CVE-2023-42755: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability (CVE-2023-42755) was discovered in the IPv4 Resource Reservation Protocol (RSVP) classifier in the Linux kernel. The flaw allows the xprt pointer to go beyond the linear part of the skb, leading to an out-of-bounds read in the rsvp_classify function. The vulnerability was discovered by Kyle Zeng and affects Linux kernel versions up to 6.2 (NVD, OSS-SEC).

The root cause is a slab-out-of-bounds access in the rsvp_change function. Since the offset to the original pointer is an unsigned int fully controlled by users, the behavior typically results in a wild pointer access. The vulnerability occurs because RSVP_PINFO is passed to the kernel without proper validation checks, leading to potential arbitrary pointer manipulation when the classifier performs classification in the rsvp_classify function (OSS-SEC). The vulnerability has been assigned a CVSS v3.1 base score of 5.5 MEDIUM (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) (NVD).

This vulnerability may allow a local user to crash the system and cause a denial of service. The issue can be exploited by unprivileged users to achieve local denial of service or potential data leaks (NVD, Ubuntu).

The vulnerability has been mitigated by removing the cls_rsvp classifier entirely from the Linux kernel. This fix was implemented in Linux kernel version 6.3-rc1 through a patch that retires the RSVP classifier in all stable trees (Debian). Various Linux distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux, Ubuntu, and Debian.