2240527 – kernel: netfilter: ipset: array Indexing error in ip_set_hash_netportnet.c

Bug 2240527 - kernel: netfilter: ipset: array Indexing error in ip_set_hash_netportnet.c

Summary: kernel: netfilter: ipset: array Indexing error in ip_set_hash_netportnet.c

Keywords:
Status:	CLOSED DUPLICATE of bug 2239843
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2240528
Blocks:
TreeView+	depends on / blocked

Reported:	2023-09-25 05:56 UTC by TEJ RATHI
Modified:	2023-09-25 06:04 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2023-09-25 06:02:56 UTC
Embargoed:

Attachments	(Terms of Use)

Description TEJ RATHI 2023-09-25 05:56:50 UTC

An array indexing vulnerability in the netfilter ipset subsystem in Linux, which can be exploited in some systems because of its nature to increment/decrement pointers out-of-bound.

The root cause of the vulnerability is a missing IP_SET_HASH_WITH_NET0 macro in `ip_set_hash_netportnet`, which leads it to use the wrong wrong `CIDR_POS(c)` macro for calulating array offsets.

This provides attackers with the primitive to arbitrarily increment/decrement a memory out-of-bound, which is likely
exploitable, attackers can manipulate a buffer pointer to obtain OOB read/write primitive; or increase the length of a buffer, to read/write out of bound.

https://seclists.org/oss-sec/2023/q3/216
https://git.kernel.org/linus/050d91c03b28ca479df13dfb02bcd2c60dd6a878

Comment 1 TEJ RATHI 2023-09-25 05:57:14 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2240528]

Comment 2 TEJ RATHI 2023-09-25 06:02:56 UTC


*** This bug has been marked as a duplicate of bug 2239843 ***

Note You need to log in before you can comment on or make changes to this bug.