Bug 2192671 (CVE-2023-31436) - CVE-2023-31436 kernel: out-of-bounds write in qfq_change_class function
Summary: CVE-2023-31436 kernel: out-of-bounds write in qfq_change_class function
Keywords:
Status: NEW
Alias: CVE-2023-31436
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
: 2226780 (view as bug list)
Depends On: 2192680 2192681 2192682 2192683 2192679
Blocks: 2225771 2192393
TreeView+ depends on / blocked
 
Reported: 2023-05-02 17:20 UTC by Alex
Modified: 2023-07-26 18:55 UTC (History)
45 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the Linux kernel’s traffic control (QoS) subsystem in how a user triggers the qfq_change_class function with an incorrect MTU value of the network device used as lmax. This flaw allows a local user to crash or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Alex 2023-05-02 17:20:06 UTC 
A flaw in the Linux Kernel found. A heap out-of-bounds read vulnerability in the Linux Kernel traffic control (QoS) subsystem can be exploited to achieve local privilege escalation. The qfq_change_class function does not properly limit the lmax variable which can lead to out-of-bounds read/write. If the TCA_QFQ_LMAX value is not offered through nlattr, lmax is determined by the MTU value of the network device. The MTU of the loopback device can be set up to 2^31-1 and as a result, it is possible to have an lmax value that exceeds QFQ_MIN_LMAX.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3037933448f60f9acb705997eae62013ecb81e0d
Comment 2 Alex 2023-05-02 17:25:27 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2192679]
Comment 4 Justin M. Forbes 2023-05-02 21:11:23 UTC 
This was fixed for Fedora with the 6.2.13 stable kernel updates.
Comment 7 Mauro Matteo Cascella 2023-07-26 18:55:57 UTC 
*** Bug 2226780 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.