Bug 2239848 (CVE-2023-42756) - CVE-2023-42756 kernel: netfilter: race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP
Summary: CVE-2023-42756 kernel: netfilter: race condition between IPSET_CMD_ADD and IP...
Keywords:
Status: NEW
Alias: CVE-2023-42756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2241163
Blocks: 2238729
TreeView+ depends on / blocked
 
Reported: 2023-09-20 13:56 UTC by Patrick Del Bello
Modified: 2024-10-12 08:28 UTC (History)
40 users (show)

Fixed In Version: kernel 6.6-rc3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Netfilter subsystem of the Linux kernel. A race condition between IPSET_CMD_ADD and IPSET_CMD_SWAP can lead to a kernel panic due to the invocation of `__ip_set_put` on a wrong `set`. This issue may allow a local user to crash the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:22:05 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:14:53 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:50:00 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:14:00 UTC

Description Patrick Del Bello 2023-09-20 13:56:37 UTC 
A flaw was found under netfilter subsystem. Race between IPSET_CMD_ADD and IPSET_CMD_SWAP. No lock is hold when it does the `cond_resched()`. As a result, `ip_set_ref_lock` (in thread 2) can swap the set with another when thread 1 is doing the `cond_resched()`. Which might lead to a local Denial of Service (DoS).
Comment 4 Mauro Matteo Cascella 2023-09-28 09:35:03 UTC 
Reference:
https://seclists.org/oss-sec/2023/q3/242

Upstream fix:
https://github.com/torvalds/linux/commit/7433b6d2afd512d04398c73aa984d1e285be125b
Comment 6 Mauro Matteo Cascella 2023-09-28 10:21:37 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2241163]
Comment 10 errata-xmlrpc 2024-04-30 10:13:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
Note You need to log in before you can comment on or make changes to this bug.