2219268 – (CVE-2023-4459) CVE-2023-4459 kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup()

Bug 2219268 (CVE-2023-4459) - CVE-2023-4459 kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup()

Summary: CVE-2023-4459 kernel: vmxnet3: NULL pointer dereference in vmxnet3_rq_cleanup()

Keywords:
Status:	NEW
Alias:	CVE-2023-4459
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2219289 2219291 2233199 2233200
Blocks:	2219643
TreeView+	depends on / blocked

Reported:	2023-07-03 07:02 UTC by Dhananjay Arunesh
Modified:	2024-05-02 16:01 UTC (History)
CC List:	49 users (show)
Fixed In Version:	Kernel 5.18
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in the networking sub-component in vmxnet3 in the Linux Kernel. This issue may allow a local attacker with normal user privilege to cause a denial of service due to a missing sanity check during cleanup.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2024:1796	None	None	None	2024-04-11 21:12:07 UTC
Red Hat Product Errata	RHBA-2024:2065	None	None	None	2024-04-25 14:55:15 UTC
Red Hat Product Errata	RHBA-2024:2680	None	None	None	2024-05-02 16:01:35 UTC
Red Hat Product Errata	RHSA-2024:0412	None	None	None	2024-01-24 16:44:05 UTC
Red Hat Product Errata	RHSA-2024:1250	None	None	None	2024-03-12 00:43:37 UTC
Red Hat Product Errata	RHSA-2024:1306	None	None	None	2024-03-13 09:08:36 UTC
Red Hat Product Errata	RHSA-2024:1367	None	None	None	2024-03-19 00:22:30 UTC
Red Hat Product Errata	RHSA-2024:1382	None	None	None	2024-03-19 15:07:47 UTC
Red Hat Product Errata	RHSA-2024:2006	None	None	None	2024-04-23 16:40:02 UTC
Red Hat Product Errata	RHSA-2024:2008	None	None	None	2024-04-23 16:28:14 UTC

Description Dhananjay Arunesh 2023-07-03 07:02:51 UTC

A NULL pointer dereference flaw was found in vmxnet3_rq_cleanup in drivers/net/vmxnet3/vmxnet3_drv.c in networking sub-component in vmxnet3 in the Linux Kernel. In this flaw a local attacker with normal user privilege may lead to a denial of service problem due to a missing sanity check while cleanup.

In vmxnet3_rq_create(), when dma_alloc_coherent() fails, vmxnet3_rq_destroy() is called. It sets rq->rx_ring[i].base to NULL. Then vmxnet3_rq_create() returns an error to its callers mxnet3_rq_create_all() -> vmxnet3_change_mtu(). Then vmxnet3_change_mtu() calls vmxnet3_force_close() -> dev_close() in error handling code. And the driver calls vmxnet3_close() -> vmxnet3_quiesce_dev() -> vmxnet3_rq_cleanup_all() -> vmxnet3_rq_cleanup(). In vmxnet3_rq_cleanup(), rq->rx_ring[ring_idx].base is accessed, but this variable is NULL, causing a NULL pointer dereference.

References:
https://github.com/torvalds/linux/commit/edf410cb74dc612fd47ef5be319c5a0bcd6e6ccd

Comment 13 errata-xmlrpc 2024-01-24 16:44:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412

Comment 15 errata-xmlrpc 2024-03-12 00:43:33 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250

Comment 16 errata-xmlrpc 2024-03-13 09:08:31 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306

Comment 17 errata-xmlrpc 2024-03-19 00:22:27 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1367 https://access.redhat.com/errata/RHSA-2024:1367

Comment 18 errata-xmlrpc 2024-03-19 15:07:44 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1382 https://access.redhat.com/errata/RHSA-2024:1382

Comment 19 errata-xmlrpc 2024-04-23 16:28:10 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2008 https://access.redhat.com/errata/RHSA-2024:2008

Comment 20 errata-xmlrpc 2024-04-23 16:39:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:2006 https://access.redhat.com/errata/RHSA-2024:2006

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
bhu
chwhite
crwood
dbohanno
ddepaula
debarbos
dfreiber
dvlasenk
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jferlan
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
kernel-mgr
kyoshida
ldoskova
lgoncalv
lleshchi
lzampier
nmurray
ptalbert
qzhao
rkeshri
rogbas
rrobaina
rvrbovsk
rysulliv
scweaver
security-response-team
tglozar
tyberry
vkumar
walters
wcosta
williams
wmealing
ycote
ymankad