Bug 2256786 (CVE-2023-6270, ZDI-CAN-22236) - CVE-2023-6270 kernel: AoE: improper reference count leads to use-after-free vulnerability
Keywords:
Status: NEW
Alias: CVE-2023-6270, ZDI-CAN-22236
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2256787
Blocks: 2256791
Reported: 2024-01-04 14:46 UTC by Mauro Matteo Cascella
Modified: 2024-02-28 06:19 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue. This could lead to a denial of service condition or potential code execution.
Clone Of:
Environment:
Last Closed:
Embargoed:


Description Mauro Matteo Cascella 2024-01-04 14:46:47 UTC
A flaw was found in the ATA over Ethernet (AoE) driver in the Linux kernel. The aoecmd_cfg_pkts() function improperly updates the refcnt on `struct net_device`, and a use-after-free can be triggered by racing between the free on the struct and the access through the `skbtxq` global queue.

ZDI security advisory (possibly yet to be published):
https://www.zerodayinitiative.com/advisories/ZDI-CAN-22236/
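
A userspace model of the reference-count pattern named in the description, added here as an illustration and not taken from the kernel source or the advisory. All type and function names are hypothetical, the race is replayed as one fixed interleaving, and the early put is an assumption about how a queued pointer can outlive its reference.

```c
#include <stdio.h>
#include <stdbool.h>

/* Userspace model only; names are hypothetical, not the kernel's. */
struct netdev { int refcnt; bool freed; };
struct pkt    { struct netdev *dev; };

static void dev_hold_m(struct netdev *d) { d->refcnt++; }
static void dev_put_m(struct netdev *d)  { if (--d->refcnt == 0) d->freed = true; }

#define QLEN 8
static struct pkt txq[QLEN];           /* stands in for a global tx queue */
static int txq_len;

/* Producer: takes a reference, then queues a packet that points at the device. */
static void cfg_pkts(struct netdev *d, bool keep_ref_for_queue)
{
    dev_hold_m(d);                     /* reference for this function */
    txq[txq_len++].dev = d;            /* the queue now stores a pointer to d */
    if (!keep_ref_for_queue)
        dev_put_m(d);                  /* unsafe: queued pointer is left unreferenced */
}

/* Consumer: runs later and dereferences pkt.dev. Returns the stale-access count. */
static int tx_drain(bool put_after_send)
{
    int stale = 0;
    for (int i = 0; i < txq_len; i++) {
        struct netdev *d = txq[i].dev;
        if (d->freed) stale++;         /* in a kernel this is the use-after-free */
        if (put_after_send) dev_put_m(d);  /* reference ends with the last access */
    }
    txq_len = 0;
    return stale;
}

/* Interleaving: device live (1 ref), packet queued, device released, tx runs. */
static int run(bool safe)
{
    struct netdev d = { .refcnt = 1, .freed = false };  /* stack object: "freed" is a flag */
    txq_len = 0;
    cfg_pkts(&d, safe);
    dev_put_m(&d);                     /* owner drops its reference before tx runs */
    return tx_drain(safe);
}

int main(void) {
    printf("early put: %d stale access(es)\n", run(false));
    printf("ref held until tx: %d stale access(es)\n", run(true));
    return 0;
}
```

The invariant it checks is that any pointer stored on a deferred queue carries its own reference until the consumer has finished with it.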

Comment 1 Mauro Matteo Cascella 2024-01-04 14:47:34 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2256787]

Comment 5 Salvatore Bonaccorso 2024-01-04 20:37:26 UTC
Is this handled upstream? Do you by chance have a reference to the upstream proposed fix?

To the best of my knowledge, there is no recent commit in the drivers/block/aoe/ area upstream in mainline which might go in that direction.

Comment 6 Mauro Matteo Cascella 2024-01-05 08:01:04 UTC
In reply to comment #5:
> Is this handled upstream? Do you by chance have a reference to the upstream
> proposed fix?

We've got this from ZDI; the Linux kernel security team (security) should be aware of this bug too.

> To the best of my knowledge, there is no recent commit in the
> drivers/block/aoe/ area upstream in mainline which might go in that direction.

I couldn't find any relevant upstream discussion or commit either; hopefully ZDI will publish their advisory soon and we'll get more information there.
