Use After Free Affecting kernel-debug-uki-virt package, versions <0:5.14.0-284.11.1.el9_2

Note: Versions mentioned in the description apply only to the upstream kernel-debug-uki-virt package and not the kernel-debug-uki-virt package as distributed by Oracle. See How to fix? for Oracle:9 relevant fixed versions and status.

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege.

There is a use-after-free bug of icsk_ulp_data of a struct inet_connection_sock.

When CONFIG_TLS is enabled, user can install a tls context (struct tls_context) on a connected tcp socket. The context is not cleared if this socket is disconnected and reused as a listener. If a new socket is created from the listener, the context is inherited and vulnerable.

The setsockopt TCP_ULP operation does not require any privilege.

We recommend upgrading past commit 2c02d41d71f90a5168391b6a5f2954112ba2307c

• https://linux.oracle.com/cve/CVE-2023-0461.html
• https://linux.oracle.com/errata/ELSA-2023-2458.html
• https://linux.oracle.com/errata/ELSA-2023-2951.html
• https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2c02d41d71f90a5168391b6a5f2954112ba2307c
• https://kernel.dance/#2c02d41d71f90a5168391b6a5f2954112ba2307c
• https://lists.debian.org/debian-lts-announce/2023/05/msg00005.html
• https://lists.debian.org/debian-lts-announce/2023/05/msg00006.html