APPLIED[L]/REJECTED[J/F]: [SRU][F/J/L][PATCH 0/1] CVE-2023-3609

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri Aug 4 20:04:36 UTC 2023


On Fri, Aug 04, 2023 at 10:55:35AM +0200, Stefan Bader wrote:
> On 03.08.23 20:43, Yuxuan Luo wrote:
> > [Impact]
> > A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32
> > component can be exploited to achieve local privilege escalation. If
> > tcf_change_indev() fails, u32_set_parms() will immediately return an
> > error after incrementing or decrementing the reference counter in
> > tcf_bind_filter(). If an attacker can control the reference counter and
> > set it to zero, they can cause the reference to be freed, leading to a
> > use-after-free vulnerability.
> > 
> > [Backport]
> > Clean cherry pick.
> > 
> > [Test]
> > Smoke tested via adding a u32 filter to a dummy device using `tc`.
> > 
> > [Potential Regression]
> > Expect very low regression.
> > 
> > Lee Jones (1):
> >    net/sched: cls_u32: Fix reference counter leak leading to overflow
> > 
> >   net/sched/cls_u32.c | 18 ++++++++++--------
> >   1 file changed, 10 insertions(+), 8 deletions(-)
> > 
> This patch does not apply to Jammy because of missing
> 
> v5.17 c86e0209dc77 flow_offload: validate flags of filter and actions
> 

I think you meant that in this case tcf_exts_validate/tcf_exts_validate_ex
changes the context here. Therefore, the patch cannot be applied.

Talking to Yuxuan, there has been some confusion when sending the patches. It
is a clean cherry-pick on jammy, since cherry-pick can adjust to the context
change. Not git-am, though.

> in addition the function tcf_change_indev(), which is added by the patch,
> changed number of arguments with
> 
> v4.16 c86e0209dc77 flow_offload: validate flags of filter and actions
> 

Not sure what relation v4.16 has to Focal, which is 5.4. And this is the same
commit as above. Yet, I see another change between 5.4 and 5.15 on that same
context, on the arguments for tcf_exts_validate, not tcf_change_indev.

Same thing applies here, a clean cherry-pick works, git-am of the same patch as
the one applied to 6.2 doesn't.

Yuxuan, you should resubmit applicable patches for both Jammy and Focal. They
should be different ones, since their context is different.

Alas, git am --3way would have worked here in both cases. It's just that one
cannot always be sure if that would have produced the result intended by the
submitter.

Cascardo.

> so Focal would FTBS with this.
> 
> Applied to lunar:linux/master-next. Thanks.
> 
> -Stefan
> 
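As an added illustration of the cherry-pick versus git-am point made above (this script is not part of the thread and is not Ubuntu kernel-team tooling): a throwaway repository where "stable" lacks a context-line change that the fix's branch got first, standing in for the tcf_exts_validate/tcf_exts_validate_ex difference. All file contents, branch names and the C-like function calls are constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: the "fix" touches a line whose hunk context includes a
# line that stable never changed, so plain git-am rejects it while the
# 3-way paths (git am --3way, git cherry-pick) merge it cleanly.

write_src() {  # $1 = validate call, $2 = change_indev call (made-up C)
    printf '%s\n' 'int u32_set_parms(void)' '{' "    err = $1;" \
        '    if (err < 0)' '        return err;' "    err = $2;" \
        '    if (err < 0)' '        return err;' '    return 0;' '}' > cls_u32.c
}

# Returns 0 when plain git-am fails but git am --3way and cherry-pick both
# apply the same patch and keep stable's own context line intact.
demo_backport() (
    set -e
    cd "$(mktemp -d)"
    git init -q .
    git config user.name "Example" && git config user.email "ex@example.invalid"
    write_src 'tcf_exts_validate(a, b)' 'tcf_change_indev(x)'
    git add cls_u32.c && git commit -q -m "base"
    git branch stable                      # stable never gets the context change
    write_src 'tcf_exts_validate_ex(a, b, c)' 'tcf_change_indev(x)'
    git commit -q -am "context change: tcf_exts_validate_ex"
    write_src 'tcf_exts_validate_ex(a, b, c)' 'tcf_change_indev(x, y)'
    git commit -q -am "fix: pass extra argument to tcf_change_indev"
    fix=$(git rev-parse HEAD)
    git format-patch -1 --stdout >fix.patch  # what a submitter would mail
    git checkout -q stable
    # 1. git am alone: the hunk's leading context no longer matches, so it fails.
    if git am -q fix.patch >/dev/null 2>&1; then
        echo "unexpected: plain git am applied" >&2; exit 1
    fi
    git am --abort
    # 2. git am --3way: merges against the blobs named in the patch's index
    #    line, which resolve here because the fix's branch lives in this repo.
    git am -q --3way fix.patch >/dev/null 2>&1
    grep -q 'tcf_change_indev(x, y)' cls_u32.c
    grep -q 'tcf_exts_validate(a, b)' cls_u32.c   # stable's context untouched
    # 3. cherry-pick from the same repo: same 3-way merge, same clean result.
    git reset -q --hard HEAD~1
    git cherry-pick "$fix" >/dev/null 2>&1
    grep -q 'tcf_change_indev(x, y)' cls_u32.c
    grep -q 'tcf_exts_validate(a, b)' cls_u32.c
)
```

Whether the 3-way result is what the submitter intended still has to be checked by reading the merged file, which is the reservation voiced above.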
