Bug 1215150 (CVE-2023-42753)

Summary: VUL-0: CVE-2023-42753: kernel-source: slab-out-of-bound access in the Linux kernel
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: abergmann, denis.kirjanov, meissner, mkubecek, pmladek, rfrohl
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/377730/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1218613

Comment 2 Gianluca Gabrielli 2023-09-11 07:25:06 UTC
this is in upstream as https://git.kernel.org/linus/050d91c03b28ca479df13dfb02bcd2c60dd6a878
Comment 3 Gianluca Gabrielli 2023-09-11 07:26:56 UTC
Affected branches:
 - SLE15-SP4
 - cve/linux-4.12
 - cve/linux-4.4
 - cve/linux-5.3
 - stable
Comment 4 Petr Mladek 2023-09-11 11:07:56 UTC
Michal, this seems to be in your area.
Comment 5 Gianluca Gabrielli 2023-09-11 11:31:52 UTC
*** Bug 1215147 has been marked as a duplicate of this bug. ***
Comment 7 Michal Kubeček 2023-09-11 13:02:25 UTC
(In reply to Gianluca Gabrielli from comment #3)
> Affected branches:
>  - SLE15-SP4
>  - cve/linux-4.12
>  - cve/linux-4.4
>  - cve/linux-5.3
>  - stable

Are you sure? AFAICS the issue was introduced in mainline 4.20 by commit
886503f34d63 ("netfilter: ipset: actually allow allowable CIDR 0 in
hash:net,port,net") which was backported only into SLE12-SP3-LTSS
(via 4.4.165 stable update). Thus the targets should rather be

  stable
  SLE15-SP6
  SLE15-SP4
  cve/linux-5.3
  SLE12-SP3-LTSS
Comment 8 Gianluca Gabrielli 2023-09-11 14:05:45 UTC
(In reply to Michal Kubeček from comment #7)
> (In reply to Gianluca Gabrielli from comment #3)
> > Affected branches:
> >  - SLE15-SP4
> >  - cve/linux-4.12
> >  - cve/linux-4.4
> >  - cve/linux-5.3
> >  - stable
> 
> Are you sure? AFAICS the issue was introduced in mainline 4.20 by commit
> 886503f34d63 ("netfilter: ipset: actually allow allowable CIDR 0 in
> hash:net,port,net") which was backported only into SLE12-SP3-LTSS
> (via 4.4.165 stable update). Thus the targets should rather be
> 
>   stable
>   SLE15-SP6
>   SLE15-SP4
>   cve/linux-5.3

Yes, you are right. My script confirms your statement:

```
> git find-commit 886503f34d63
919560afc21f netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
186642845b02 netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
0d5d0b5c41f7 netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
cb3e590df429 netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
        stable
517fa0345516 - Linux 4.19.5 (bnc#1012628).
        stable
5b2159beadc8 - Linux 4.4.165 (bnc#1012382).
886503f34d63 netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net
        SLE15-SP4
        SLE15-SP6
        cve/linux-5.3
        stable
050d91c03b28 netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
```

>   SLE12-SP3-LTSS

Is this branch something we should monitor for security fixes? Looking at this graph [0] I don't see it framed with the bold black line.


[0] https://kerncvs.suse.de/
Comment 9 Michal Kubeček 2023-09-11 14:14:31 UTC
(In reply to Gianluca Gabrielli from comment #8)
> (In reply to Michal Kubeček from comment #7)
> >   SLE12-SP3-LTSS
> 
> Is this branch something we should monitor for security fixes? Looking at
> this graph [0] I don't see it framed with the bold black line.

It is not framed because normally SLE12-SP3-LTSS inherits CVE fixes from
cve/linux-4.4. But in this case the offending commit was backported only
to SLE12-SP3-LTSS and not into other 4.4 based branches so that the fix
should be submitted directly into SLE12-SP3-LTSS rather than via
cve/linux-4.4.
Comment 15 Gianluca Gabrielli 2023-09-27 06:35:37 UTC
Public on osss ML
-----------------

From: Kyle Zeng.

Hi there,

I recently found an array indexing vulnerability in the netfilter
ipset subsystem in Linux, which I believe is exploitable in some
systems because of its nature to increment/decrement pointers
out-of-bound.

I confirm that this bug affects at least upstream, 6.1, 5.15, and 5.10.

[Root Cause]
The root cause of the vulnerability is a missing IP_SET_HASH_WITH_NET0
macro in `ip_set_hash_netportnet`, which leads it to use the wrong
`CIDR_POS(c)` macro for calculating array offsets.

More specifically, IP_SET_HASH_WITH_NET0 decides how to calculate the
index used to access `h->nets`.
~~~
#ifdef IP_SET_HASH_WITH_NET0
/* cidr from 0 to HOST_MASK value and c = cidr + 1 */
#define NLEN                    (HOST_MASK + 1)
#define CIDR_POS(c)             ((c) - 1)
#else
/* cidr from 1 to HOST_MASK value and c = cidr + 1 */
#define NLEN                    HOST_MASK
#define CIDR_POS(c)             ((c) - 2)
#endif
~~~
Previously, when IP_SET_HASH_WITH_NET0 was missing, users could pass in
a cidr == 0, which leads to `NCIDR_PUT(DCIDR_GET(d->cidr, i))` in
`hash_netportnet6_add` (generated by `mtype_add`) resolving to 1. This
will lead to `cidr=1` being passed to `hash_netportnet6_add_cidr` (generated
by `mtype_add_cidr`). And finally, depending on the compiler,
`CIDR_POS(cidr)` may be resolved to one of (-1, 0xff, 0xffffffff),
leading to out-of-bound access in `h->nets[CIDR_POS(cidr)].nets[n]`.

Notice that `cidr`'s type is `u8`, which means the expected value here
is 0xff. But depending on the compiler, it can be resolved to different
values. Vegard Nossum let me know that they could only make it -1
indexing on amd64 systems. I expect the value to be different on
different architectures. In the worst case, it can lead to
slab-out-of-bound access, which is likely exploitable as demonstrated
as follows.

[Severity]

mtype_add_cidr/mtype_del_cidr contain snippets like the following:
~~~
static void
mtype_add_cidr(...)
{
        ...
        h->nets[CIDR_POS(cidr)].nets[n]++;
        ...
}

static void
mtype_del_cidr(...)
{
        ...
        h->nets[CIDR_POS(cidr)].nets[n]--;
        ...
}
~~~
This provides attackers with the primitive to
arbitrarily increment/decrement memory out of bounds, which is likely
exploitable.
For example, attackers can manipulate a buffer pointer to obtain an OOB
read/write primitive, or increase the length of a buffer to read/write
out of bounds.

[Patch]
I already contacted the linux kernel security and a patch can be found
here: https://git.kernel.org/linus/050d91c03b28ca479df13dfb02bcd2c60dd6a878
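As an added illustration (not part of the bug report or of the kernel source), the following C model of the two `CIDR_POS()` variants shows why a user-supplied cidr of 0 yields index -1 without IP_SET_HASH_WITH_NET0 and index 0 with it. It assumes HOST_MASK is 128 as for the IPv6 variant and takes the stored value c = cidr + 1 from the comment in the quoted macro block; the `nets_index_*` helper names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;
#define HOST_MASK 128 /* IPv6 host mask, assumed for hash_netportnet6 */

/* Pre-fix ip_set_hash_netportnet.c: IP_SET_HASH_WITH_NET0 is not defined,
 * so cidr is expected in 1..HOST_MASK, NLEN = HOST_MASK, CIDR_POS(c) = c - 2. */
#define NLEN_WITHOUT_NET0        HOST_MASK
#define CIDR_POS_WITHOUT_NET0(c) ((c) - 2)

/* After commit 050d91c03b28: IP_SET_HASH_WITH_NET0 is defined, cidr 0 is
 * a valid value, NLEN = HOST_MASK + 1 and CIDR_POS(c) = c - 1. */
#define NLEN_WITH_NET0        (HOST_MASK + 1)
#define CIDR_POS_WITH_NET0(c) ((c) - 1)

/* The element stores c = cidr + 1, as the macro comments above describe. */
static u8 stored_cidr(u8 user_cidr) { return (u8)(user_cidr + 1); }

/* Index into h->nets[] as the pre-fix code computes it. The u8 operand is
 * promoted to int before the subtraction, so user cidr 0 (c == 1) gives -1,
 * one element before the start of h->nets (the amd64 behaviour reported). */
int nets_index_without_net0(u8 user_cidr)
{
	return CIDR_POS_WITHOUT_NET0(stored_cidr(user_cidr));
}

/* The same computation with the macro the fix adds: cidr 0 maps to index 0. */
int nets_index_with_net0(u8 user_cidr)
{
	return CIDR_POS_WITH_NET0(stored_cidr(user_cidr));
}

/* Bounds check against the nets[] length. The kernel performs no such check
 * at the access site, which is why the wrong macro becomes a memory bug. */
bool nets_index_in_bounds(int idx, int nlen)
{
	return idx >= 0 && idx < nlen;
}

int main(void)
{
	int old = nets_index_without_net0(0), fixed = nets_index_with_net0(0);
	printf("cidr 0: pre-fix index %d (%s), fixed index %d (%s)\n",
	       old, nets_index_in_bounds(old, NLEN_WITHOUT_NET0) ? "ok" : "OOB",
	       fixed, nets_index_in_bounds(fixed, NLEN_WITH_NET0) ? "ok" : "OOB");
	return 0;
}
```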
Comment 16 Michal Kubeček 2023-10-04 07:57:53 UTC
introduced      886503f34d63    4.20-rc2
fixed           050d91c03b28    6.6-rc1

The offending commit has been also backported to SLE12-SP3-LTSS (but not
other 4.4 based branches or any 4.12 based). The fix has been submitted to
all relevant branches:

stable          6.5.3           (references updated)
SLE15-SP6       695ac3b472c2    (merged)
SLE15-SP4       7a6be79463f9    (merged)
cve/linux-5.3   c0f449e04a54    (merged)
SLE12-SP3-LTSS  c6b28fffcf1d

Reassigning back to security team.
Comment 29 Maintenance Automation 2023-10-10 16:35:23 UTC
SUSE-SU-2023:4030-1: An update that solves 13 vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1207036, 1208995, 1210169, 1210643, 1212703, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP2 (src): kernel-livepatch-SLE15-SP2_Update_41-1-150200.5.3.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): kernel-obs-build-5.3.18-150200.24.166.1, kernel-source-5.3.18-150200.24.166.1, kernel-default-base-5.3.18-150200.24.166.1.150200.9.83.1, kernel-syms-5.3.18-150200.24.166.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Maintenance Automation 2023-10-12 12:46:33 UTC
SUSE-SU-2023:4058-1: An update that solves 18 vulnerabilities, contains three features and has 71 security fixes can now be installed.

Category: security (important)
Bug References: 1065729, 1152472, 1187236, 1201284, 1202845, 1206453, 1208995, 1210169, 1210643, 1210658, 1212639, 1212703, 1213123, 1213534, 1213808, 1214022, 1214037, 1214040, 1214233, 1214351, 1214479, 1214543, 1214635, 1214813, 1214873, 1214928, 1214940, 1214941, 1214942, 1214943, 1214944, 1214945, 1214946, 1214947, 1214948, 1214949, 1214950, 1214951, 1214952, 1214953, 1214954, 1214955, 1214957, 1214958, 1214959, 1214961, 1214962, 1214963, 1214964, 1214965, 1214966, 1214967, 1214986, 1214988, 1214990, 1214991, 1214992, 1214993, 1214995, 1214997, 1214998, 1215115, 1215117, 1215123, 1215124, 1215148, 1215150, 1215221, 1215275, 1215322, 1215467, 1215523, 1215581, 1215752, 1215858, 1215860, 1215861, 1215875, 1215877, 1215894, 1215895, 1215896, 1215899, 1215911, 1215915, 1215916, 1215941, 1215956, 1215957
CVE References: CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-37453, CVE-2023-39192, CVE-2023-39193, CVE-2023-39194, CVE-2023-40283, CVE-2023-4155, CVE-2023-42753, CVE-2023-42754, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921, CVE-2023-5345
Jira References: PED-1549, PED-2023, PED-2025
Sources used:
openSUSE Leap 15.5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1
Public Cloud Module 15-SP5 (src): kernel-source-azure-5.14.21-150500.33.20.1, kernel-syms-azure-5.14.21-150500.33.20.1

Comment 32 Maintenance Automation 2023-10-17 16:30:23 UTC
SUSE-SU-2023:4095-1: An update that solves 14 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207036, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-23454, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:
SUSE Linux Enterprise Live Patching 15-SP3 (src): kernel-livepatch-SLE15-SP3_Update_37-1-150300.7.5.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Proxy 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Retail Branch Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Manager Server 4.2 (src): kernel-source-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Enterprise Storage 7.1 (src): kernel-syms-5.3.18-150300.59.138.1, kernel-source-5.3.18-150300.59.138.1, kernel-obs-build-5.3.18-150300.59.138.1, kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2
SUSE Linux Enterprise Micro for Rancher 5.2 (src): kernel-default-base-5.3.18-150300.59.138.1.150300.18.80.2

Comment 34 Maintenance Automation 2023-10-20 12:30:11 UTC
SUSE-SU-2023:4142-1: An update that solves 13 vulnerabilities and has eight security fixes can now be installed.

Category: security (important)
Bug References: 1176588, 1202845, 1207270, 1208995, 1210169, 1210643, 1210658, 1212703, 1213812, 1214233, 1214351, 1214380, 1214386, 1215115, 1215117, 1215150, 1215221, 1215275, 1215299, 1215322, 1215356
CVE References: CVE-2020-36766, CVE-2023-1192, CVE-2023-1206, CVE-2023-1859, CVE-2023-2177, CVE-2023-4004, CVE-2023-40283, CVE-2023-42753, CVE-2023-4389, CVE-2023-4622, CVE-2023-4623, CVE-2023-4881, CVE-2023-4921
Sources used:

Comment 37 Robert Frohl 2024-06-05 07:48:02 UTC
done, closing