Bug 2239843 (CVE-2023-42753) - CVE-2023-42753 kernel: netfilter: potential slab-out-of-bound access due to integer underflow
Summary: CVE-2023-42753 kernel: netfilter: potential slab-out-of-bound access due to i...
Keywords:
Status: NEW
Alias: CVE-2023-42753
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: 2240527 (view as bug list)
Depends On: 2240602
Blocks: 2238729
TreeView+ depends on / blocked
 
Reported: 2023-09-20 13:50 UTC by Patrick Del Bello
Modified: 2024-04-17 19:06 UTC (History)
43 users (show)

Fixed In Version: kernel 6.6-rc1
Doc Type: If docs needed, set a value
Doc Text:
An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0383 0 None None None 2024-01-23 20:30:37 UTC
Red Hat Product Errata RHBA-2024:0610 0 None None None 2024-01-30 14:48:47 UTC
Red Hat Product Errata RHBA-2024:0611 0 None None None 2024-01-30 14:53:14 UTC
Red Hat Product Errata RHBA-2024:0612 0 None None None 2024-01-30 14:44:48 UTC
Red Hat Product Errata RHBA-2024:0620 0 None None None 2024-01-30 17:09:50 UTC
Red Hat Product Errata RHBA-2024:0636 0 None None None 2024-01-31 18:06:07 UTC
Red Hat Product Errata RHBA-2024:0637 0 None None None 2024-02-01 00:08:58 UTC
Red Hat Product Errata RHBA-2024:0673 0 None None None 2024-02-05 10:13:07 UTC
Red Hat Product Errata RHBA-2024:0679 0 None None None 2024-02-05 11:45:46 UTC
Red Hat Product Errata RHSA-2023:7370 0 None None None 2023-11-21 11:25:00 UTC
Red Hat Product Errata RHSA-2023:7379 0 None None None 2023-11-21 10:25:16 UTC
Red Hat Product Errata RHSA-2023:7382 0 None None None 2023-11-21 11:16:08 UTC
Red Hat Product Errata RHSA-2023:7389 0 None None None 2023-11-21 11:12:32 UTC
Red Hat Product Errata RHSA-2023:7411 0 None None None 2023-11-21 12:24:37 UTC
Red Hat Product Errata RHSA-2023:7418 0 None None None 2023-11-21 14:48:25 UTC
Red Hat Product Errata RHSA-2023:7539 0 None None None 2023-11-28 15:35:49 UTC
Red Hat Product Errata RHSA-2023:7558 0 None None None 2023-11-28 18:49:13 UTC
Red Hat Product Errata RHSA-2024:0089 0 None None None 2024-01-09 09:13:08 UTC
Red Hat Product Errata RHSA-2024:0113 0 None None None 2024-01-10 10:42:52 UTC
Red Hat Product Errata RHSA-2024:0134 0 None None None 2024-01-10 10:46:30 UTC
Red Hat Product Errata RHSA-2024:0340 0 None None None 2024-01-23 09:12:36 UTC
Red Hat Product Errata RHSA-2024:0346 0 None None None 2024-01-23 16:20:16 UTC
Red Hat Product Errata RHSA-2024:0347 0 None None None 2024-01-23 16:20:26 UTC
Red Hat Product Errata RHSA-2024:0371 0 None None None 2024-01-23 17:24:48 UTC
Red Hat Product Errata RHSA-2024:0376 0 None None None 2024-01-23 17:21:47 UTC
Red Hat Product Errata RHSA-2024:0378 0 None None None 2024-01-23 17:28:23 UTC
Red Hat Product Errata RHSA-2024:0402 0 None None None 2024-01-24 15:05:14 UTC
Red Hat Product Errata RHSA-2024:0403 0 None None None 2024-01-24 15:05:38 UTC
Red Hat Product Errata RHSA-2024:0412 0 None None None 2024-01-24 16:45:12 UTC
Red Hat Product Errata RHSA-2024:0461 0 None None None 2024-01-24 16:29:12 UTC
Red Hat Product Errata RHSA-2024:0562 0 None None None 2024-01-30 12:28:03 UTC
Red Hat Product Errata RHSA-2024:0563 0 None None None 2024-01-30 12:27:12 UTC
Red Hat Product Errata RHSA-2024:0593 0 None None None 2024-01-30 13:10:27 UTC
Red Hat Product Errata RHSA-2024:0999 0 None None None 2024-02-27 06:36:12 UTC

Description Patrick Del Bello 2023-09-20 13:50:47 UTC 
Potential slab-out-of-bound access due to integer underflow due to a missing IP_SET_HASH_WITH_NET0 macro in `ip_set_hash_netportnet`, which leads it to use the wrong wrong `CIDR_POS(c)` macro for calulating array offsets.
Comment 4 Mauro Matteo Cascella 2023-09-24 14:20:40 UTC 
Upstream fix:
https://github.com/torvalds/linux/commit/050d91c03b28ca479df13dfb02bcd2c60dd6a878

Reference:
https://www.openwall.com/lists/oss-security/2023/09/22/10
Comment 5 TEJ RATHI 2023-09-25 06:02:56 UTC 
*** Bug 2240527 has been marked as a duplicate of this bug. ***
Comment 6 Mauro Matteo Cascella 2023-09-25 12:43:42 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2240602]
Comment 11 Justin M. Forbes 2023-09-25 16:32:59 UTC 
This was fixed for Fedora with the 6.5.3 stable kernel updates.
Comment 15 errata-xmlrpc 2023-11-21 10:25:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7379 https://access.redhat.com/errata/RHSA-2023:7379
Comment 16 errata-xmlrpc 2023-11-21 11:12:29 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7389 https://access.redhat.com/errata/RHSA-2023:7389
Comment 17 errata-xmlrpc 2023-11-21 11:16:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7382 https://access.redhat.com/errata/RHSA-2023:7382
Comment 18 errata-xmlrpc 2023-11-21 11:24:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7370 https://access.redhat.com/errata/RHSA-2023:7370
Comment 19 errata-xmlrpc 2023-11-21 12:24:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7411 https://access.redhat.com/errata/RHSA-2023:7411
Comment 20 errata-xmlrpc 2023-11-21 14:48:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7418 https://access.redhat.com/errata/RHSA-2023:7418
Comment 21 errata-xmlrpc 2023-11-28 15:35:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7539 https://access.redhat.com/errata/RHSA-2023:7539
Comment 22 errata-xmlrpc 2023-11-28 18:49:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7558 https://access.redhat.com/errata/RHSA-2023:7558
Comment 23 errata-xmlrpc 2024-01-09 09:13:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0089 https://access.redhat.com/errata/RHSA-2024:0089
Comment 24 errata-xmlrpc 2024-01-10 10:42:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0113 https://access.redhat.com/errata/RHSA-2024:0113
Comment 25 errata-xmlrpc 2024-01-10 10:46:27 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0134 https://access.redhat.com/errata/RHSA-2024:0134
Comment 27 Florian Westphal 2024-01-22 12:11:50 UTC 
RHEL7.6 is not affected, it does not support /0 netmasks:

$ ipset create test  hash:net,port,net 
$ ipset add test 0.0.0.0/0,42,192.168.0.1
ipset v6.38: The value of the CIDR parameter of the IP address is invalid

The commit that supports this, 886503f34d63 ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net"), was added to 7.7, I don't see it backported to 7.6.z branch. This still checks attribute value via:

if (!e.cidr[0] || e.cidr[0] > HOST_MASK)
  ....

so /0 gets rejected.
Comment 28 errata-xmlrpc 2024-01-23 09:12:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0340 https://access.redhat.com/errata/RHSA-2024:0340
Comment 29 errata-xmlrpc 2024-01-23 16:20:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0346 https://access.redhat.com/errata/RHSA-2024:0346
Comment 30 errata-xmlrpc 2024-01-23 16:20:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0347 https://access.redhat.com/errata/RHSA-2024:0347
Comment 31 errata-xmlrpc 2024-01-23 17:21:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions

Via RHSA-2024:0376 https://access.redhat.com/errata/RHSA-2024:0376
Comment 32 errata-xmlrpc 2024-01-23 17:24:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:0371 https://access.redhat.com/errata/RHSA-2024:0371
Comment 33 errata-xmlrpc 2024-01-23 17:28:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0378 https://access.redhat.com/errata/RHSA-2024:0378
Comment 34 errata-xmlrpc 2024-01-24 15:05:11 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0402 https://access.redhat.com/errata/RHSA-2024:0402
Comment 35 errata-xmlrpc 2024-01-24 15:05:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0403 https://access.redhat.com/errata/RHSA-2024:0403
Comment 36 errata-xmlrpc 2024-01-24 16:29:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0461 https://access.redhat.com/errata/RHSA-2024:0461
Comment 37 errata-xmlrpc 2024-01-24 16:45:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0412 https://access.redhat.com/errata/RHSA-2024:0412
Comment 38 errata-xmlrpc 2024-01-30 12:27:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0563 https://access.redhat.com/errata/RHSA-2024:0563
Comment 39 errata-xmlrpc 2024-01-30 12:27:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0562 https://access.redhat.com/errata/RHSA-2024:0562
Comment 40 errata-xmlrpc 2024-01-30 13:10:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions

Via RHSA-2024:0593 https://access.redhat.com/errata/RHSA-2024:0593
Comment 42 errata-xmlrpc 2024-02-27 06:36:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support

Via RHSA-2024:0999 https://access.redhat.com/errata/RHSA-2024:0999
Note You need to log in before you can comment on or make changes to this bug.