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2238210    
Bug Blocks: 2237759    

Description Alex 2023-09-07 15:02:41 UTC 
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8
https://kernel.dance/b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8
Comment 2 Alex 2023-09-10 08:26:49 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2238210]
Comment 3 Justin M. Forbes 2023-09-13 11:54:05 UTC 
This was fixed for Fedora with the 6.4.10 stable kernel updates.
Comment 7 Alex 2023-10-25 12:01:45 UTC 
As found in
https://issues.redhat.com/browse/RHEL-2802
, this one is duplicate of the flaw 2225511 (that is CVE-2023-4128).

*** This bug has been marked as a duplicate of bug 2225511 ***