Bug 2225201 (CVE-2023-3609) - CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if tcf_change_indev() fails
Summary: CVE-2023-3609 kernel: net/sched: cls_u32 component reference counter leak if ...
Keywords:
Status: NEW
Alias: CVE-2023-3609
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2219411 2225202 2225483 2225484 2225485 2225486 2225487 2225488 2225489 2225490 2225491 2225492 2225493 2225494 2225495 2225496 2225497 2225498 2225500 2225501 2225502 2225503 2225505 2225506 2225507 2225508 2225509 2225510 2226868 2226869 2226870 2226872 2226873 2225203
Blocks: 2225185
TreeView+ depends on / blocked
 
Reported: 2023-07-24 14:28 UTC by Alex
Modified: 2023-08-02 17:02 UTC (History)
51 users (show)

Fixed In Version: Kernel 6.4-rc7
Doc Type: If docs needed, set a value
Doc Text:
A double-free flaw was found in u32_set_parms in net/sched/cls_u32.c in the Network Scheduler component in the Linux kernel. This flaw allows a local attacker to use a failure event to mishandle the reference counter, leading to a local privilege escalation threat.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Alex 2023-07-24 14:28:28 UTC 
A flaw in the Linux Kernel found. A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=04c55383fa5689357bcdd2c8036725a55ed632bc
Note You need to log in before you can comment on or make changes to this bug.