Bug 2256786 (CVE-2023-6270, ZDI-CAN-22236) - CVE-2023-6270 kernel: AoE: improper reference count leads to use-after-free vulnerability
Summary: CVE-2023-6270 kernel: AoE: improper reference count leads to use-after-free v...
Keywords:
Status: NEW
Alias: CVE-2023-6270, ZDI-CAN-22236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2256787
Blocks: 2256791
TreeView+ depends on / blocked
 
Reported: 2024-01-04 14:46 UTC by Mauro Matteo Cascella
Modified: 2024-06-11 19:41 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Mauro Matteo Cascella 2024-01-04 14:46:47 UTC
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue.

ZDI security advisory (possibly yet to be published):
https://www.zerodayinitiative.com/advisories/ZDI-CAN-22236/

Comment 1 Mauro Matteo Cascella 2024-01-04 14:47:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2256787]

Comment 5 Salvatore Bonaccorso 2024-01-04 20:37:26 UTC
Is this handled upstream? Do you by chance have a reference to the upstream proposed fix?

To the best of my knowledge, there is no recent commit in drivers/block/aoe/ area upstream in mainline which might go in that direction.

Comment 6 Mauro Matteo Cascella 2024-01-05 08:01:04 UTC
In reply to comment #5:
> Is this handled upstream? Do you by chance have a reference to the upstream
> proposed fix?

We've got this from ZDI, the Linux kernel security team (security) should be aware of this bug too.

> To the best of my knowledge, there is no recent commit in drivers/block/aoe/
> area upstream in mainline which might go in that direction.

I couldn't find any relevant upstream discussion or commit either, hopefully ZDI will publish their advisory soon and we'll get more information there.


Note You need to log in before you can comment on or make changes to this bug.