Bug 2239843 (CVE-2023-42753)
| Summary: | CVE-2023-42753 kernel: netfilter: potential slab-out-of-bound access due to integer underflow | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Patrick Del Bello <pdelbell> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | acaringi, allarkin, bhu, chwhite, dbohanno, debarbos, dfreiber, dvlasenk, ezulian, fwestpha, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mcascell, nmurray, ptalbert, rogbas, rrobaina, rvrbovsk, scweaver, security-response-team, tglozar, trathi, vkumar, wcosta, williams, wmealing, ycote |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | kernel 6.6-rc1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2240602 | ||
| Bug Blocks: | 2238729 | ||
|
Description
Patrick Del Bello
2023-09-20 13:50:47 UTC
Upstream fix: https://github.com/torvalds/linux/commit/050d91c03b28ca479df13dfb02bcd2c60dd6a878 Reference: https://www.openwall.com/lists/oss-security/2023/09/22/10 *** Bug 2240527 has been marked as a duplicate of this bug. *** Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2240602] This was fixed for Fedora with the 6.5.3 stable kernel updates. This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7558 https://access.redhat.com/errata/RHSA-2023:7558 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0089 https://access.redhat.com/errata/RHSA-2024:0089 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0113 https://access.redhat.com/errata/RHSA-2024:0113 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0134 https://access.redhat.com/errata/RHSA-2024:0134 RHEL7.6 is not affected, it does not support /0 netmasks:
$ ipset create test hash:net,port,net
$ ipset add test 0.0.0.0/0,42,192.168.0.1
ipset v6.38: The value of the CIDR parameter of the IP address is invalid
The commit that supports this, 886503f34d63 ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net"), was added to 7.7, I don't see it backported to 7.6.z branch. This still checks attribute value via:
if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
....
so /0 gets rejected.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0340 https://access.redhat.com/errata/RHSA-2024:0340 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:0346 https://access.redhat.com/errata/RHSA-2024:0346 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:0347 https://access.redhat.com/errata/RHSA-2024:0347 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2024:0376 https://access.redhat.com/errata/RHSA-2024:0376 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2024:0371 https://access.redhat.com/errata/RHSA-2024:0371 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0378 https://access.redhat.com/errata/RHSA-2024:0378 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:0402 https://access.redhat.com/errata/RHSA-2024:0402 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:0403 https://access.redhat.com/errata/RHSA-2024:0403 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0461 https://access.redhat.com/errata/RHSA-2024:0461 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:0593 https://access.redhat.com/errata/RHSA-2024:0593 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Via RHSA-2024:0999 https://access.redhat.com/errata/RHSA-2024:0999 |