Bug 2239847 (CVE-2023-42755, ZDI-CAN-18387) - CVE-2023-42755 kernel: rsvp: out-of-bounds read in rsvp_classify()
Summary: CVE-2023-42755 kernel: rsvp: out-of-bounds read in rsvp_classify()
Keywords:
Status: NEW
Alias: CVE-2023-42755, ZDI-CAN-18387
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: CVE-2023-39195 2258363 2258364
Depends On: 2227310 2227311
Blocks: 2238729 2258363
Reported: 2023-09-20 13:54 UTC by Patrick Del Bello
Modified: 2024-02-11 09:41 UTC

Fixed In Version: kernel 6.3-rc1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The xprt pointer may go beyond the linear part of the skb, leading to an out-of-bounds read in the `rsvp_classify` function. This issue may allow a local user to crash the system and cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Patrick Del Bello 2023-09-20 13:54:37 UTC
A flaw was found in rsvp_change(). The root cause is a slab-out-of-bounds access, but since the offset to the original pointer is an `unsigned int` fully controlled by users, the behavior is usually a wild pointer access.

Comment 5 Mauro Matteo Cascella 2023-09-28 16:02:58 UTC
The rsvp classifier has been retired upstream:
https://github.com/torvalds/linux/commit/265b4da82dbf5df04bee5a5d46b7474b1aaf326a

Comment 6 Mauro Matteo Cascella 2023-09-28 16:11:50 UTC
*** Bug 2226790 has been marked as a duplicate of this bug. ***

Comment 11 Alex 2024-02-11 09:38:54 UTC
*** Bug 2258363 has been marked as a duplicate of this bug. ***

Comment 12 Alex 2024-02-11 09:41:42 UTC
*** Bug 2258364 has been marked as a duplicate of this bug. ***

