Bug 2253908 (CVE-2024-0646)

Summary: CVE-2024-0646 kernel: ktls overwrites readonly memory pages when using function splice with a ktls socket as destination
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jpoimboe, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mmilgram, mstowell, nmurray, ptalbert, rogbas, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, security-response-team, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 6.7-rc5 Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory write flaw was found in the Linux kernel’s Transport Layer Security functionality in how a user calls a function splice with a ktls socket as the destination. This flaw allows a local user to crash or potentially escalate their privileges on the system.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2259000    
Bug Blocks: 2253300    

Description Alex 2023-12-10 20:54:43 UTC 
A flaw in the Linux Kernel found. When splice() is called with a ktls socket as destination, the ktls code fails to update the internal "curr"/"copybreak" accounting that tracks which parts of the plaintext scatter-gather buffer (`struct sk_msg_sg`) are unused writable memory. This can cause subsequent writes to the socket to overwrite the contents of spliced pages, including pages from files to which the caller is not supposed to have write access.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5a595000e267
Comment 5 Alex 2024-01-17 14:59:48 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2258817]
Comment 8 Alex 2024-01-18 14:54:34 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2259000]
Comment 11 Justin M. Forbes 2024-01-23 21:41:07 UTC 
This was fixed for Fedora with the 6.6.7 stable kernel updates.
Comment 13 errata-xmlrpc 2024-02-07 16:22:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0725 https://access.redhat.com/errata/RHSA-2024:0725
Comment 14 errata-xmlrpc 2024-02-07 16:25:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0723 https://access.redhat.com/errata/RHSA-2024:0723
Comment 15 errata-xmlrpc 2024-02-07 16:30:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
Comment 17 errata-xmlrpc 2024-02-15 17:41:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0850 https://access.redhat.com/errata/RHSA-2024:0850
Comment 18 errata-xmlrpc 2024-02-15 17:45:41 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0851 https://access.redhat.com/errata/RHSA-2024:0851
Comment 19 errata-xmlrpc 2024-02-20 04:53:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0876 https://access.redhat.com/errata/RHSA-2024:0876
Comment 20 errata-xmlrpc 2024-02-20 12:28:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0881 https://access.redhat.com/errata/RHSA-2024:0881
Comment 21 errata-xmlrpc 2024-02-20 12:33:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0897 https://access.redhat.com/errata/RHSA-2024:0897
Comment 23 errata-xmlrpc 2024-03-12 00:42:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1251 https://access.redhat.com/errata/RHSA-2024:1251
Comment 24 errata-xmlrpc 2024-03-12 00:44:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250
Comment 25 errata-xmlrpc 2024-03-12 00:45:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248
Comment 26 errata-xmlrpc 2024-03-12 01:01:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1253 https://access.redhat.com/errata/RHSA-2024:1253
Comment 27 errata-xmlrpc 2024-03-12 11:44:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268
Comment 28 errata-xmlrpc 2024-03-12 11:45:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269
Comment 29 errata-xmlrpc 2024-03-12 15:00:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278
Comment 30 errata-xmlrpc 2024-03-13 09:08:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
Comment 31 errata-xmlrpc 2024-03-19 00:23:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1367 https://access.redhat.com/errata/RHSA-2024:1367
Comment 32 errata-xmlrpc 2024-03-19 00:23:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1368 https://access.redhat.com/errata/RHSA-2024:1368
Comment 33 Charmaine9x 2024-03-19 03:31:30 UTC Comment hidden (spam)
Comment 34 errata-xmlrpc 2024-03-19 14:37:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1377 https://access.redhat.com/errata/RHSA-2024:1377
Comment 35 errata-xmlrpc 2024-03-19 15:07:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1382 https://access.redhat.com/errata/RHSA-2024:1382
Comment 36 errata-xmlrpc 2024-03-19 17:27:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404