[SRU,OEM-5.14,0/2,OEM-5.17,0/1] CVE-2022-3586

Message ID 20230421012921.33113-1-cengiz.can@canonical.com

Message

Cengiz Can April 21, 2023, 1:29 a.m. UTC
[Impact]
A flaw was found in the Linux kernel’s networking code. A use-after-free was
found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb
field after the same SKB had been enqueued (and freed) into a child qdisc.
This flaw allows a local, unprivileged user to crash the system, causing a
denial of service.

[Fix]
Clean cherry picks from upstream.

Please do note that OEM-5.17 already has commit 9efd23297cca ("sch_sfb: Don't
assume the skb is still around after enqueueing to child"), so it is excluded
from the patchset.

[Test case]
Boot and basic network functionality tested with ntop and wget.

[Potential regression]
Low. The fix has been in other kernels for quite a while now.

Toke Høiland-Jørgensen (2):
  sch_sfb: Don't assume the skb is still around after enqueueing to
    child
  sch_sfb: Also store skb len before calling child enqueue

 net/sched/sch_sfb.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--
2.37.2
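
The ordering problem the two patches correct, shown as a constructed C model added here (it is not the kernel's sch_sfb.c nor the cherry-picked patches): `sk_buff`, `qdisc_stats`, `child_enqueue`, `sfb_enqueue_vulnerable` and `sfb_enqueue_fixed` are simplified stand-ins, and the child's memset models kfree_skb() so the stale read shows up as wrong statistics rather than as undefined behaviour.

```c
#include <string.h>

/* Constructed model of the objects involved; not the real net/sched/sch_sfb.c. */
#define NET_XMIT_SUCCESS 0
#define SFB_BUCKETS 16

struct sk_buff {
	unsigned int len;
	unsigned int hash;  /* stands in for the sfb data the kernel keeps in skb->cb */
};

struct qdisc_stats {
	unsigned int backlog;                 /* bytes queued, updated from skb len */
	unsigned int bucket_len[SFB_BUCKETS]; /* per-bucket counters, indexed by hash */
};

/* A child that transmits and releases the buffer before returning success;
 * the memset models kfree_skb() by poisoning the object so a later read by the
 * parent yields garbage. After qdisc_enqueue() the parent no longer owns the skb. */
static int child_enqueue(struct sk_buff *skb)
{
	memset(skb, 0xA5, sizeof(*skb));
	return NET_XMIT_SUCCESS;
}

/* Vulnerable ordering (the CVE-2022-3586 pattern): stats are read from the skb
 * after it was handed to the child. In the kernel that is a use-after-free;
 * in this model it picks up the poisoned values. */
int sfb_enqueue_vulnerable(struct sk_buff *skb, struct qdisc_stats *st)
{
	int ret = child_enqueue(skb);
	if (ret == NET_XMIT_SUCCESS) {
		st->backlog += skb->len;                   /* reads released memory */
		st->bucket_len[skb->hash % SFB_BUCKETS]++; /* reads released memory */
	}
	return ret;
}

/* Fixed ordering (what the two cherry-picked patches do): copy what the parent
 * still needs out of the skb before enqueueing, then use only the copies. */
int sfb_enqueue_fixed(struct sk_buff *skb, struct qdisc_stats *st)
{
	unsigned int len = skb->len, hash = skb->hash;
	int ret = child_enqueue(skb);
	if (ret == NET_XMIT_SUCCESS) {
		st->backlog += len;
		st->bucket_len[hash % SFB_BUCKETS]++;
	}
	return ret;
}
```

The same rule generalises to any qdisc that wraps a child: once qdisc_enqueue() has been called, nothing from the skb (length, cb contents, hashes) may be read again, whatever the return code.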

Comments

Andrei Gherzan April 21, 2023, 11:06 a.m. UTC | #1
On 23/04/21 04:29AM, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel’s networking code. A use-after-free was
> found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb
> field after the same SKB had been enqueued (and freed) into a child qdisc.
> This flaw allows a local, unprivileged user to crash the system, causing a
> denial of service.
> 
> [Fix]
> Clean cherry picks from upstream.
> 
> Please do note that OEM-5.17 already has commit 9efd23297cca ("sch_sfb: Don't
> assume the skb is still around after enqueueing to child"), so it is excluded
> from the patchset.
> 
> [Test case]
> Boot and basic network functionality tested with ntop and wget.
> 
> [Potential regression]
> Low. The fix has been in other kernels for quite a while now.
> 
> Toke Høiland-Jørgensen (2):
>   sch_sfb: Don't assume the skb is still around after enqueueing to
>     child
>   sch_sfb: Also store skb len before calling child enqueue
> 
>  net/sched/sch_sfb.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> --
> 2.37.2

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>

Cory Todd April 21, 2023, 7:33 p.m. UTC | #2
On Fri, Apr 21, 2023 at 04:29:19AM +0300, Cengiz Can wrote:
> [Impact]
> A flaw was found in the Linux kernel’s networking code. A use-after-free was
> found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb
> field after the same SKB had been enqueued (and freed) into a child qdisc.
> This flaw allows a local, unprivileged user to crash the system, causing a
> denial of service.
> 
> [Fix]
> Clean cherry picks from upstream.
> 
> Please do note that OEM-5.17 already has commit 9efd23297cca ("sch_sfb: Don't
> assume the skb is still around after enqueueing to child"), so it is excluded
> from the patchset.
> 
> [Test case]
> Boot and basic network functionality tested with ntop and wget.
> 
> [Potential regression]
> Low. The fix has been in other kernels for quite a while now.
> 
> Toke Høiland-Jørgensen (2):
>   sch_sfb: Don't assume the skb is still around after enqueueing to
>     child
>   sch_sfb: Also store skb len before calling child enqueue
> 
>  net/sched/sch_sfb.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> --
> 2.37.2

Acked-by: Cory Todd <cory.todd@canonical.com>

Timo Aaltonen April 27, 2023, 9:52 a.m. UTC | #3
Cengiz Can wrote on 21.4.2023 at 4.29:
> [Impact]
> A flaw was found in the Linux kernel’s networking code. A use-after-free was
> found in the way the sch_sfb enqueue function used the socket buffer (SKB) cb
> field after the same SKB had been enqueued (and freed) into a child qdisc.
> This flaw allows a local, unprivileged user to crash the system, causing a
> denial of service.
> 
> [Fix]
> Clean cherry picks from upstream.
> 
> Please do note that OEM-5.17 already has commit 9efd23297cca ("sch_sfb: Don't
> assume the skb is still around after enqueueing to child"), so it is excluded
> from the patchset.
> 
> [Test case]
> Boot and basic network functionality tested with ntop and wget.
> 
> [Potential regression]
> Low. The fix has been in other kernels for quite a while now.
> 
> Toke Høiland-Jørgensen (2):
>    sch_sfb: Don't assume the skb is still around after enqueueing to
>      child
>    sch_sfb: Also store skb len before calling child enqueue
> 
>   net/sched/sch_sfb.c | 13 ++++++++-----
>   1 file changed, 8 insertions(+), 5 deletions(-)
> 
> --
> 2.37.2

Applied to oem-5.17, thanks. 5.14 is EOL.