Bug 2235306 (CVE-2023-4244) - CVE-2023-4244 kernel: Use-after-free in nft_verdict_dump due to a race between set GC and transaction
Summary: CVE-2023-4244 kernel: Use-after-free in nft_verdict_dump due to a race betwee...
Keywords:
Status: NEW
Alias: CVE-2023-4244
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
: CVE-2023-52433 (view as bug list)
Depends On: 2235467
Blocks: 2235312 2265182
TreeView+ depends on / blocked
 
Reported: 2023-08-28 11:21 UTC by Rohit Keshri
Modified: 2024-05-28 14:07 UTC (History)
8 users (show)

Fixed In Version: Kernel 6.5-rc6
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Linux kernel’s nftables sub-component due to a race problem between the set GC and transaction in the Linux Kernel. This flaw allows a local attacker to crash the system due to a missing call to `nft_set_elem_mark_busy`, causing double deactivation of the element and possibly leading to a kernel information leak problem.
Clone Of:
Environment:
Last Closed: 2023-09-07 18:02:54 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1336 0 None None None 2024-03-14 15:40:46 UTC
Red Hat Product Errata RHBA-2024:1379 0 None None None 2024-03-19 15:00:30 UTC
Red Hat Product Errata RHSA-2024:1018 0 None None None 2024-02-28 12:41:55 UTC
Red Hat Product Errata RHSA-2024:1019 0 None None None 2024-02-28 12:34:31 UTC
Red Hat Product Errata RHSA-2024:1248 0 None None None 2024-03-12 00:45:25 UTC
Red Hat Product Errata RHSA-2024:2950 0 None None None 2024-05-22 09:14:36 UTC
Red Hat Product Errata RHSA-2024:3138 0 None None None 2024-05-22 09:52:01 UTC
Red Hat Product Errata RHSA-2024:3414 0 None None None 2024-05-28 14:05:07 UTC
Red Hat Product Errata RHSA-2024:3421 0 None None None 2024-05-28 14:07:20 UTC

Description Rohit Keshri 2023-08-28 11:21:43 UTC
A use-after-free flaw was found in nftables sub-component due to a race problem between set GC and transaction in the Linux Kernel. This flaw could allow a local attacker to crash the system, due to missing call to to `nft_set_elem_mark_busy` causing double deactivation of the element. This vulnerability could even lead to a kernel information leak problem.

Refer:
https://lore.kernel.org/netdev/20230810070830.24064-1-pablo@netfilter.org/
https://lore.kernel.org/netdev/20230815223011.7019-1-fw@strlen.de/

Comment 4 Rohit Keshri 2023-08-28 18:52:24 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2235467]

Comment 5 Rohit Keshri 2023-09-07 18:02:54 UTC

*** This bug has been marked as a duplicate of bug 2237755 ***

Comment 14 errata-xmlrpc 2024-02-28 12:34:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 15 errata-xmlrpc 2024-02-28 12:41:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 16 Alex 2024-02-28 17:29:24 UTC
*** Bug 2265184 has been marked as a duplicate of this bug. ***

Comment 17 errata-xmlrpc 2024-03-12 00:45:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248

Comment 19 errata-xmlrpc 2024-05-22 09:14:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:2950 https://access.redhat.com/errata/RHSA-2024:2950

Comment 20 errata-xmlrpc 2024-05-22 09:52:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:3138 https://access.redhat.com/errata/RHSA-2024:3138

Comment 21 errata-xmlrpc 2024-05-28 14:05:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3414 https://access.redhat.com/errata/RHSA-2024:3414

Comment 22 errata-xmlrpc 2024-05-28 14:07:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:3421 https://access.redhat.com/errata/RHSA-2024:3421


Note You need to log in before you can comment on or make changes to this bug.