Bug 2119855 (CVE-2022-36879) - CVE-2022-36879 kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice
Summary: CVE-2022-36879 kernel: xfrm_expand_policies() in net/xfrm/xfrm_policy.c can c...
Keywords:
Status: NEW
Alias: CVE-2022-36879
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2119856 2122185 2122186 2122187 2122188 2136174 2136193 2183128 2183129 2183130 2183131
Blocks: 2111787
TreeView+ depends on / blocked
 
Reported: 2022-08-19 16:46 UTC by Guilherme de Almeida Suckevicz
Modified: 2024-01-24 15:25 UTC (History)
57 users (show)

Fixed In Version: kernel 5.19-rc8
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel’s IP framework for transforming packets (XFRM subsystem). An error while resolving policies in xfrm_bundle_lookup causes the refcount to drop twice, leading to a possible crash and a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:5627 0 None None None 2023-10-10 16:26:13 UTC
Red Hat Product Errata RHSA-2024:0431 0 None None None 2024-01-24 15:24:24 UTC
Red Hat Product Errata RHSA-2024:0432 0 None None None 2024-01-24 15:25:13 UTC

Description Guilherme de Almeida Suckevicz 2022-08-19 16:46:32 UTC
An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=f85daf0e725358be78dfd208dea5fd665d8cb901

Comment 1 Guilherme de Almeida Suckevicz 2022-08-19 16:46:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2119856]

Comment 2 Justin M. Forbes 2022-08-22 21:12:15 UTC
This was fixed for Fedora with the 5.18.15 stable kernel updates.

Comment 33 Mauro Matteo Cascella 2023-09-15 13:05:10 UTC
This issue was fixed upstream in kernel version 5.19. The kernel packages as shipped with Red Hat Enterprise Linux 8 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2023:2951

kernel-rt in Red Hat Enterprise Linux 8
https://access.redhat.com/errata/RHSA-2023:2736

Comment 40 Mauro Matteo Cascella 2023-09-18 20:13:42 UTC
This issue was fixed upstream in kernel version 5.19. The kernel packages as shipped in Red Hat Enterprise Linux 9 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2458

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2023:2148

Comment 44 errata-xmlrpc 2023-10-10 16:26:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5627 https://access.redhat.com/errata/RHSA-2023:5627

Comment 46 errata-xmlrpc 2024-01-24 15:24:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0431 https://access.redhat.com/errata/RHSA-2024:0431

Comment 47 errata-xmlrpc 2024-01-24 15:25:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0432 https://access.redhat.com/errata/RHSA-2024:0432


Note You need to log in before you can comment on or make changes to this bug.