[SRU Focal,Jammy,OEM-6.1,Lunar 0/5] CVE-2023-42752
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Sep 27 00:40:20 UTC 2023
[Impact]
An unprivileged user may use a user/network namespace, set up a device with
a very large MTU, and trigger an IGMP packet transmission that will lead to a
system crash. Local privilege escalation cannot be ruled out.
[Test case]
A PoC was tested and it worked on 6.1 and 6.2 kernels as they carry the
kmalloc_reserve changes that make the PoC attack possible. After the fix,
IGMP packets are still being transmitted, but the crash is not seen anymore.
On 5.15 and 5.4 kernels, the test was still done, even though there is no crash
without the fix. But after the fix, IGMP packets are still being transmitted.
[Potential regression]
On Focal and Jammy, IGMP may be broken. On OEM-6.1 and Lunar, other network
workloads may be broken as this touches SKB allocation.
Eric Dumazet (5):
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
net: add SKB_HEAD_ALIGN() helper
net: remove osize variable in __alloc_skb()
net: factorize code in kmalloc_reserve()
net: deal with integer overflows in kmalloc_reserve()
include/linux/skbuff.h | 8 +++++++
net/core/skbuff.c | 49 ++++++++++++++++++------------------------
net/ipv4/igmp.c | 3 ++-
3 files changed, 31 insertions(+), 29 deletions(-)
--
2.34.1