[SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/2] CVE-2023-3611

Cengiz Can cengiz.can at canonical.com
Thu Jul 27 23:22:16 UTC 2023

An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
component can be exploited to achieve local privilege escalation. The
qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
because lmax is updated according to packet sizes without bounds checks. We
recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. 

On older kernels, the prerequisite commit cannot be cherry-picked cleanly.

With those, I decided to introduce the limiting constant inside the fixing
commit, and those commits are marked as backports.

[Test case]
Each kernel was tested with the publicly shared reproducer.

Before the fix, all of our kernels (except Focal) was crashing with the

After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
reproducer fills up buffer space of `ping` command. This doesn't affect the
regular function of `ping` but should be investigated in the future.

[Potential regression]
All users that create traffic control rules using `tc` command might be

Pedro Tammela (2):
  net/sched: sch_qfq: refactor parsing of netlink parameters
  net/sched: sch_qfq: account for stab overhead in qfq_enqueue

 net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)


More information about the kernel-team mailing list