ACK: [SRU Focal/Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/2] CVE-2023-3611

[Tim Gardner]

On 7/27/23 5:22 PM, Cengiz Can wrote:
> [Impact]
> An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. The
> qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write
> because lmax is updated according to packet sizes without bounds checks. We
> recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.
> 
> [Fix]
> On older kernels, the prerequisite commit cannot be cherry-picked cleanly.
> 
> With those, I decided to introduce the limiting constant inside the fixing
> commit, and those commits are marked as backports.
> 
> [Test case]
> Each kernel was tested with the publicly shared reproducer.
> 
> Before the fix, all of our kernels (except Focal) was crashing with the
> reproducer.
> 
> After the fix, some kernels (Kinetic, OEM-5.17 and Lunar) do not crash but the
> reproducer fills up buffer space of `ping` command. This doesn't affect the
> regular function of `ping` but should be investigated in the future.
> 
> [Potential regression]
> All users that create traffic control rules using `tc` command might be
> affected.
> 
> Pedro Tammela (2):
>    net/sched: sch_qfq: refactor parsing of netlink parameters
>    net/sched: sch_qfq: account for stab overhead in qfq_enqueue
> 
>   net/sched/sch_qfq.c | 32 +++++++++++++++++---------------
>   1 file changed, 17 insertions(+), 15 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc