Bug 2225097 (CVE-2023-3776) - CVE-2023-3776 kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function
Summary: CVE-2023-3776 kernel: net/sched: cls_fw component can be exploited as result ...
Keywords:
Status: NEW
Alias: CVE-2023-3776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2225102 2225103 2225636 2225637 2225638 2225639 2225640 2225641 2225642 2225643 2225644 2225645 2225646 2225647 2225648 2225649 2225650 2225651 2225652 2225653 2225654 2225655 2225656 2225657 2225658 2225659 2225660 2225661 2225662 2225663 2225664 2225665 2226640
Blocks: 2225092
TreeView+ depends on / blocked
 
Reported: 2023-07-24 10:19 UTC by Alex
Modified: 2024-04-16 00:20 UTC (History)
50 users (show)

Fixed In Version: Kernel 6.5-rc2
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in fw_set_parms in net/sched/cls_fw.c in network scheduler sub-component in the Linux Kernel. This issue occurs due to a missing sanity check during cleanup at the time of failure, leading to a misleading reference. This may allow a local attacker to gain local privilege escalation.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5162 0 None None None 2023-09-14 08:11:47 UTC
Red Hat Product Errata RHBA-2023:5301 0 None None None 2023-09-19 18:56:23 UTC
Red Hat Product Errata RHBA-2023:5328 0 None None None 2023-09-21 11:17:38 UTC
Red Hat Product Errata RHBA-2023:5329 0 None None None 2023-09-21 12:27:52 UTC
Red Hat Product Errata RHBA-2023:5338 0 None None None 2023-09-25 01:13:44 UTC
Red Hat Product Errata RHBA-2023:5355 0 None None None 2023-09-26 10:24:56 UTC
Red Hat Product Errata RHBA-2023:6037 0 None None None 2023-10-23 16:18:16 UTC
Red Hat Product Errata RHBA-2023:7490 0 None None None 2023-11-27 01:08:42 UTC
Red Hat Product Errata RHBA-2023:7496 0 None None None 2023-11-27 14:41:34 UTC
Red Hat Product Errata RHSA-2023:5069 0 None None None 2023-09-12 10:14:16 UTC
Red Hat Product Errata RHSA-2023:5091 0 None None None 2023-09-12 09:50:56 UTC
Red Hat Product Errata RHSA-2023:5093 0 None None None 2023-09-12 09:52:20 UTC
Red Hat Product Errata RHSA-2023:5221 0 None None None 2023-09-19 08:00:21 UTC
Red Hat Product Errata RHSA-2023:5244 0 None None None 2023-09-19 14:35:25 UTC
Red Hat Product Errata RHSA-2023:5255 0 None None None 2023-09-19 14:02:28 UTC
Red Hat Product Errata RHSA-2023:5628 0 None None None 2023-10-10 16:24:13 UTC
Red Hat Product Errata RHSA-2023:5775 0 None None None 2023-10-17 09:24:59 UTC
Red Hat Product Errata RHSA-2023:5794 0 None None None 2023-10-17 15:06:53 UTC
Red Hat Product Errata RHSA-2023:6799 0 None None None 2023-11-08 08:39:55 UTC
Red Hat Product Errata RHSA-2023:6813 0 None None None 2023-11-08 10:57:19 UTC
Red Hat Product Errata RHSA-2023:7294 0 None None None 2023-11-15 19:39:29 UTC
Red Hat Product Errata RHSA-2023:7382 0 None None None 2023-11-21 11:15:59 UTC
Red Hat Product Errata RHSA-2023:7389 0 None None None 2023-11-21 11:12:23 UTC
Red Hat Product Errata RHSA-2023:7398 0 None None None 2023-11-21 11:42:08 UTC
Red Hat Product Errata RHSA-2023:7410 0 None None None 2023-11-21 11:42:33 UTC
Red Hat Product Errata RHSA-2023:7411 0 None None None 2023-11-21 12:24:30 UTC
Red Hat Product Errata RHSA-2023:7417 0 None None None 2023-11-21 14:43:41 UTC
Red Hat Product Errata RHSA-2023:7419 0 None None None 2023-11-21 15:27:00 UTC
Red Hat Product Errata RHSA-2023:7423 0 None None None 2023-11-21 15:37:31 UTC
Red Hat Product Errata RHSA-2023:7424 0 None None None 2023-11-21 15:08:18 UTC
Red Hat Product Errata RHSA-2023:7431 0 None None None 2023-11-21 15:26:25 UTC
Red Hat Product Errata RHSA-2023:7434 0 None None None 2023-11-21 15:32:01 UTC
Red Hat Product Errata RHSA-2024:0262 0 None None None 2024-01-16 15:54:02 UTC
Red Hat Product Errata RHSA-2024:1831 0 None None None 2024-04-16 00:20:41 UTC

Description Alex 2023-07-24 10:19:36 UTC 
A flaw in the Linux Kernel found. A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f
Comment 11 errata-xmlrpc 2023-09-12 09:50:53 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5091 https://access.redhat.com/errata/RHSA-2023:5091
Comment 12 errata-xmlrpc 2023-09-12 09:52:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5093 https://access.redhat.com/errata/RHSA-2023:5093
Comment 13 errata-xmlrpc 2023-09-12 10:14:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5069 https://access.redhat.com/errata/RHSA-2023:5069
Comment 14 errata-xmlrpc 2023-09-19 08:00:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5221 https://access.redhat.com/errata/RHSA-2023:5221
Comment 15 errata-xmlrpc 2023-09-19 14:02:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5255 https://access.redhat.com/errata/RHSA-2023:5255
Comment 16 errata-xmlrpc 2023-09-19 14:35:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5244 https://access.redhat.com/errata/RHSA-2023:5244
Comment 17 errata-xmlrpc 2023-10-10 16:24:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5628 https://access.redhat.com/errata/RHSA-2023:5628
Comment 18 errata-xmlrpc 2023-10-17 09:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:5775 https://access.redhat.com/errata/RHSA-2023:5775
Comment 19 errata-xmlrpc 2023-10-17 15:06:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5794 https://access.redhat.com/errata/RHSA-2023:5794
Comment 20 errata-xmlrpc 2023-11-08 08:39:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6799 https://access.redhat.com/errata/RHSA-2023:6799
Comment 21 errata-xmlrpc 2023-11-08 10:57:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:6813 https://access.redhat.com/errata/RHSA-2023:6813
Comment 22 errata-xmlrpc 2023-11-15 19:39:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2023:7294 https://access.redhat.com/errata/RHSA-2023:7294
Comment 23 errata-xmlrpc 2023-11-21 11:12:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389
Comment 24 errata-xmlrpc 2023-11-21 11:15:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382
Comment 25 errata-xmlrpc 2023-11-21 11:42:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7398 https://access.redhat.com/errata/RHSA-2023:7398
Comment 26 errata-xmlrpc 2023-11-21 11:42:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7410 https://access.redhat.com/errata/RHSA-2023:7410
Comment 27 errata-xmlrpc 2023-11-21 12:24:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411
Comment 28 errata-xmlrpc 2023-11-21 14:43:37 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:7417 https://access.redhat.com/errata/RHSA-2023:7417
Comment 29 errata-xmlrpc 2023-11-21 15:08:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7424 https://access.redhat.com/errata/RHSA-2023:7424
Comment 30 errata-xmlrpc 2023-11-21 15:26:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7431 https://access.redhat.com/errata/RHSA-2023:7431
Comment 31 errata-xmlrpc 2023-11-21 15:26:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7419 https://access.redhat.com/errata/RHSA-2023:7419
Comment 32 errata-xmlrpc 2023-11-21 15:31:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7434 https://access.redhat.com/errata/RHSA-2023:7434
Comment 33 errata-xmlrpc 2023-11-21 15:37:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7423 https://access.redhat.com/errata/RHSA-2023:7423
Comment 35 errata-xmlrpc 2024-01-16 15:53:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:0262 https://access.redhat.com/errata/RHSA-2024:0262
Comment 36 errata-xmlrpc 2024-04-16 00:20:39 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2024:1831 https://access.redhat.com/errata/RHSA-2024:1831
Note You need to log in before you can comment on or make changes to this bug.