ACK: [SRU Focal,Jammy,OEM-6.1,Lunar 0/5] CVE-2023-42752

Roxana Nicolescu roxana.nicolescu at canonical.com
Thu Sep 28 08:12:15 UTC 2023


On 27/09/2023 02:40, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> An unprivileged user may use a user/network namespace, set up a device with
> a very large MTU, and trigger an IGMP packet transmission that will lead to a
> system crash. Local privilege escalation cannot be ruled out.
>
> [Test case]
> A PoC was tested and it worked on 6.1 and 6.2 kernels as they carry the
> kmalloc_reserve changes that make the PoC attack possible. After the fix,
> IGMP packets are still being transmitted, but the crash is not seen anymore.
>
> On 5.15 and 5.4 kernels, the test was still done, even though there is no crash
> without the fix. But after the fix, IGMP packets are still being transmitted.
>
> [Potential regression]
> On Focal and Jammy, IGMP may be broken. On OEM-6.1 and Lunar, other network
> workloads may be broken as this touches SKB allocation.
>
> Eric Dumazet (5):
>    igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
>    net: add SKB_HEAD_ALIGN() helper
>    net: remove osize variable in __alloc_skb()
>    net: factorize code in kmalloc_reserve()
>    net: deal with integer overflows in kmalloc_reserve()
>
>   include/linux/skbuff.h |  8 +++++++
>   net/core/skbuff.c      | 49 ++++++++++++++++++------------------------
>   net/ipv4/igmp.c        |  3 ++-
>   3 files changed, 31 insertions(+), 29 deletions(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu at canonical.com>
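The two ideas the series titles name, clamping the IGMP packet size to IP_MAX_MTU and not letting a rounded-up head size wrap in a 32-bit variable, can be shown in userspace. The block below is an added illustration written for this page; it is not code from Eric Dumazet's patches, from the kernel, or from the Canonical SRU, and it does not reproduce the PoC. The function names, the HEAD_ALIGN value and the power-of-two roundup standing in for the allocator's size-class roundup are assumptions made for the example; only IP_MAX_MTU (0xFFFF) matches the kernel's definition.

```c
/*
 * Added example, not kernel code: a userspace model of why a very large
 * requested size can turn into a tiny allocation when the rounded-up size
 * is stored back into a 32-bit variable, plus the IP_MAX_MTU clamp.
 * HEAD_ALIGN, roundup_pow2() and the function names are assumptions for
 * this illustration.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MAX_MTU  0xFFFFU   /* largest IPv4 datagram, same value as the kernel */
#define HEAD_ALIGN  64U       /* assumed stand-in for skb head alignment */

/* Round up to the next power of two in 64 bits so the result itself cannot
 * wrap for any 32-bit input (stand-in for the allocator's size-class roundup). */
static uint64_t roundup_pow2(uint64_t n)
{
    uint64_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

/* "Before": the rounded size is narrowed back to unsigned int.
 * For any request above 2^31 the roundup yields 2^32, which truncates to 0,
 * so the caller would allocate a tiny buffer for a huge packet. */
static unsigned int reserve_size_before(unsigned int size)
{
    uint64_t aligned = ((uint64_t)size + HEAD_ALIGN - 1) & ~(uint64_t)(HEAD_ALIGN - 1);
    return (unsigned int)roundup_pow2(aligned);
}

/* "After": do the arithmetic in 64 bits and refuse any result that would not
 * survive the narrowing cast, so the request fails instead of wrapping. */
static bool reserve_size_after(unsigned int size, unsigned int *out)
{
    uint64_t aligned = ((uint64_t)size + HEAD_ALIGN - 1) & ~(uint64_t)(HEAD_ALIGN - 1);
    uint64_t obj = roundup_pow2(aligned);

    if (obj > UINT_MAX)
        return false;   /* must be treated as an allocation failure */
    *out = (unsigned int)obj;
    return true;
}

/* The igmp side of the series: a device MTU above IP_MAX_MTU must not drive
 * the size of the packet being built. */
static unsigned int igmp_packet_size(unsigned int dev_mtu)
{
    return dev_mtu < IP_MAX_MTU ? dev_mtu : IP_MAX_MTU;
}

int main(void)
{
    unsigned int n = 0;

    printf("before: request 0x80000001 -> reserve %u bytes\n",
           reserve_size_before(0x80000001U));
    printf("after : request 0x80000001 -> %s\n",
           reserve_size_after(0x80000001U, &n) ? "ok" : "refused");
    printf("igmp  : dev mtu 0x7fffffff -> packet size %u\n",
           igmp_packet_size(0x7fffffffU));
    return 0;
}
```

Either guard alone closes the path the Impact section describes: the clamp keeps IGMP from ever asking for more than 65535 bytes, and the width-safe roundup keeps any other oversized request from collapsing to a zero-length head.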



More information about the kernel-team mailing list