Bug 2225511 (CVE-2023-4206, CVE-2023-4207, CVE-2023-4208) - CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 kernel: net/sched: Use-after-free vulnerabilities in the net/sched classifiers: cls_fw, cls_u32 and cls_route
Summary: CVE-2023-4206 CVE-2023-4207 CVE-2023-4208 kernel: net/sched: Use-after-free v...
Keywords:
Status: NEW
Alias: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
: 2225499 2237894 2237901 2237902 CVE-2023-4128 (view as bug list)
Depends On: 2228714 2225512 2225513 2228700 2228701 2228702 2228703 2228704 2228705 2228706 2228708 2228709 2228710 2228711 2228712 2228713 2228715 2228716 2228717 2228718 2228719 2228720 2228722 2228723 2228724 2228725 2228726 2228727 2228728 2228729 2228730 2228731 2228732 2230905
Blocks: 2225284 2237759
TreeView+ depends on / blocked
 
Reported: 2023-07-25 12:37 UTC by Alex
Modified: 2024-01-31 15:33 UTC (History)
54 users (show)

Fixed In Version: Kernel 6.5-rc5
Doc Type: If docs needed, set a value
Doc Text:
There are 3 CVEs for the use-after-free flaw found in net/sched/cls_fw.c in classifiers (cls_fw, cls_u32, and cls_route) in the Linux Kernel: CVE-2023-4206, CVE-2023-4207, CVE-2023-4208. A local user could use any of these flaws to crash the system or potentially escalate their privileges on the system. Similar CVE-2023-4128 was rejected as a duplicate.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:6037 0 None None None 2023-10-23 16:18:17 UTC
Red Hat Product Errata RHBA-2023:6835 0 None None None 2023-11-09 07:11:08 UTC
Red Hat Product Errata RHBA-2023:7268 0 None None None 2023-11-15 18:25:04 UTC
Red Hat Product Errata RHBA-2023:7328 0 None None None 2023-11-16 11:39:12 UTC
Red Hat Product Errata RHBA-2023:7338 0 None None None 2023-11-16 18:04:38 UTC
Red Hat Product Errata RHBA-2023:7343 0 None None None 2023-11-20 01:59:07 UTC
Red Hat Product Errata RHBA-2023:7346 0 None None None 2023-11-20 09:26:06 UTC
Red Hat Product Errata RHBA-2023:7496 0 None None None 2023-11-27 14:41:33 UTC
Red Hat Product Errata RHSA-2023:5235 0 None None None 2023-09-19 12:39:44 UTC
Red Hat Product Errata RHSA-2023:5238 0 None None None 2023-09-19 12:37:34 UTC
Red Hat Product Errata RHSA-2023:5548 0 None None None 2023-10-10 09:40:52 UTC
Red Hat Product Errata RHSA-2023:5575 0 None None None 2023-10-10 10:13:36 UTC
Red Hat Product Errata RHSA-2023:5580 0 None None None 2023-10-10 10:21:11 UTC
Red Hat Product Errata RHSA-2023:5588 0 None None None 2023-10-10 14:07:27 UTC
Red Hat Product Errata RHSA-2023:5589 0 None None None 2023-10-10 14:12:41 UTC
Red Hat Product Errata RHSA-2023:5603 0 None None None 2023-10-10 15:25:12 UTC
Red Hat Product Errata RHSA-2023:5604 0 None None None 2023-10-10 15:33:19 UTC
Red Hat Product Errata RHSA-2023:5627 0 None None None 2023-10-10 16:26:29 UTC
Red Hat Product Errata RHSA-2023:5628 0 None None None 2023-10-10 16:24:13 UTC
Red Hat Product Errata RHSA-2023:5775 0 None None None 2023-10-17 09:24:59 UTC
Red Hat Product Errata RHSA-2023:5794 0 None None None 2023-10-17 15:06:55 UTC
Red Hat Product Errata RHSA-2023:6583 0 None None None 2023-11-07 08:20:47 UTC
Red Hat Product Errata RHSA-2023:6901 0 None None None 2023-11-14 15:16:03 UTC
Red Hat Product Errata RHSA-2023:7077 0 None None None 2023-11-14 15:21:21 UTC
Red Hat Product Errata RHSA-2023:7370 0 None None None 2023-11-21 11:25:01 UTC
Red Hat Product Errata RHSA-2023:7379 0 None None None 2023-11-21 10:25:09 UTC
Red Hat Product Errata RHSA-2023:7418 0 None None None 2023-11-21 14:48:26 UTC
Red Hat Product Errata RHSA-2023:7419 0 None None None 2023-11-21 15:27:10 UTC
Red Hat Product Errata RHSA-2023:7423 0 None None None 2023-11-21 15:37:53 UTC
Red Hat Product Errata RHSA-2023:7424 0 None None None 2023-11-21 15:08:21 UTC
Red Hat Product Errata RHSA-2023:7539 0 None None None 2023-11-28 15:35:46 UTC
Red Hat Product Errata RHSA-2023:7558 0 None None None 2023-11-28 18:49:14 UTC
Red Hat Product Errata RHSA-2024:0261 0 None None None 2024-01-16 15:52:23 UTC
Red Hat Product Errata RHSA-2024:0262 0 None None None 2024-01-16 15:54:19 UTC

Description Alex 2023-07-25 12:37:47 UTC 
A flaw in the Linux Kernel found. Use after free in the net/sched classifiers (cls_fw, cls_u32 and cls_route) can happen because of mainline/net/sched/cls_fw.c incorrect handling of the existing filter in .change method that leads to an extra unbind_tcf call for the associated class and that allows that class to be removed while it's still used. These bugs can be used for a local privilege escalation.

Upstream patch:
https://lore.kernel.org/netdev/193d6cdf-d6c9-f9be-c36a-b2a7551d5fb6@mojatatu.com/
Comment 2 Alex 2023-07-25 12:39:54 UTC 
*** Bug 2225499 has been marked as a duplicate of this bug. ***
Comment 10 Rohit Keshri 2023-08-10 08:58:13 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2230905]
Comment 12 errata-xmlrpc 2023-09-19 12:37:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5238 https://access.redhat.com/errata/RHSA-2023:5238
Comment 13 errata-xmlrpc 2023-09-19 12:39:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5235 https://access.redhat.com/errata/RHSA-2023:5235
Comment 15 errata-xmlrpc 2023-10-10 09:40:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5548 https://access.redhat.com/errata/RHSA-2023:5548
Comment 16 errata-xmlrpc 2023-10-10 10:13:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5575 https://access.redhat.com/errata/RHSA-2023:5575
Comment 17 errata-xmlrpc 2023-10-10 10:21:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2023:5580 https://access.redhat.com/errata/RHSA-2023:5580
Comment 18 errata-xmlrpc 2023-10-10 14:07:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5588 https://access.redhat.com/errata/RHSA-2023:5588
Comment 19 errata-xmlrpc 2023-10-10 14:12:36 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5589 https://access.redhat.com/errata/RHSA-2023:5589
Comment 20 errata-xmlrpc 2023-10-10 15:25:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5603 https://access.redhat.com/errata/RHSA-2023:5603
Comment 21 errata-xmlrpc 2023-10-10 15:33:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5604 https://access.redhat.com/errata/RHSA-2023:5604
Comment 22 errata-xmlrpc 2023-10-10 16:24:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5628 https://access.redhat.com/errata/RHSA-2023:5628
Comment 23 errata-xmlrpc 2023-10-10 16:26:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627
Comment 25 errata-xmlrpc 2023-10-17 09:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2023:5775 https://access.redhat.com/errata/RHSA-2023:5775
Comment 26 errata-xmlrpc 2023-10-17 15:06:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5794 https://access.redhat.com/errata/RHSA-2023:5794
Comment 27 Alex 2023-10-25 12:01:45 UTC 
*** Bug 2237894 has been marked as a duplicate of this bug. ***
Comment 28 Alex 2023-10-25 12:19:56 UTC 
*** Bug 2237901 has been marked as a duplicate of this bug. ***
Comment 30 Alex 2023-11-05 09:53:48 UTC 
This CVE-2023-4128 is the same as next 3 CVEs (so for the CVE-2023-4128 all these 3 merged together):
CVE-2023-4206
CVE-2023-4207
CVE-2023-4208
, because CVE-2023-4128 assigned by Red Hat and CVE-2023-420{6,7,8} assigned by Google (simultaneously).

The patches behind these CVEs are:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76e42ae831991c828cffa8c37736ebfb831ad5ec
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8
Comment 31 Alex 2023-11-05 10:23:43 UTC 
*** Bug 2237902 has been marked as a duplicate of this bug. ***
Comment 32 errata-xmlrpc 2023-11-07 08:20:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6583 https://access.redhat.com/errata/RHSA-2023:6583
Comment 36 errata-xmlrpc 2023-11-14 15:15:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6901 https://access.redhat.com/errata/RHSA-2023:6901
Comment 37 errata-xmlrpc 2023-11-14 15:21:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7077 https://access.redhat.com/errata/RHSA-2023:7077
Comment 38 errata-xmlrpc 2023-11-21 10:25:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379
Comment 39 errata-xmlrpc 2023-11-21 11:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370
Comment 40 errata-xmlrpc 2023-11-21 14:48:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418
Comment 41 errata-xmlrpc 2023-11-21 15:08:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7424 https://access.redhat.com/errata/RHSA-2023:7424
Comment 42 errata-xmlrpc 2023-11-21 15:27:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7419 https://access.redhat.com/errata/RHSA-2023:7419
Comment 43 errata-xmlrpc 2023-11-21 15:37:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2023:7423 https://access.redhat.com/errata/RHSA-2023:7423
Comment 44 errata-xmlrpc 2023-11-28 15:35:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539
Comment 45 errata-xmlrpc 2023-11-28 18:49:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7558 https://access.redhat.com/errata/RHSA-2023:7558
Comment 46 errata-xmlrpc 2024-01-16 15:52:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support

Via RHSA-2024:0261 https://access.redhat.com/errata/RHSA-2024:0261
Comment 47 errata-xmlrpc 2024-01-16 15:54:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:0262 https://access.redhat.com/errata/RHSA-2024:0262
Comment 48 Alex 2024-01-31 15:33:10 UTC 
*** Bug 2261965 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.