[SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/2] CVE-2023-3611
Cengiz Can
cengiz.can at canonical.com
Thu Jul 27 23:22:16 UTC 2023
[Impact]
An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation. The
qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
because lmax is updated according to packet sizes without bounds checks. We
recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
[Fix]
On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
With those, I decided to introduce the limiting constant inside the fixing
commit, and those commits are marked as backports.
[Test case]
Each kernel was tested with the publicly shared reproducer.
Before the fix, all of our kernels (except Focal) were crashing with the
reproducer.
After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash, but the
reproducer fills up the buffer space of the `ping` command. This doesn't affect
the regular function of `ping` but should be investigated in the future.
[Potential regression]
All users that create traffic control rules using the `tc` command might be
affected.
Pedro Tammela (2):
net/sched: sch_qfq: refactor parsing of netlink parameters
net/sched: sch_qfq: account for stab overhead in qfq_enqueue
net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
1 file changed, 17 insertions(+), 15 deletions(-)
--
2.39.2