[Debian] High CVE: CVE-2023-4004/CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593/CVE-2023-4132 kernel: multiple CVEs

Bug #2029211 reported by Yue Tao
Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Peng Zhang
Milestone: (none)

Bug Description

CVE-2023-4132: https://nvd.nist.gov/vuln/detail/CVE-2023-4132

A use-after-free vulnerability was found in the siano smsusb module in the Linux kernel. The bug occurs during device initialization when the siano device is plugged in. This flaw allows a local user to crash the system, causing a denial of service condition.

CVE-2023-4004: https://nvd.nist.gov/vuln/detail/CVE-2023-4004

A use-after-free flaw was found in the Linux kernel's netfilter in the way a user triggers the nft_pipapo_remove function with the element, without a NFT_SET_EXT_KEY_END. This issue could allow a local user to crash the system or potentially escalate their privileges on the system.

CVE-2023-20593: https://nvd.nist.gov/vuln/detail/CVE-2023-20593

An issue in “Zen 2” CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information.

CVE-2023-3863: https://nvd.nist.gov/vuln/detail/CVE-2023-3863

A use-after-free flaw was found in nfc_llcp_find_local in net/nfc/llcp_core.c in NFC in the Linux kernel. This flaw allows a local user with special privileges to impact a kernel information leak issue.

CVE-2023-31248: https://nvd.nist.gov/vuln/detail/CVE-2023-31248

Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

CVE-2023-35001: https://nvd.nist.gov/vuln/detail/CVE-2023-35001

Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace

CVE-2023-3117: https://nvd.nist.gov/vuln/detail/CVE-2023-3117

A use-after-free flaw was found in the Netfilter subsystem of the Linux kernel when processing named and anonymous sets in batch requests, which can lead to performing arbitrary reads and writes in kernel memory. This flaw allows a local user with CAP_NET_ADMIN capability to crash or potentially escalate their privileges on the system.

CVE-2023-3611: https://nvd.nist.gov/vuln/detail/CVE-2023-3611

An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation.

The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.

We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64.

CVE-2023-3610: https://nvd.nist.gov/vuln/detail/CVE-2023-3610

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

Flaw in the error handling of bound chains causes a use-after-free in the abort path of NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered.

We recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

CVE-2023-3776: https://nvd.nist.gov/vuln/detail/CVE-2023-3776

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability.

We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.

CVE-2023-3390: https://nvd.nist.gov/vuln/detail/CVE-2023-3390

A use-after-free vulnerability was found in the Linux kernel's netfilter subsystem in net/netfilter/nf_tables_api.c.

Mishandled error handling with NFT_MSG_NEWRULE makes it possible to use a dangling pointer in the same transaction causing a use-after-free vulnerability. This flaw allows a local attacker with user access to cause a privilege escalation issue.

We recommend upgrading past commit 1240eb93f0616b21c675416516ff3d74798fdc97.

CVE-2023-2898: https://nvd.nist.gov/vuln/detail/CVE-2023-2898

There is a null-pointer-dereference flaw found in f2fs_write_end_io in fs/f2fs/data.c in the Linux kernel. This flaw allows a local privileged user to cause a denial of service problem.

Base Score: High

References:

Upgrade Yocto linux_5.10.188

Yue Tao (wrytao)
tags: added: stx.9.0 stx.security
Yue Tao (wrytao)
summary: [Debian] High CVE:
- CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898
+ CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863
kernel: multiple CVEs
description: updated
Yue Tao (wrytao)
summary: [Debian] High CVE:
- CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863
+ CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593
kernel: multiple CVEs
description: updated
Yue Tao (wrytao)
summary: [Debian] High CVE:
- CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593
+ CVE-2023-4004/CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593
kernel: multiple CVEs
description: updated
Yue Tao (wrytao)
summary: [Debian] High CVE:
- CVE-2023-4004/CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593
+ CVE-2023-4004/CVE-2023-31248/CVE-2023-35001/CVE-2023-3117/CVE-2023-3611/CVE-2023-3610/CVE-2023-3776/CVE-2023-3390/CVE-2023-2898/CVE-2023-3863/CVE-2023-20593/CVE-2023-4132
kernel: multiple CVEs
description: updated
Peng Zhang (pzhang2)
Changed in starlingx:
assignee: nobody → Peng Zhang (pzhang2)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kernel (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/kernel/+/895943

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kernel (master)

Reviewed: https://review.opendev.org/c/starlingx/kernel/+/895943
Committed: https://opendev.org/starlingx/kernel/commit/825266d5ac65dd181e7de3eb142eb975d2f17d29
Submitter: "Zuul (22348)"
Branch: master

commit 825266d5ac65dd181e7de3eb142eb975d2f17d29
Author: Peng Zhang <email address hidden>
Date: Sat Sep 23 01:17:16 2023 +0800

    Update kernel to v5.10.189

    This commit updates kernel to 5.10.189 to fix following CVE issue:
    CVE-2023-4132: https://nvd.nist.gov/vuln/detail/CVE-2023-4132
    CVE-2023-4004: https://nvd.nist.gov/vuln/detail/CVE-2023-4004
    CVE-2023-20593: https://nvd.nist.gov/vuln/detail/CVE-2023-20593
    CVE-2023-3863: https://nvd.nist.gov/vuln/detail/CVE-2023-3863
    CVE-2023-31248: https://nvd.nist.gov/vuln/detail/CVE-2023-31248
    CVE-2023-35001: https://nvd.nist.gov/vuln/detail/CVE-2023-35001
    CVE-2023-3117: https://nvd.nist.gov/vuln/detail/CVE-2023-3117
    CVE-2023-3611: https://nvd.nist.gov/vuln/detail/CVE-2023-3611
    CVE-2023-3610: https://nvd.nist.gov/vuln/detail/CVE-2023-3610
    CVE-2023-3776: https://nvd.nist.gov/vuln/detail/CVE-2023-3776
    CVE-2023-3390: https://nvd.nist.gov/vuln/detail/CVE-2023-3390
    CVE-2023-2898: https://nvd.nist.gov/vuln/detail/CVE-2023-2898

    One of our source patches requires a refresh against the new kernel
    source. It was modified because a missed parameter needed to be added
    in the new kernel:
           Port-negative-dentries-limit-feature-from-3.10.patch.

    After upgrading the kernel, a new function eth_hw_addr_set was added in
    linux-headers-5.10.0-6-common, while it had already been defined in the
    following driver modules:
            i40e,i40e-cvl-4.10,iavf,iavf-cvl-4.10,ice,ice-cvl-4.10.
    To avoid the redefinition conflict, we allow the out-of-tree drivers
    to use the newly added in-tree version of the eth_hw_addr_set
    function. This is achieved by undefining the NEED_ETH_HW_ADDR_SET
    macro.

    Verification:
    - Kernel and out-of-tree modules build successfully for rt and std.
    - ISO builds successfully for rt and std.
    - Installs successfully onto an AIO-DX lab with the rt kernel.
    - Boots up successfully in the lab.
    - Sanity testing was done by our test team and no regression
      defect was found.
    - The cyclictest benchmark was also run on the StarlingX lab; the
      result is "samples: 259199999 avg: 1633 max: 8817 99.9999th
      percentile: 7612 overflows: 0", which is not a big difference from
      5.10.185 for avg and max.

    Closes-Bug: 2029211

    Change-Id: I107a0c0285ad2de39d56863cc5fed6273ad7fbd4
    Signed-off-by: Peng Zhang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
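The commit above resolves a redefinition conflict by undefining NEED_ETH_HW_ADDR_SET so that the out-of-tree Intel drivers pick up the in-tree eth_hw_addr_set once the 5.10.189 headers provide it. The following is an added example, not StarlingX, Intel or Linux kernel code, that models that compatibility-shim pattern in a single compile unit: a NEED_* guard selects a fallback helper only when the kernel header lacks it. The struct net_device layout, the KERNEL_HAS_ETH_HW_ADDR_SET feature macro, the example_mac value and the helper names around it are constructed stand-ins for illustration; a real shim keys the decision off the kernel version rather than a hand-set macro.

```c
/* Added example (not StarlingX, Intel or kernel code): models how an
 * out-of-tree driver's kcompat shim supplies a helper that older kernels
 * lack, guarded by a NEED_* macro, and why that macro must be undefined
 * once the in-tree header provides the same helper. All names below are
 * simplified stand-ins (assumptions), not the real kernel definitions. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ETH_ALEN 6

/* Minimal stand-in for struct net_device (assumption). */
struct net_device {
    uint8_t dev_addr[ETH_ALEN];
};

/* ---- Stand-in for the in-tree header after the kernel update ----
 * Emulates "the 5.10.189 headers now define eth_hw_addr_set". */
#define KERNEL_HAS_ETH_HW_ADDR_SET 1

#ifdef KERNEL_HAS_ETH_HW_ADDR_SET
static inline void eth_hw_addr_set(struct net_device *dev, const uint8_t *addr)
{
    memcpy(dev->dev_addr, addr, ETH_ALEN);
}
#endif

/* ---- Stand-in for the driver's kcompat shim ----
 * The pre-fix shim assumed the helper was always missing: */
#define NEED_ETH_HW_ADDR_SET

/* The fix: when the kernel already provides the helper, drop the NEED_
 * flag so the fallback below is not compiled; otherwise both definitions
 * would land in the same translation unit and the build would fail. */
#ifdef KERNEL_HAS_ETH_HW_ADDR_SET
#undef NEED_ETH_HW_ADDR_SET
#endif

#ifdef NEED_ETH_HW_ADDR_SET
/* Fallback for kernels lacking the helper; compiled only when needed. */
static inline void eth_hw_addr_set(struct net_device *dev, const uint8_t *addr)
{
    memcpy(dev->dev_addr, addr, ETH_ALEN);
}
#endif

/* Reports which copy the driver was built against: 1 = in-tree, 0 = shim. */
int compat_uses_in_tree_helper(void)
{
#ifdef NEED_ETH_HW_ADDR_SET
    return 0;
#else
    return 1;
#endif
}

/* Constructed sample MAC (locally administered, not a real device). */
const uint8_t example_mac[ETH_ALEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};

/* Driver-side caller: program a MAC through whichever eth_hw_addr_set
 * was selected, and return 1 if the stored address matches the input. */
int probe_set_mac(const uint8_t *mac)
{
    struct net_device dev;
    memset(&dev, 0, sizeof dev);
    eth_hw_addr_set(&dev, mac);
    return memcmp(dev.dev_addr, mac, ETH_ALEN) == 0;
}

int main(void)
{
    printf("using in-tree helper: %d\n", compat_uses_in_tree_helper());
    printf("mac programmed ok:    %d\n", probe_set_mac(example_mac));
    return 0;
}
```

Removing the `#undef` line while KERNEL_HAS_ETH_HW_ADDR_SET is set reproduces the failure mode the commit describes: the compiler reports a redefinition of eth_hw_addr_set. Keeping the `#undef` is what lets the same driver source build against both the older and the updated headers.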
This report contains Public Security information. Everyone can see this security related information.
