Bug 2173436 (CVE-2023-1077) - CVE-2023-1077 kernel: Type confusion in pick_next_rt_entity()
Summary: CVE-2023-1077 kernel: Type confusion in pick_next_rt_entity()
Keywords:
Status: NEW
Alias: CVE-2023-1077
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2212185 2212186 2212187 2212188 2212189
Blocks: 2172923
 
Reported: 2023-02-26 17:28 UTC by Alex
Modified: 2024-04-17 15:50 UTC
CC List: 40 users

Fixed In Version: kernel 6.1.16
Doc Type: If docs needed, set a value
Doc Text:
A memory corruption flaw was found in the Linux kernel's scheduler subsystem. This could allow a local user to crash the system or potentially escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Alex 2023-02-26 17:28:50 UTC
pick_next_rt_entity() may return a type confused entry, not
detected by the BUG_ON condition, as the confused entry will not be
NULL, but a list_head.
The buggy error condition would lead to a type confused entry with the
list head, which would then be used as a type confused
sched_rt_entity, causing memory corruption.

It is hard to trigger, because it was found with static analysis and we were not able to trigger it manually. But pick_next_rt_entity() may return a type confused entry; the BUG_ON will never trigger, since it assumes the error condition is NULL, while the buggy error condition would be a type confused entry with the list head, which would then be used as a type confused sched_rt_entity.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/commit/?id=7c4a5b89a0b5a57a64b601775b296abf77a9fe97
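
The mechanism Alex describes, as an added user-space model (this is example code written for this page, not the kernel's scheduler code): list_entry() is container_of(), so on an empty queue where queue->next == queue it returns the list head itself, shifted back by offsetof(run_list) and cast to struct sched_rt_entity. That pointer is never NULL, so a BUG_ON(!rt_se) cannot catch it; only checking list_empty() before the conversion does. The struct layouts, the bitmap walk, RT_MAGIC and the function names with _buggy/_fixed suffixes are assumptions made for the demonstration and only mirror the kernel's shape.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the kernel's intrusive list; not kernel code. */
struct list_head { struct list_head *next, *prev; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_entry(ptr, type, member) container_of(ptr, type, member)

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
	n->next = h; n->prev = h->prev; h->prev->next = n; h->prev = n;
}

/* Assumed layout: the list node is embedded, so list_entry() on a bare
 * head yields a pointer offsetof(run_list) bytes before that head. */
struct sched_rt_entity {
	int prio;
	struct list_head run_list;
};

#define MAX_RT_PRIO 8
struct rt_prio_array {
	unsigned long bitmap;               /* bit i set => queue[i] non-empty */
	struct list_head queue[MAX_RT_PRIO];
};

static void array_init(struct rt_prio_array *a)
{
	a->bitmap = 0;
	for (int i = 0; i < MAX_RT_PRIO; i++)
		INIT_LIST_HEAD(&a->queue[i]);
}

static int find_first_bit(unsigned long b)
{
	for (int i = 0; i < MAX_RT_PRIO; i++)
		if (b & (1UL << i))
			return i;
	return MAX_RT_PRIO;
}

/* Pre-fix shape: trusts the bitmap and converts queue->next unconditionally.
 * If the queue is empty, queue->next is the head, and the head is returned
 * cast to the wrong type: non-NULL, so BUG_ON(!rt_se) in the caller passes. */
static struct sched_rt_entity *pick_next_rt_entity_buggy(struct rt_prio_array *a)
{
	int idx = find_first_bit(a->bitmap);
	if (idx >= MAX_RT_PRIO)
		return NULL;
	struct list_head *queue = &a->queue[idx];
	return list_entry(queue->next, struct sched_rt_entity, run_list);
}

/* Post-fix shape: verify the queue holds an element before converting and
 * hand NULL back to the caller, which returns instead of dereferencing. */
static struct sched_rt_entity *pick_next_rt_entity_fixed(struct rt_prio_array *a)
{
	int idx = find_first_bit(a->bitmap);
	if (idx >= MAX_RT_PRIO)
		return NULL;
	struct list_head *queue = &a->queue[idx];
	if (list_empty(queue)) {
		fprintf(stderr, "WARN: bitmap bit %d set but queue empty\n", idx);
		return NULL;
	}
	return list_entry(queue->next, struct sched_rt_entity, run_list);
}

/* Inconsistent state: bit 3 set, queue[3] empty. Returns 1 when the buggy
 * picker yields a non-NULL "entity" whose run_list is really the list head. */
int buggy_pick_is_type_confused(void)
{
	struct rt_prio_array a;
	array_init(&a);
	a.bitmap = 1UL << 3;
	struct sched_rt_entity *se = pick_next_rt_entity_buggy(&a);
	return se != NULL && &se->run_list == &a.queue[3];
}

int fixed_pick_rejects_empty_queue(void)
{
	struct rt_prio_array a;
	array_init(&a);
	a.bitmap = 1UL << 3;
	return pick_next_rt_entity_fixed(&a) == NULL;
}

/* Consistent state: one entity queued at prio 5. Both pickers must return
 * it; returns its prio, or -1 if either picker is wrong. */
int pick_from_consistent_queue(void)
{
	struct rt_prio_array a;
	struct sched_rt_entity se = { .prio = 5 };
	array_init(&a);
	list_add_tail(&se.run_list, &a.queue[5]);
	a.bitmap |= 1UL << 5;
	struct sched_rt_entity *b = pick_next_rt_entity_buggy(&a);
	struct sched_rt_entity *f = pick_next_rt_entity_fixed(&a);
	return (b == &se && f == &se) ? se.prio : -1;
}

int main(void)
{
	struct rt_prio_array a;
	array_init(&a);
	a.bitmap = 1UL << 3;
	struct sched_rt_entity *se = pick_next_rt_entity_buggy(&a);
	printf("buggy pick on empty queue -> %p (head at %p): NULL check %s\n",
	       (void *)se, (void *)&a.queue[3], se ? "passes" : "fires");
	printf("fixed pick on empty queue -> %p\n", (void *)pick_next_rt_entity_fixed(&a));
	return 0;
}
```

The confused pointer in the buggy case lands inside the neighbouring queue[2] head, so any write through se->prio or se->run_list by the caller corrupts the priority array itself, which is the memory corruption the report describes.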

Comment 3 Alex 2023-06-04 14:48:39 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2212185]

Comment 5 Justin M. Forbes 2023-06-05 12:36:53 UTC
This was fixed for Fedora in the 6.1.16 stable kernel update.

