Bug 2237901

Summary: kernel: net/sched: A use-after-free vulnerability in the Linux kernel's cls_fw component that can be exploited to achieve local privilege escalation.
Product: [Other] Security Response Reporter: juneau
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: CLOSED DUPLICATE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, dbohanno, debarbos, dfreiber, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lleshchi, lzampier, nmurray, ptalbert, rogbas, rrobaina, rvrbovsk, rysulliv, scweaver, tglozar, tyberry, vkumar, walters, wcosta, williams, wmealing, ycote
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel's net/sched: cls_fw component that can be exploited to achieve local privilege escalation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-10-25 12:19:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2238209    
Bug Blocks: 2237759    

Description juneau 2023-09-07 15:40:07 UTC 
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76e42ae831991c828cffa8c37736ebfb831ad5ec
https://kernel.dance/76e42ae831991c828cffa8c37736ebfb831ad5ec
Comment 1 Alex 2023-09-10 08:26:24 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2238209]
Comment 3 Justin M. Forbes 2023-09-13 11:51:57 UTC 
This was fixed for Fedora with the 6.4.10 stable kernel updates.
Comment 9 Alex 2023-10-25 12:19:56 UTC 

*** This bug has been marked as a duplicate of bug 2225511 ***