[SRU,Focal-OEM-5.14/Jammy-OEM-5.17,0/1] CVE-2023-1095

Message ID 20230317191406.39155-1-yuxuan.luo@canonical.com
Series CVE-2023-1095

Message

Yuxuan Luo March 17, 2023, 7:14 p.m. UTC
[Impact]
In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object.
nft_trans_destroy() calls list_del(), but the transaction was never placed
on a list -- the list head is all zeroes, this results in a NULL pointer
dereference.

[Backport]
Clean cherry pick.

[Test]
Compile and smoke tested.

[Potential Regression]
Little or even no regression since the change only initialized the list header.


Florian Westphal (1):
  netfilter: nf_tables: fix null deref due to zeroed list head

 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)
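
The failure mode described under [Impact], as an added user-space example that is not part of the original message or the kernel patch. `struct trans`, `trans_alloc`, `trans_destroy`, `error_path`, `queued_path` and `model_list_del` are hypothetical stand-ins; the model assumes the object is zero-allocated and that the fix initializes the list head at allocation time, and it reports the NULL dereference as -1 instead of faulting.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal user-space model of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h; h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *head) {
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* list_del() writes through entry->next and entry->prev. On a zeroed node
 * both are NULL, so the real code faults; this model returns -1 instead. */
static int model_list_del(struct list_head *e) {
    if (!e->next || !e->prev) return -1;
    e->next->prev = e->prev;
    e->prev->next = e->next;
    return 0;
}

/* Hypothetical stand-in for a transaction object (constructed for this example). */
struct trans { struct list_head list; };
static struct trans *trans_alloc(int init_list) {
    struct trans *t = calloc(1, sizeof(*t));      /* zeroed allocation */
    if (t && init_list) INIT_LIST_HEAD(&t->list); /* the one-line fix, modelled */
    return t;
}
static int trans_destroy(struct trans *t) {
    int rc = model_list_del(&t->list);            /* unlink, then free */
    free(t);
    return rc;
}

/* Error path: object allocated, never queued, then destroyed. */
static int error_path(int init_list) {
    struct trans *t = trans_alloc(init_list);
    return t ? trans_destroy(t) : -2;
}

/* Normal path: object queued on a list before destruction. */
static int queued_path(int init_list) {
    struct list_head commit_list;
    struct trans *t = trans_alloc(init_list);
    if (!t) return -2;
    INIT_LIST_HEAD(&commit_list);
    list_add_tail(&t->list, &commit_list);
    return trans_destroy(t) == 0 && commit_list.next == &commit_list ? 0 : -1;
}

int main(void) {
    printf("error path, zeroed head: %d\n", error_path(0));
    printf("error path, initialized head: %d\n", error_path(1));
    printf("queued path, zeroed head: %d\n", queued_path(0));
    return 0;
}
```

The queued path succeeds even without the initialization because `list_add_tail` overwrites both pointers, which is why only the early error path is affected.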

Comments

Tim Gardner March 21, 2023, 6:17 p.m. UTC | #1
On 3/17/23 1:14 PM, Yuxuan Luo wrote:
> [Impact]
> In nf_tables_updtable, if nf_tables_table_enable returns an error,
> nft_trans_destroy is called to free the transaction object.
> nft_trans_destroy() calls list_del(), but the transaction was never placed
> on a list -- the list head is all zeroes, this results in a NULL pointer
> dereference.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Compile and smoke tested.
> 
> [Potential Regression]
> Little or even no regression since the change only initialized the list header.
> 
> 
> Florian Westphal (1):
>    netfilter: nf_tables: fix null deref due to zeroed list head
> 
>   net/netfilter/nf_tables_api.c | 1 +
>   1 file changed, 1 insertion(+)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Manuel Diewald April 4, 2023, 7:47 a.m. UTC | #2
On Fri, Mar 17, 2023 at 03:14:05PM -0400, Yuxuan Luo wrote:
> [Impact]
> In nf_tables_updtable, if nf_tables_table_enable returns an error,
> nft_trans_destroy is called to free the transaction object.
> nft_trans_destroy() calls list_del(), but the transaction was never placed
> on a list -- the list head is all zeroes, this results in a NULL pointer
> dereference.
> 
> [Backport]
> Clean cherry pick.
> 
> [Test]
> Compile and smoke tested.
> 
> [Potential Regression]
> Little or even no regression since the change only initialized the list header.
> 
> 
> Florian Westphal (1):
>   netfilter: nf_tables: fix null deref due to zeroed list head
> 
>  net/netfilter/nf_tables_api.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> -- 
> 2.34.1

Applied to jammy:linux-oem-5.17. Thank you!