Bug 2215768 (CVE-2023-35788) - CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()
Summary: CVE-2023-35788 kernel: cls_flower: out-of-bounds write in fl_set_geneve_opt()
Keywords:
Status: NEW
Alias: CVE-2023-35788
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Duplicates: 2214024
Depends On: 2214027 2214029 2216981 2216982 2216984 2216987 2216988 2216989 2216990 2216992 2216993 2216994 2216995 2216996 2216997 2216998 2217000 2217002 2217003 2217005 2217006 2217007 2217008 2217009 2216967 2216968 2216979 2216983 2216991 2216999 2217004 2217010
Blocks: 2215767
Reported: 2023-06-18 14:41 UTC by ybuenos
Modified: 2023-08-08 07:22 UTC (History)
CC List: 52 users

Fixed In Version: kernel 6.4-rc5
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the TC flower classifier (cls_flower) in the Networking subsystem of the Linux kernel. The classifier copies GENEVE tunnel options, supplied as TCA_FLOWER_KEY_ENC_OPTS_GENEVE netlink attributes (the upstream commit message calls them packets), into a fixed-size per-filter buffer. Sending two such attributes whose encoded options total 252 bytes, followed by a third one, makes fl_set_geneve_opt() write the third option past the end of that buffer, an out-of-bounds write that can lead to a denial of service or privilege escalation. Adding flower filters requires CAP_NET_ADMIN over the network namespace, so the trigger is local and, on systems that allow unprivileged user namespaces, reachable from an unprivileged account.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2023:4377  0        None      None    None     2023-08-01 09:17:33 UTC
Red Hat Product Errata  RHSA-2023:4378  0        None      None    None     2023-08-01 08:59:28 UTC
Red Hat Product Errata  RHSA-2023:4380  0        None      None    None     2023-08-01 09:12:43 UTC
Red Hat Product Errata  RHSA-2023:4515  0        None      None    None     2023-08-08 07:22:33 UTC
Red Hat Product Errata  RHSA-2023:4516  0        None      None    None     2023-08-08 07:22:25 UTC

Description ybuenos 2023-06-18 14:41:11 UTC
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation.

Reference:
https://www.openwall.com/lists/oss-security/2023/06/07/1

Upstream fix:
https://github.com/torvalds/linux/commit/4d56304e5827c8cc8cc18c75343d283af7c4825c
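
The write sequence described in the doc text and the upstream commit, as an added example that is not part of this bug report or of the kernel source: a C model of the classifier's fixed-size option buffer (a 255-byte array with a u8 length, an assumption about the kernel's flow_dissector_key_enc_opts layout rather than code from the page), showing why the pre-fix length check could never fire and how an up-front room check stops the third option. The struct and function names, the length validation and the three option sizes are constructed for illustration; the fixed variant applies the general form of the room check upstream added, not upstream's exact line.

```c
/* Added illustration of CVE-2023-35788, not kernel code: a model of the
 * flower classifier's encap-options buffer and the append logic before and
 * after the fix.  Sizes mirror the kernel's 255-byte data[] with a u8 len
 * (assumption about the layout); all names here are hypothetical. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPTS_MAX        255  /* bytes of option storage per filter key  */
#define GENEVE_HDR_LEN  4    /* size of the GENEVE option header        */
#define GENEVE_DATA_MAX 128  /* largest GENEVE option payload accepted  */

struct enc_opts {
	uint8_t data[OPTS_MAX];
	uint8_t len;             /* u8 in the kernel, so it wraps at 256 */
};

struct replay_result {
	int rc;                  /* return code of the last append call    */
	size_t oob_bytes;        /* bytes that would land past data[]      */
	unsigned final_len;      /* value of len when the replay stopped   */
};

/* Writes option_len bytes at offset len.  Instead of corrupting memory the
 * way the kernel did, only the in-bounds part is written and the number of
 * bytes that would have gone past the end of data[] is reported in *oob. */
static void write_option(struct enc_opts *o, int option_len, size_t *oob)
{
	size_t start = o->len;
	size_t avail = start < OPTS_MAX ? OPTS_MAX - start : 0;
	size_t in = (size_t)option_len < avail ? (size_t)option_len : avail;

	memset(&o->data[start], 0xff, in);   /* placeholder for header + data */
	*oob = (size_t)option_len - in;
}

/* Argument validation shared by both variants, modelled on the classifier's
 * own checks (assumption): payload is 4..128 bytes and a multiple of 4. */
static int valid_data_len(int data_len)
{
	return data_len >= 4 && data_len <= GENEVE_DATA_MAX && data_len % 4 == 0;
}

/* Pre-fix behaviour: the write happens first and the only size check is
 * applied afterwards to a u8 counter, which can never exceed 255. */
static int append_geneve_opt_vuln(struct enc_opts *o, int data_len, size_t *oob)
{
	int option_len = GENEVE_HDR_LEN + data_len;

	*oob = 0;
	if (!valid_data_len(data_len))
		return -EINVAL;
	write_option(o, option_len, oob);
	o->len += option_len;                /* 252 + 132 wraps to 128 */
	if ((int)o->len > OPTS_MAX)          /* dead check: the u8 already wrapped */
		return -EINVAL;
	return 0;
}

/* Hardened: decide whether the option fits before touching the buffer, in
 * int arithmetic so the u8 counter cannot wrap around the check.  General
 * form of the room check upstream added, not its exact line. */
static int append_geneve_opt_fixed(struct enc_opts *o, int data_len, size_t *oob)
{
	int option_len = GENEVE_HDR_LEN + data_len;

	*oob = 0;
	if (!valid_data_len(data_len))
		return -EINVAL;
	if ((int)o->len + option_len > OPTS_MAX)
		return -ERANGE;
	write_option(o, option_len, oob);
	o->len += option_len;
	return 0;
}

/* Replays the sequence from the report: two options whose encoded size
 * totals 252 bytes (128 + 124), then a third, largest-possible option. */
static struct replay_result replay(int (*append)(struct enc_opts *, int, size_t *))
{
	static const int data_lens[] = { 124, 120, 128 };  /* constructed input */
	struct enc_opts o;
	struct replay_result r = { 0, 0, 0 };
	size_t oob, i;

	memset(&o, 0, sizeof(o));
	for (i = 0; i < sizeof(data_lens) / sizeof(data_lens[0]); i++) {
		r.rc = append(&o, data_lens[i], &oob);
		r.oob_bytes += oob;
		if (r.rc)
			break;
	}
	r.final_len = o.len;
	return r;
}

int main(void)
{
	struct replay_result v = replay(append_geneve_opt_vuln);
	struct replay_result f = replay(append_geneve_opt_fixed);

	printf("pre-fix: rc=%d oob_bytes=%zu len=%u\n", v.rc, v.oob_bytes, v.final_len);
	printf("fixed  : rc=%d oob_bytes=%zu len=%u\n", f.rc, f.oob_bytes, f.final_len);
	return 0;
}
```

The first two options of 128 and 124 bytes bring len to 252; the third, 132-byte option overruns the 255-byte array by 129 bytes in the pre-fix path while the post-write u8 check still passes because the counter has wrapped to 128, whereas the hardened path refuses it with -ERANGE and leaves the buffer and the counter untouched.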

Comment 3 Mauro Matteo Cascella 2023-06-23 13:53:20 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2216979]

Comment 10 Mauro Matteo Cascella 2023-06-26 10:28:10 UTC
*** Bug 2214024 has been marked as a duplicate of this bug. ***

Comment 13 Justin M. Forbes 2023-07-03 17:37:35 UTC
This was fixed for Fedora with the 6.3.7 stable kernel updates.

Comment 17 errata-xmlrpc 2023-08-01 08:59:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4378 https://access.redhat.com/errata/RHSA-2023:4378

Comment 18 errata-xmlrpc 2023-08-01 09:12:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4380 https://access.redhat.com/errata/RHSA-2023:4380

Comment 19 errata-xmlrpc 2023-08-01 09:17:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4377 https://access.redhat.com/errata/RHSA-2023:4377

Comment 21 errata-xmlrpc 2023-08-08 07:22:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4516 https://access.redhat.com/errata/RHSA-2023:4516

Comment 22 errata-xmlrpc 2023-08-08 07:22:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:4515 https://access.redhat.com/errata/RHSA-2023:4515