APPLIED[L/J/F/HWE-5.19]: [SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/2] CVE-2023-3611

Stefan Bader stefan.bader at canonical.com
Thu Aug 3 16:21:23 UTC 2023 

On 28.07.23 01:22, Cengiz Can wrote:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
> 
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
> 
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
> 
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
> 
> Before the fix, all of our kernels (except Focal) was crashing with the
> reproducer.
> 
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up buffer space of `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
> 
> [Potential regression]
> All users that create traffic control rules using `tc` command might be
> affected.
> 
> Pedro Tammela (2):
>    net/sched: sch_qfq: refactor parsing of netlink parameters
>    net/sched: sch_qfq: account for stab overhead in qfq_enqueue
> 
>   net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
>   1 file changed, 17 insertions(+), 15 deletions(-)
> 

Applied to lunar,jammy,focal:linux/master-next and 
jammy:linux-hwe-5.19/hwe-5.19-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230803/4be01e9c/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230803/4be01e9c/attachment-0001.sig>

More information about the kernel-team mailing list