Bug 2237902 - kernel: net/sched: cls_u32 UAF
Summary: kernel: net/sched: cls_u32 UAF
Keywords:
Status: CLOSED DUPLICATE of bug 2225511
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2237759
TreeView+ depends on / blocked
 
Reported: 2023-09-07 15:45 UTC by juneau
Modified: 2023-11-05 11:36 UTC (History)
42 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-11-05 10:23:43 UTC
Embargoed:

Attachments (Terms of Use)

Description juneau 2023-09-07 15:45:11 UTC 
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
https://kernel.dance/3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81
Note You need to log in before you can comment on or make changes to this bug.