OESA-2023-1637

See a problem?
Please try reporting it to the source first.
Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1637
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2023-1637.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2023-1637
Upstream
Published
2023-09-15T11:05:55Z
Modified
2025-08-12T05:22:19.611556Z
Summary
kernel security update
Details

The Linux Kernel, the operating system core itself.

Security Fix(es):

A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation.

When route4change() is called on an existing filter, the whole tcfresult struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcfunbindfilter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.

(CVE-2023-4206)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation.

When fwchange() is called on an existing filter, the whole tcfresult struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcfunbindfilter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec.

(CVE-2023-4207)

A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation.

When u32change() is called on an existing filter, the whole tcfresult struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcfunbindfilter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free.

We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.

(CVE-2023-4208)

A use-after-free vulnerability in the Linux kernel's af_unix component can be exploited to achieve local privilege escalation.

The unixstreamsendpage() function tries to add data to the last skb in the peer's recv queue without locking the queue. Thus there is a race where unixstreamsendpage() could access an skb locklessly that is being released by garbage collection, resulting in use-after-free.

We recommend upgrading past commit 790c2f9d15b594350ae9bca7b236f2b1859de02c.

(CVE-2023-4622)

Database specific 
{
    "severity": "High"
}
References

Affected packages

openEuler:20.03-LTS-SP1 / kernel

Package

Name
kernel
Purl
pkg:rpm/openEuler/kernel&distro=openEuler-20.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.19.90-2309.3.0.0218.oe1

Ecosystem specific 

{
    "x86_64": [
        "python3-perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-tools-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-debugsource-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-devel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-tools-devel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "python2-perf-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-tools-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "python2-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "python3-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "perf-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "bpftool-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-source-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "kernel-4.19.90-2309.3.0.0218.oe1.x86_64.rpm",
        "bpftool-debuginfo-4.19.90-2309.3.0.0218.oe1.x86_64.rpm"
    ],
    "aarch64": [
        "kernel-debugsource-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "bpftool-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-tools-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "python3-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-tools-devel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-source-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "bpftool-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "python2-perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "python2-perf-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "python3-perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "perf-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-tools-debuginfo-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm",
        "kernel-devel-4.19.90-2309.3.0.0218.oe1.aarch64.rpm"
    ],
    "src": [
        "kernel-4.19.90-2309.3.0.0218.oe1.src.rpm"
    ]
}