APPLIED[L/J/HWE-5.19/F]: [SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/1] CVE-2023-3776

Stefan Bader stefan.bader at canonical.com
Mon Jul 31 15:52:19 UTC 2023


On 28.07.23 08:57, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw
> component can be exploited to achieve local privilege escalation. If
> tcf_change_indev() fails, fw_set_parms() will immediately return an error after
> incrementing or decrementing the reference counter in tcf_bind_filter(). If an
> attacker can control the reference counter and set it to zero, they can cause
> the reference to be freed, leading to a use-after-free vulnerability. We
> recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
> 
> [Fix]
> Cherry picked from upstream.
> 
> [Test case]
> Compile and boot tested only.
> 
> [Potential regression]
> All users that utilize traffic shaping might be affected. Although highly
> unlikely.
> 
> M A Ramdhan (1):
>    net/sched: cls_fw: Fix improper refcount update leads to
>      use-after-free
> 
>   net/sched/cls_fw.c | 10 +++++-----
>   1 file changed, 5 insertions(+), 5 deletions(-)
> 

Applied to lunar,jammy,focal:linux/master-next and 
jammy:linux-hwe-5.19/hwe-5.19-next. Thanks.

-Stefan
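
The error-path ordering described under [Impact], as an added example that is not part of the original message or the upstream patch. It is a simplified userspace model: every name in it is hypothetical, and the hardened ordering shown is one way to avoid the imbalance, assumed here rather than taken from the commit.

```c
#include <stdio.h>
#include <errno.h>

/* Simplified userspace model; all names are hypothetical, not kernel code. */
struct tc_class { int filter_cnt; };   /* stands in for the class bind counter */
struct filter   { struct tc_class *bound; };

static void bind_filter(struct filter *f, struct tc_class *c)
{
    f->bound = c;
    c->filter_cnt++;
}

/* Stand-in for the device lookup that can fail on bad input. */
static int change_indev(int ifindex) { return ifindex > 0 ? ifindex : -ENODEV; }

/* Order described in [Impact]: bind first, then bail out on lookup failure. */
static int set_parms_buggy(struct filter *f, struct tc_class *c, int ifindex)
{
    bind_filter(f, c);
    int ret = change_indev(ifindex);
    if (ret < 0)
        return ret;            /* counter already changed, never undone */
    return 0;
}

/* Hardened order: every step that can fail runs before the counter is touched. */
static int set_parms_fixed(struct filter *f, struct tc_class *c, int ifindex)
{
    int ret = change_indev(ifindex);
    if (ret < 0)
        return ret;
    bind_filter(f, c);
    return 0;
}

/* Returns how far the counter drifted after n rejected updates. */
static int drift_after_failures(int (*set_parms)(struct filter *, struct tc_class *, int), int n)
{
    struct tc_class cls = { .filter_cnt = 0 };
    for (int i = 0; i < n; i++) {
        struct filter tmp = { 0 };     /* discarded by the caller on error */
        set_parms(&tmp, &cls, -1);     /* constructed invalid ifindex */
    }
    return cls.filter_cnt;
}

int main(void)
{
    printf("buggy drift: %d\n", drift_after_failures(set_parms_buggy, 3));
    printf("fixed drift: %d\n", drift_after_failures(set_parms_fixed, 3));
    return 0;
}
```

A counter that moves on a rejected request is the invariant to check when reviewing similar setup functions: a failed call should leave every reference count where it found it.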
