Message ID | 20230727232220.972472-1-cengiz.can@canonical.com |
---|---|
Series | CVE-2023-3611 |
On 7/27/23 5:22 PM, Cengiz Can wrote:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
>
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
>
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
>
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
>
> Before the fix, all of our kernels (except Focal) were crashing with the
> reproducer.
>
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up the buffer space of the `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
>
> [Potential regression]
> All users that create traffic control rules using the `tc` command might be
> affected.
>
> Pedro Tammela (2):
>   net/sched: sch_qfq: refactor parsing of netlink parameters
>   net/sched: sch_qfq: account for stab overhead in qfq_enqueue
>
>  net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
>  1 file changed, 17 insertions(+), 15 deletions(-)

Acked-by: Tim Gardner <tim.gardner@canonical.com>
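The cover letter describes the defect as lmax being updated from packet sizes without a bounds check, and the fix as a limiting constant applied before the update. The block below is an added example, not the kernel's code or the two patches in this series: a condensed model of how an aggregate's lmax selects a group index and the range check that keeps that index inside the group array. Constant names follow net/sched/sch_qfq.c, the index arithmetic is simplified, and the sample lengths (65536, 100000) are constructed.

```c
/* Added example, not the kernel's code: condensed model of how a QFQ aggregate's
 * lmax selects a group index, and the range check an lmax update must pass. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#define FRAC_BITS          30
#define ONE_FP             (1UL << FRAC_BITS)
#define QFQ_MTU_SHIFT      16
#define QFQ_MAX_INDEX      24   /* groups[] holds QFQ_MAX_INDEX + 1 entries */
#define QFQ_MIN_SLOT_SHIFT (FRAC_BITS + QFQ_MTU_SHIFT - QFQ_MAX_INDEX)
#define QFQ_MIN_LMAX       512
#define QFQ_MAX_LMAX       (1UL << QFQ_MTU_SHIFT)   /* 65536 */

struct qfq_aggregate {
    unsigned int lmax;  /* largest packet the aggregate may send */
    uint32_t inv_w;     /* ONE_FP / class weight */
    int grp_index;      /* must stay within 0..QFQ_MAX_INDEX */
};

/* Group index for an inverse weight and a maximum packet length. */
int qfq_calc_index(uint32_t inv_w, unsigned int maxlen)
{
    uint64_t slot_size = (uint64_t)maxlen * inv_w;
    uint64_t size_map = slot_size >> QFQ_MIN_SLOT_SHIFT;
    int index;
    if (!size_map)
        return 0;
    index = 64 - __builtin_clzll(size_map);   /* fls64(size_map) */
    /* an exact power of two belongs to the group below */
    index -= !(slot_size - (1ULL << (index + QFQ_MIN_SLOT_SHIFT - 1)));
    return index;
}

/* Bounded update: returns the new group index, or -EINVAL if lmax is out of range. */
int qfq_set_lmax(struct qfq_aggregate *agg, unsigned int lmax)
{
    if (lmax < QFQ_MIN_LMAX || lmax > QFQ_MAX_LMAX)
        return -EINVAL;
    agg->lmax = lmax;
    agg->grp_index = qfq_calc_index(agg->inv_w, lmax);
    return agg->grp_index;
}

int main(void)
{
    struct qfq_aggregate agg = { .inv_w = ONE_FP / 1 };   /* class weight 1 */
    printf("lmax 65536  -> index %d (limit %d)\n", qfq_set_lmax(&agg, 65536), QFQ_MAX_INDEX);
    printf("lmax 100000 -> unchecked index %d, bounded rc %d\n",
           qfq_calc_index(agg.inv_w, 100000), qfq_set_lmax(&agg, 100000));
    return 0;
}
```

With weight 1, an lmax of 65536 lands on index 24, the last valid entry; an unchecked lmax of 100000 would compute index 25, past the end of the array, which is exactly what the bounded update refuses.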
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
On 28.07.23 01:22, Cengiz Can wrote:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
>
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
>
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
>
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
>
> Before the fix, all of our kernels (except Focal) were crashing with the
> reproducer.
>
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up the buffer space of the `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
>
> [Potential regression]
> All users that create traffic control rules using the `tc` command might be
> affected.
>
> Pedro Tammela (2):
>   net/sched: sch_qfq: refactor parsing of netlink parameters
>   net/sched: sch_qfq: account for stab overhead in qfq_enqueue
>
>  net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
>  1 file changed, 17 insertions(+), 15 deletions(-)

Applied to lunar,jammy,focal:linux/master-next and jammy:linux-hwe-5.19/hwe-5.19-next.

Thanks.
-Stefan
On 28.7.2023 at 2.22, Cengiz Can wrote:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
>
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
>
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
>
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
>
> Before the fix, all of our kernels (except Focal) were crashing with the
> reproducer.
>
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up the buffer space of the `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
>
> [Potential regression]
> All users that create traffic control rules using the `tc` command might be
> affected.
>
> Pedro Tammela (2):
>   net/sched: sch_qfq: refactor parsing of netlink parameters
>   net/sched: sch_qfq: account for stab overhead in qfq_enqueue
>
>  net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
>  1 file changed, 17 insertions(+), 15 deletions(-)

Applied to oem-5.17, -6.0, thanks.