[SRU,F/J/L,0/1] CVE-2023-42754

Message ID	20231018224913.62418-1-yuxuan.luo@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Yuxuan Luo <yuxuan.luo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][F/J/L][PATCH 0/1] CVE-2023-42754 Date: Wed, 18 Oct 2023 18:49:12 -0400 Message-Id: <20231018224913.62418-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-42754 \| expand [SRU,F/J/L,0/1] CVE-2023-42754 [SRU,F/J/L,1/1] ipv4: fix null-deref in ipv4_link_failure

Message ID

20231018224913.62418-1-yuxuan.luo@canonical.com

Headers

From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L][PATCH 0/1] CVE-2023-42754
Date: Wed, 18 Oct 2023 18:49:12 -0400
Message-Id: <20231018224913.62418-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-42754 | expand

Message

Yuxuan Luo Oct. 18, 2023, 10:49 p.m. UTC

[Impact]
A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack.
The socket buffer (skb) was assumed to be associated with a device before
calling __ip_options_compile, which is not always the case if the skb is
re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN
privileges to crash the system.

[Backport]
It's a clean backport.

[Test]
Tested against [the poc](https://vuldb.com/?exploit_url.241116) with
privilege since the exploit requires it.

[Potential Regression]
Expect very low regression potential.


Kyle Zeng (1):
  ipv4: fix null-deref in ipv4_link_failure

 net/ipv4/route.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

Comments

Thadeu Lima de Souza Cascardo Oct. 18, 2023, 11:01 p.m. UTC | #1

This is also needed on Mantic, 6.5.

Cascardo.

Stefan Bader Oct. 19, 2023, 8:19 a.m. UTC | #2

On 19.10.23 00:49, Yuxuan Luo wrote:
> [Impact]
> A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack.
> The socket buffer (skb) was assumed to be associated with a device before
> calling __ip_options_compile, which is not always the case if the skb is
> re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN
> privileges to crash the system.
> 
> [Backport]
> It's a clean backport.
> 
> [Test]
> Tested against [the poc](https://vuldb.com/?exploit_url.241116) with
> privilege since the exploit requires it.
> 
> [Potential Regression]
> Expect very low regression potential.
> 
> 
> Kyle Zeng (1):
>    ipv4: fix null-deref in ipv4_link_failure
> 
>   net/ipv4/route.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

For Mantic as well

Acked-by: Stefan Bader <stefan.bader@canonical.com>

Tim Gardner Oct. 19, 2023, 12:50 p.m. UTC | #3

On 10/18/23 4:49 PM, Yuxuan Luo wrote:
> [Impact]
> A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack.
> The socket buffer (skb) was assumed to be associated with a device before
> calling __ip_options_compile, which is not always the case if the skb is
> re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN
> privileges to crash the system.
> 
> [Backport]
> It's a clean backport.
> 
> [Test]
> Tested against [the poc](https://vuldb.com/?exploit_url.241116) with
> privilege since the exploit requires it.
> 
> [Potential Regression]
> Expect very low regression potential.
> 
> 
> Kyle Zeng (1):
>    ipv4: fix null-deref in ipv4_link_failure
> 
>   net/ipv4/route.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

For Mantic too

Stefan Bader Oct. 20, 2023, 8:43 a.m. UTC | #4

On 19.10.23 00:49, Yuxuan Luo wrote:
> [Impact]
> A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack.
> The socket buffer (skb) was assumed to be associated with a device before
> calling __ip_options_compile, which is not always the case if the skb is
> re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN
> privileges to crash the system.
> 
> [Backport]
> It's a clean backport.
> 
> [Test]
> Tested against [the poc](https://vuldb.com/?exploit_url.241116) with
> privilege since the exploit requires it.
> 
> [Potential Regression]
> Expect very low regression potential.
> 
> 
> Kyle Zeng (1):
>    ipv4: fix null-deref in ipv4_link_failure
> 
>   net/ipv4/route.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

Applied to lunar,jammy:linux/master-next. Thanks.

-Stefan

Stefan Bader Oct. 25, 2023, 1:15 p.m. UTC | #5

On 19.10.23 00:49, Yuxuan Luo wrote:
> [Impact]
> A NULL pointer dereference flaw was found in the Linux kernel ipv4 stack.
> The socket buffer (skb) was assumed to be associated with a device before
> calling __ip_options_compile, which is not always the case if the skb is
> re-routed by ipvs. This issue may allow a local user with CAP_NET_ADMIN
> privileges to crash the system.
> 
> [Backport]
> It's a clean backport.
> 
> [Test]
> Tested against [the poc](https://vuldb.com/?exploit_url.241116) with
> privilege since the exploit requires it.
> 
> [Potential Regression]
> Expect very low regression potential.
> 
> 
> Kyle Zeng (1):
>    ipv4: fix null-deref in ipv4_link_failure
> 
>   net/ipv4/route.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 

Applied to mantic,focal:linux/master-next. Thanks.

-Stefan