ACK: [SRU][F/J/L][PATCH 0/1] CVE-2023-4921
Tim Gardner
tim.gardner at canonical.com
Wed Sep 27 12:16:13 UTC 2023
On 9/26/23 4:44 PM, Yuxuan Luo wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq
> component can be exploited to achieve local privilege escalation. When the
> plug qdisc is used as a class of the qfq qdisc, sending network packets
> triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler
> of sch_plug and lack of error checking in agg_dequeue(). We recommend
> upgrading past commit 8fc134fee27f2263988ae38920bc03da416b03d8.
>
> [Backport]
> It is a clean cherry pick.
>
> [Test]
> Tested against the proof of concept. Note that the bug report generated
> by the PoC is expected, as discussed in the [mailing
> list](https://lore.kernel.org/all/39597d43-7522-38e7-1b37-82c4a84158aa@mojatatu.com/).
>
> [Potential Regression]
> Expect relatively low regression potential as it has been backported to
> multiple stable branches.
>
> valis (1):
> net: sched: sch_qfq: Fix UAF in qfq_dequeue()
>
> net/sched/sch_plug.c | 2 +-
> net/sched/sch_qfq.c | 22 +++++++++++++++++-----
> 2 files changed, 18 insertions(+), 6 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list