Bug 2221702 (CVE-2023-4133) - CVE-2023-4133 kernel: cxgb4: use-after-free in ch_flower_stats_cb()
Summary: CVE-2023-4133 kernel: cxgb4: use-after-free in ch_flower_stats_cb()
Status: NEW
Alias: CVE-2023-4133
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nobody
QA Contact:
Depends On: 2221712 2221713 2228787 2228789 2228790
Blocks: 2221670
Reported: 2023-07-10 15:34 UTC by Mauro Matteo Cascella
Modified: 2024-05-02 22:49 UTC

Fixed In Version: kernel 6.3
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the cxgb4 driver in the Linux kernel. The bug occurs when the cxgb4 device is detaching due to a possible rearming of the flower_stats_timer from the work queue. This flaw allows a local user to crash the system, causing a denial of service condition.
Clone Of:
Last Closed:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:2634 0 None None None 2024-05-01 01:21:56 UTC
Red Hat Product Errata RHBA-2024:2650 0 None None None 2024-05-02 00:14:44 UTC
Red Hat Product Errata RHBA-2024:2686 0 None None None 2024-05-02 22:49:53 UTC
Red Hat Product Errata RHSA-2024:2394 0 None None None 2024-04-30 10:11:03 UTC

Description Mauro Matteo Cascella 2023-07-10 15:34:32 UTC
From the upstream fix below: The flower_stats_timer can schedule flower_stats_work and flower_stats_work can also arm the flower_stats_timer [..] When the cxgb4 device is detaching, the timer and workqueue could still be rearmed. As a result, a possible use-after-free bug could happen.

Upstream commit:

Comment 2 Mauro Matteo Cascella 2023-08-03 09:31:06 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2228787]

Comment 4 Justin M. Forbes 2023-08-07 22:09:28 UTC
This was fixed for Fedora with the 6.2.13 stable kernel updates.

Comment 5 errata-xmlrpc 2024-04-30 10:11:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:2394 https://access.redhat.com/errata/RHSA-2024:2394
