Bug 1219397 - VUL-0: kernel: use-after-free in cls_tcindex
Summary: VUL-0: kernel: use-after-free in cls_tcindex
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Michal Koutný
QA Contact: Security Team bot
URL: 1212934
Whiteboard:
Keywords:
Depends on: CVE-2023-1829
Blocks:
Reported: 2024-01-31 09:03 UTC by Thomas Leroy
Modified: 2024-07-09 13:04 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
mkoutny: needinfo? (security-team)


Description Thomas Leroy 2024-01-31 09:03:18 UTC
A use-after-free was found and exploited during Real World CTF 2024 in cls_tcindex.
The module has been dropped upstream but we might still ship it.

References:
https://github.com/N1ghtu/RWCTF6th-RIPTC
Comment 1 Thomas Leroy 2024-01-31 09:06:00 UTC
The writeup is public, so we should consider this public.

Maintainers, could you please double-check that we ship the module? (I find CONFIG_NET_CLS_TCINDEX=m in all base branches)

Furthermore, since upstream dropped the code, they might not be interested in working on a fix.
Comment 3 Marcus Meissner 2024-01-31 12:20:18 UTC
dup of https://bugzilla.suse.com/show_bug.cgi?id=1210335 ?
Comment 4 Thomas Leroy 2024-01-31 13:29:10 UTC
(In reply to Marcus Meissner from comment #3)
> dup of https://bugzilla.suse.com/show_bug.cgi?id=1210335 ?

I don't think so. The code provided was the one just before being dropped. Thus including all previous CVE fixes.
Comment 5 Marcus Meissner 2024-01-31 14:20:21 UTC
(In reply to Thomas Leroy from comment #4)
> (In reply to Marcus Meissner from comment #3)
> > dup of https://bugzilla.suse.com/show_bug.cgi?id=1210335 ?
> 
> I don't think so. The code provided was the one just before being dropped.
> Thus including all previous CVE fixes.

Yes, I agree.

And yes, we ship tcindex.
Comment 6 Jan Kara 2024-02-01 18:25:42 UTC
This is going to be "interesting". We ship with CONFIG_NET_CLS_TCINDEX in all our kernels upto SLE15-SP5 (inclusive). Since the driver is not upstream, we cannot really hope for an upstream fix. In bug 1210335 Michal Koutny was mentioning blacklisting cls_tcindex module which seems as the sanest course for the future. Assigning to Michal since he seems to be dealing with blacklisting of cls_tcindex...