Bug 2225097 (CVE-2023-3776) - CVE-2023-3776 kernel: net/sched: cls_fw component can be exploited as result of failure in tcf_change_indev function
Keywords:
Status: NEW
Alias: CVE-2023-3776
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2225102 2225103 2225636 2225637 2225638 2225639 2225640 2225641 2225642 2225643 2225644 2225645 2225646 2225647 2225648 2225649 2225650 2225651 2225652 2225653 2225654 2225655 2225657 2225658 2225659 2225660 2225661 2225662 2225663 2225664 2225665 2226640 2225656
Blocks: 2225092
Reported: 2023-07-24 10:19 UTC by Alex
Modified: 2023-07-31 16:36 UTC (History)

Fixed In Version: Kernel 6.5-rc2
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in fw_set_parms() in net/sched/cls_fw.c, part of the network scheduler (net/sched) subsystem of the Linux kernel. The issue occurs because of a missing sanity check during cleanup on the failure path, which leaves behind a stale reference. This may allow a local attacker to escalate privileges.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Alex 2023-07-24 10:19:36 UTC
A flaw was found in the Linux kernel. A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=0323bce598eea038714f941ce2b22541c46d488f
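The ordering problem the description points at (a reference count is updated by the bind step, then a later step fails and the function returns without rolling the count back) is easier to see in a small user-space model. The following is an added example written for this page; it is not kernel code and not the upstream patch. The structures, the `bind_filter`/`unbind_filter` helpers and the `change_indev` stand-in are constructed stand-ins for tcf_bind_filter(), tcf_unbind_filter() and tcf_change_indev(). `set_parms_buggy` reproduces the bind-then-fail ordering; `set_parms_fixed` performs every fallible step before touching the reference count, which is the general pattern for this class of bug (how exactly the upstream commit reorders fw_set_parms() is not restated here and should be read from the referenced commit).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of a scheduler class: it counts the filters bound to it,
 * the way classes reached through tcf_bind_filter() do in net/sched. */
struct tc_class {
    int filter_cnt;
};

/* Constructed model of a classifier filter holding its class binding. */
struct filter {
    struct tc_class *bound; /* NULL while unbound */
};

/* Stand-in for tcf_bind_filter(): take a reference on the class. */
static void bind_filter(struct filter *f, struct tc_class *cl)
{
    cl->filter_cnt++;
    f->bound = cl;
}

/* Stand-in for tcf_unbind_filter(): drop the reference again. */
static void unbind_filter(struct filter *f)
{
    if (f->bound) {
        f->bound->filter_cnt--;
        f->bound = NULL;
    }
}

/* Stand-in for tcf_change_indev(): resolving the ingress device can fail. */
static int change_indev(bool indev_valid)
{
    return indev_valid ? 0 : -ENODEV;
}

/* Buggy ordering: the count is changed first, then a fallible step runs and
 * the error path returns without undoing the bind. The caller discards the
 * filter, and the class is left counting a filter that no longer exists. */
static int set_parms_buggy(struct filter *f, struct tc_class *cl, bool indev_valid)
{
    bind_filter(f, cl);
    int ret = change_indev(indev_valid);
    if (ret < 0)
        return ret; /* filter_cnt stays incremented */
    return 0;
}

/* Fixed ordering: run every step that can fail first; only bind once nothing
 * after it can fail, so the error path has nothing to roll back. */
static int set_parms_fixed(struct filter *f, struct tc_class *cl, bool indev_valid)
{
    int ret = change_indev(indev_valid);
    if (ret < 0)
        return ret; /* count untouched */
    bind_filter(f, cl);
    return 0;
}

/* Simulates the caller (the fw_change() role): on error the new filter is
 * freed without an unbind, on success it is removed properly later.
 * Returns the class's filter count afterwards; a consistent run yields 0. */
static int run_change(int (*set_parms)(struct filter *, struct tc_class *, bool),
                      bool indev_valid)
{
    struct tc_class cl = { .filter_cnt = 0 };
    struct filter *f = calloc(1, sizeof *f);
    if (!f)
        return -1;
    int ret = set_parms(f, &cl, indev_valid);
    if (ret < 0) {
        free(f); /* discarded without unbind, as on the failing path */
        return cl.filter_cnt;
    }
    unbind_filter(f); /* normal teardown of a successfully added filter */
    free(f);
    return cl.filter_cnt;
}

int main(void)
{
    printf("buggy, indev fails: filter_cnt=%d (stale)\n", run_change(set_parms_buggy, false));
    printf("fixed, indev fails: filter_cnt=%d\n", run_change(set_parms_fixed, false));
    printf("fixed, indev ok:    filter_cnt=%d\n", run_change(set_parms_fixed, true));
    return 0;
}
```

The check a reviewer would apply to any such function is the one `run_change` encodes: after every return path, including each early error return, the reference count must equal the number of live objects actually holding a reference. A count that is off by one after a failed change is the symptom to look for.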

