Bug 2215768 (CVE-2023-35788) - CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()
Status: NEW
Alias: CVE-2023-35788
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
Duplicates: 2214024
Depends On: 2214027 2214029 2216967 2216968 2216979 2216981 2216982 2216983 2216984 2216987 2216988 2216989 2216990 2216991 2216992 2216993 2216994 2216995 2216996 2216997 2216998 2216999 2217000 2217002 2217003 2217004 2217005 2217006 2217007 2217008 2217009 2217010
Blocks: 2215767
Reported: 2023-06-18 14:41 UTC by ybuenos
Modified: 2023-10-31 05:47 UTC

Fixed In Version: kernel 6.4-rc5
Doc Text:
A flaw was found in the TC flower classifier (cls_flower) in the Networking subsystem of the Linux kernel. This issue occurs when sending two TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets with a total size of 252 bytes, which results in an out-of-bounds write when the third packet enters fl_set_geneve_opt, potentially leading to a denial of service or privilege escalation.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:4867 0 None None None 2023-08-29 22:23:55 UTC
Red Hat Product Errata RHBA-2023:4926 0 None None None 2023-08-31 15:18:08 UTC
Red Hat Product Errata RHBA-2023:5149 0 None None None 2023-09-14 05:20:40 UTC
Red Hat Product Errata RHBA-2023:5301 0 None None None 2023-09-19 18:56:18 UTC
Red Hat Product Errata RHBA-2023:5328 0 None None None 2023-09-21 11:17:34 UTC
Red Hat Product Errata RHBA-2023:5329 0 None None None 2023-09-21 12:27:48 UTC
Red Hat Product Errata RHBA-2023:5338 0 None None None 2023-09-25 01:13:40 UTC
Red Hat Product Errata RHBA-2023:5355 0 None None None 2023-09-26 10:24:51 UTC
Red Hat Product Errata RHSA-2023:4377 0 None None None 2023-08-01 09:17:33 UTC
Red Hat Product Errata RHSA-2023:4378 0 None None None 2023-08-01 08:59:28 UTC
Red Hat Product Errata RHSA-2023:4380 0 None None None 2023-08-01 09:12:43 UTC
Red Hat Product Errata RHSA-2023:4515 0 None None None 2023-08-08 07:22:33 UTC
Red Hat Product Errata RHSA-2023:4516 0 None None None 2023-08-08 07:22:25 UTC
Red Hat Product Errata RHSA-2023:4697 0 None None None 2023-08-22 14:04:35 UTC
Red Hat Product Errata RHSA-2023:4698 0 None None None 2023-08-22 14:04:51 UTC
Red Hat Product Errata RHSA-2023:4789 0 None None None 2023-08-29 08:44:12 UTC
Red Hat Product Errata RHSA-2023:4815 0 None None None 2023-08-29 09:22:59 UTC
Red Hat Product Errata RHSA-2023:4817 0 None None None 2023-08-29 09:21:44 UTC
Red Hat Product Errata RHSA-2023:4819 0 None None None 2023-08-29 09:29:38 UTC
Red Hat Product Errata RHSA-2023:4821 0 None None None 2023-08-29 09:22:23 UTC
Red Hat Product Errata RHSA-2023:4829 0 None None None 2023-08-29 09:23:55 UTC
Red Hat Product Errata RHSA-2023:4834 0 None None None 2023-08-29 09:30:05 UTC
Red Hat Product Errata RHSA-2023:4888 0 None None None 2023-08-30 22:01:05 UTC
Red Hat Product Errata RHSA-2023:4961 0 None None None 2023-09-05 08:58:47 UTC
Red Hat Product Errata RHSA-2023:4962 0 None None None 2023-09-05 09:06:36 UTC
Red Hat Product Errata RHSA-2023:4967 0 None None None 2023-09-05 09:06:51 UTC
Red Hat Product Errata RHSA-2023:5221 0 None None None 2023-09-19 08:00:19 UTC
Red Hat Product Errata RHSA-2023:5244 0 None None None 2023-09-19 14:35:17 UTC
Red Hat Product Errata RHSA-2023:5255 0 None None None 2023-09-19 14:02:22 UTC
Red Hat Product Errata RHSA-2023:5575 0 None None None 2023-10-10 10:13:36 UTC
Red Hat Product Errata RHSA-2023:5603 0 None None None 2023-10-10 15:25:05 UTC
Red Hat Product Errata RHSA-2023:5604 0 None None None 2023-10-10 15:33:12 UTC

Description ybuenos 2023-06-18 14:41:11 UTC
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Reference:
https://www.openwall.com/lists/oss-security/2023/06/07/1

Upstream fix:
https://github.com/torvalds/linux/commit/4d56304e5827c8cc8cc18c75343d283af7c4825c

Comment 3 Mauro Matteo Cascella 2023-06-23 13:53:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2216979]

Comment 10 Mauro Matteo Cascella 2023-06-26 10:28:10 UTC
*** Bug 2214024 has been marked as a duplicate of this bug. ***

Comment 13 Justin M. Forbes 2023-07-03 17:37:35 UTC
This was fixed for Fedora with the 6.3.7 stable kernel updates.

Comment 17 errata-xmlrpc 2023-08-01 08:59:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4378 https://access.redhat.com/errata/RHSA-2023:4378

Comment 18 errata-xmlrpc 2023-08-01 09:12:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4380 https://access.redhat.com/errata/RHSA-2023:4380

Comment 19 errata-xmlrpc 2023-08-01 09:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4377 https://access.redhat.com/errata/RHSA-2023:4377

Comment 21 errata-xmlrpc 2023-08-08 07:22:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4516 https://access.redhat.com/errata/RHSA-2023:4516

Comment 22 errata-xmlrpc 2023-08-08 07:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4515 https://access.redhat.com/errata/RHSA-2023:4515

Comment 23 errata-xmlrpc 2023-08-22 14:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2023:4697 https://access.redhat.com/errata/RHSA-2023:4697

Comment 24 errata-xmlrpc 2023-08-22 14:04:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2023:4698 https://access.redhat.com/errata/RHSA-2023:4698

Comment 25 errata-xmlrpc 2023-08-29 08:44:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4789 https://access.redhat.com/errata/RHSA-2023:4789

Comment 26 errata-xmlrpc 2023-08-29 09:21:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4817 https://access.redhat.com/errata/RHSA-2023:4817

Comment 27 errata-xmlrpc 2023-08-29 09:22:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4821 https://access.redhat.com/errata/RHSA-2023:4821

Comment 28 errata-xmlrpc 2023-08-29 09:22:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:4815 https://access.redhat.com/errata/RHSA-2023:4815

Comment 29 errata-xmlrpc 2023-08-29 09:23:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:4829 https://access.redhat.com/errata/RHSA-2023:4829

Comment 30 errata-xmlrpc 2023-08-29 09:29:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4819 https://access.redhat.com/errata/RHSA-2023:4819

Comment 31 errata-xmlrpc 2023-08-29 09:30:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:4834 https://access.redhat.com/errata/RHSA-2023:4834

Comment 32 errata-xmlrpc 2023-08-30 22:01:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:4888 https://access.redhat.com/errata/RHSA-2023:4888

Comment 33 errata-xmlrpc 2023-09-05 08:58:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4961 https://access.redhat.com/errata/RHSA-2023:4961

Comment 34 errata-xmlrpc 2023-09-05 09:06:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:4962 https://access.redhat.com/errata/RHSA-2023:4962

Comment 35 errata-xmlrpc 2023-09-05 09:06:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:4967 https://access.redhat.com/errata/RHSA-2023:4967

Comment 37 errata-xmlrpc 2023-09-19 08:00:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221

Comment 38 errata-xmlrpc 2023-09-19 14:02:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255

Comment 39 errata-xmlrpc 2023-09-19 14:35:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244

Comment 40 errata-xmlrpc 2023-10-10 10:13:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5575 https://access.redhat.com/errata/RHSA-2023:5575

Comment 41 errata-xmlrpc 2023-10-10 15:25:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5603 https://access.redhat.com/errata/RHSA-2023:5603

Comment 42 errata-xmlrpc 2023-10-10 15:33:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5604 https://access.redhat.com/errata/RHSA-2023:5604
