[LTS 9.2 RT] CVE-2023-4206, CVE-2023-4207, CVE-2023-4208 #159
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…fter-free jira VULN-6657 cve CVE-2023-4207 commit-author valis <[email protected]> commit 76e42ae When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. Fix this by no longer copying the tcf_result struct from the old filter. Fixes: e35a8ee ("net: sched: fw use RCU") Reported-by: valis <[email protected]> Reported-by: Bing-Jhong Billy Jheng <[email protected]> Signed-off-by: valis <[email protected]> Signed-off-by: Jamal Hadi Salim <[email protected]> Reviewed-by: Victor Nogueira <[email protected]> Reviewed-by: Pedro Tammela <[email protected]> Reviewed-by: M A Ramdhan <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 76e42ae) Signed-off-by: Marcin Wcisło <[email protected]>
…after-free jira VULN-6664 cve CVE-2023-4208 commit-author valis <[email protected]> commit 3044b16 When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. Fix this by no longer copying the tcf_result struct from the old filter. Fixes: de5df63 ("net: sched: cls_u32 changes to knode must appear atomic to readers") Reported-by: valis <[email protected]> Reported-by: M A Ramdhan <[email protected]> Signed-off-by: valis <[email protected]> Signed-off-by: Jamal Hadi Salim <[email protected]> Reviewed-by: Victor Nogueira <[email protected]> Reviewed-by: Pedro Tammela <[email protected]> Reviewed-by: M A Ramdhan <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jakub Kicinski <[email protected]> (cherry picked from commit 3044b16) Signed-off-by: Marcin Wcisło <[email protected]>
bmastbergen
approved these changes
Mar 13, 2025
There was a problem hiding this comment.
I agree with the logic that CVE-2023-4206 isn't applicable due to the config. But I would have been ok with applying the change anyway since its so simple.
🥌
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[LTS 9.2 RT]
CVE-2023-4206 VULN-6650
CVE-2023-4207 VULN-6657
CVE-2023-4208 VULN-6664
Problem
The PR addresses a series of related CVEs, which were once listed under a single CVE-2023-4128. From https://lore.kernel.org/netdev/[email protected]/:
Each CVE is related to a different classifier:
Analysis and solution
Official fixes
The official fixes for each of the vulnerabilities are as follows:
Applicability
The CVE-2023-4206 is not applicable to the LTS 9.2 RT from the configuration standpoint, as the
route4classifier is disabled by default. Other CVEs are applicable.Analysis
For the discussion of the validity of a fix based on simply ignoring a certain field while copying a data structure where the actual copy may be expected see analysis for LTS 8.6 RT Pull Request - it was not repeated for the LTS 9.2 RT version. (Note that the doubts raised there about keeping
tcindexfilter don't apply to this version as this filter is disabled in LTS 9.2 RT configuration.)kABI check: omitted (unstable ABI of RT kernels)
Boot test: passed
boot-test.log
Kselftests: passed relative
Methodology
A mix of
kernel-selftests-internaland source-compiled tests were used:kernel-selftests-internal:bpftests, except:bpf:test_kmod.sh: takes very long time to finish and always fails anyway,bpf:test_progs: unstable, can crash the machine,bpf:test_progs-no_alu32: unstable, can crash the machine.Coverage (including tests skipped during execution)
bpf,breakpoints,capabilities,clone3,core,cpu-hotplug,cpufreq,drivers/dma-buf,drivers/net/bonding,drivers/net/team,efivarfs,filesystems,filesystems/binderfs,filesystems/epoll,firmware,fpu,ftrace,futex,gpio,intel_pstate,ipc,ir,kcmp,kvm,landlock,lib,livepatch,membarrier,memfd,memory-hotplug,mincore,mount,mqueue,nci,net,net/forwarding,net/mptcp,netfilter,nsfs,openat2,pid_namespace,pidfd,pstore,ptrace,rlimits,rseq,rtc,seccomp,sgx,sigaltstack,size,splice,static_keys,sync,syscall_user_dispatch,sysctl,tc-testing,tdx,timens,timers,tmpfs,tpm2,user,vDSO,vm,x86,zramReference
Three test runs were conducted on the reference kernel.
kselftests–mix–ciqlts9_2-rt–run1.log
kselftests–mix–ciqlts9_2-rt–run2.log
kselftests–mix–ciqlts9_2-rt–run3.log
Patch
A single test run was conducted on the patched kernel.
kselftests–mix–ciqlts9_2-rt-CVE-2023-4206.4207.4208–run1.log
Comparison
The tests
bpf:test_tcpnotify_user,kvm:tsc_scaling_syncwere known to give inconsistent results before.The test
rtc:rtctestwas known to give inconsistent results before, although only forciqlts9_2- added to the list of flappy tests forciqlts9_2-rt.The test
net:udpgso_bench.shshown inconsistent behavior within the reference suite - added to the list of flappy tests forciqlts9_2-rt.Because of the
net:udpgso_bench.sh,timers:raw_skewtest results thenetandtimerssuites were repeated additional two times on the patched kernelkselftests-net-timers–src–ciqlts9_2-rt-CVE-2023-4206.4207.4208–run1.log
kselftests-net-timers–src–ciqlts9_2-rt-CVE-2023-4206.4207.4208–run2.log
The
net:udpgso_bench.shpassed the new run, suggesting that the test may be unstable.The
timers:raw_skewachieved a passing run on the patched kernel. It's unlikely that the patch introduced instabilitiy to this test as the change was not at all related to timers, rather the test itself should be noted to be unstable for future testing.The
net:altnames.shtest passed while it was being skipped before because of thejqtool installed on the testing machines in the meantime.Kselftests (networking): passed relative
Methodology
In general kselftests all the
net/forwardingtests fail (really should be skipped) because of the missing tool dependenciesBecause the patch deals with networking specifically, an additional batch of tests was carried out after solving the test requirements issues.
The
tools/testing/selftests/net/forwarding/forwarding.configfile used was created directly from thetools/testing/selftests/net/forwarding/forwarding.config.sample.Reference
Three test runs were conducted on the reference kernel.
kselftests-net-forwarding–src–ciqlts9_2-rt–run1.log
kselftests-net-forwarding–src–ciqlts9_2-rt–run2.log
kselftests-net-forwarding–src–ciqlts9_2-rt–run3.log
Patch
A single test run was conducted on the patched kernel.
kselftests-net-forwarding–src–ciqlts9_2-rt-CVE-2023-4206.4207.4208–run1.log
Comparison and discussion
Results for the reference and patched kernel are the same.
The list of
net/forwardingtests performed is not exhaustive (66 / 92). Thenet/forwarding:sch_ets.shtest executed right afternet/forwarding:router_vid_1.shcauses the machine to hang for more than 10 minutes and the used testing framework interrupts the test suite.The fix for the problem was deferred to another CVE for the sake of patching efficiency.