Bug 2224048 (CVE-2023-3812) - CVE-2023-3812 kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags
Keywords:
Status: NEW
Alias: CVE-2023-3812
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2224270 2224271 2224272 2224273 2224275 2224276 2224277 2224278 2224279 2224280 2224281 2224282 2224284 2224285 2224286 2224287 2224288 2224290 2224291 2224292 2224293 2224294 2224295 2224296 2224054 2224283
Blocks: 2223202
Reported: 2023-07-19 16:40 UTC by Alex
Modified: 2023-08-07 21:05 UTC
CC List: 49 users

Fixed In Version: kernel 6.1-rc4
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds memory access flaw was found in the Linux kernel's TUN/TAP device driver functionality, triggered when a user generates a malicious (too big) networking packet while napi frags is enabled. This flaw allows a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Description Alex 2023-07-19 16:40:58 UTC
A flaw was found in the Linux kernel. If napi frags is enabled and patch 363a5328f4b0 ("net: tun: fix bugs for oversize packet when napi frags enabled") is not applied, then when a local user tries to send a too-large IPv6 packet (with a big packet length), it can lead to an out-of-bounds memory bug.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=363a5328f4b0

Comment 2 Alex 2023-07-19 16:58:29 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2224054]

Comment 6 Justin M. Forbes 2023-08-07 21:05:07 UTC
This was fixed for Fedora with the 6.0.8 stable kernel updates.
