Bug 2225191 (CVE-2023-3611) - CVE-2023-3611 kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead
Status: NEW
Alias: CVE-2023-3611
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Nobody
Depends On: 2225564 2225196 2225197 2225551 2225552 2225553 2225554 2225555 2225556 2225557 2225558 2225559 2225560 2225561 2225562 2225563 2225565 2225566 2225567 2225568 2225573 2225574 2225575 2225576 2225577 2225578 2225579 2225580 2225581 2225585 2225586 2225587
Blocks: 2225179
Reported: 2023-07-24 14:11 UTC by Alex
Modified: 2024-04-25 14:55 UTC

Fixed In Version: Kernel 6.5-rc2
Doc Text:
An out-of-bounds memory write flaw was found in qfq_change_agg in net/sched/sch_qfq.c in the Traffic Control (QoS) subsystem in the Linux kernel. This flaw allows a local user to crash or potentially escalate their privileges on the system.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:7268 0 None None None 2023-11-15 18:25:00 UTC
Red Hat Product Errata RHBA-2023:7328 0 None None None 2023-11-16 11:39:10 UTC
Red Hat Product Errata RHBA-2023:7338 0 None None None 2023-11-16 18:04:34 UTC
Red Hat Product Errata RHBA-2023:7343 0 None None None 2023-11-20 01:59:08 UTC
Red Hat Product Errata RHBA-2023:7346 0 None None None 2023-11-20 09:26:03 UTC
Red Hat Product Errata RHBA-2023:7496 0 None None None 2023-11-27 14:41:33 UTC
Red Hat Product Errata RHBA-2024:1796 0 None None None 2024-04-11 21:12:08 UTC
Red Hat Product Errata RHBA-2024:2065 0 None None None 2024-04-25 14:55:15 UTC
Red Hat Product Errata RHSA-2023:6901 0 None None None 2023-11-14 15:15:56 UTC
Red Hat Product Errata RHSA-2023:7077 0 None None None 2023-11-14 15:21:17 UTC
Red Hat Product Errata RHSA-2023:7419 0 None None None 2023-11-21 15:27:00 UTC
Red Hat Product Errata RHSA-2023:7423 0 None None None 2023-11-21 15:37:38 UTC
Red Hat Product Errata RHSA-2023:7424 0 None None None 2023-11-21 15:08:19 UTC
Red Hat Product Errata RHSA-2024:0261 0 None None None 2024-01-16 15:52:14 UTC
Red Hat Product Errata RHSA-2024:0262 0 None None None 2024-01-16 15:54:09 UTC
Red Hat Product Errata RHSA-2024:0378 0 None None None 2024-01-23 17:28:14 UTC
Red Hat Product Errata RHSA-2024:0412 0 None None None 2024-01-24 16:44:20 UTC
Red Hat Product Errata RHSA-2024:0554 0 None None None 2024-01-30 00:33:49 UTC
Red Hat Product Errata RHSA-2024:0575 0 None None None 2024-01-30 13:21:57 UTC
Red Hat Product Errata RHSA-2024:1268 0 None None None 2024-03-12 11:43:23 UTC
Red Hat Product Errata RHSA-2024:1269 0 None None None 2024-03-12 11:45:52 UTC
Red Hat Product Errata RHSA-2024:1278 0 None None None 2024-03-12 15:00:53 UTC
Red Hat Product Errata RHSA-2024:1367 0 None None None 2024-03-19 00:22:30 UTC
Red Hat Product Errata RHSA-2024:1377 0 None None None 2024-03-19 14:37:57 UTC
Red Hat Product Errata RHSA-2024:1382 0 None None None 2024-03-19 15:07:48 UTC
Red Hat Product Errata RHSA-2024:1831 0 None None None 2024-04-16 00:20:43 UTC

Description Alex 2023-07-24 14:11:46 UTC
A flaw was found in the Linux kernel. An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e337087c3b5805fe0b8a46ba622a962880b5d64

Comment 16 errata-xmlrpc 2023-11-14 15:15:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901

Comment 17 errata-xmlrpc 2023-11-14 15:21:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077

Comment 18 errata-xmlrpc 2023-11-21 15:08:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7424 https://access.redhat.com/errata/RHSA-2023:7424

Comment 19 errata-xmlrpc 2023-11-21 15:26:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7419 https://access.redhat.com/errata/RHSA-2023:7419

Comment 20 errata-xmlrpc 2023-11-21 15:37:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7423 https://access.redhat.com/errata/RHSA-2023:7423

Comment 22 errata-xmlrpc 2024-01-16 15:52:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2024:0261 https://access.redhat.com/errata/RHSA-2024:0261

Comment 23 errata-xmlrpc 2024-01-16 15:54:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:0262 https://access.redhat.com/errata/RHSA-2024:0262

Comment 24 errata-xmlrpc 2024-01-23 17:28:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0378 https://access.redhat.com/errata/RHSA-2024:0378

Comment 25 errata-xmlrpc 2024-01-24 16:44:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412

Comment 26 errata-xmlrpc 2024-01-30 00:33:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0554 https://access.redhat.com/errata/RHSA-2024:0554

Comment 27 errata-xmlrpc 2024-01-30 13:21:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0575 https://access.redhat.com/errata/RHSA-2024:0575

Comment 29 errata-xmlrpc 2024-03-12 11:43:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268

Comment 30 errata-xmlrpc 2024-03-12 11:45:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269

Comment 31 errata-xmlrpc 2024-03-12 15:00:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278

Comment 32 errata-xmlrpc 2024-03-19 00:22:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1367 https://access.redhat.com/errata/RHSA-2024:1367

Comment 33 errata-xmlrpc 2024-03-19 14:37:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1377 https://access.redhat.com/errata/RHSA-2024:1377

Comment 34 errata-xmlrpc 2024-03-19 15:07:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:1382 https://access.redhat.com/errata/RHSA-2024:1382

Comment 35 errata-xmlrpc 2024-04-16 00:20:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6 Extended Lifecycle Support

Via RHSA-2024:1831 https://access.redhat.com/errata/RHSA-2024:1831

