Message ID | 20240412185000.22195-1-bethany.jamison@canonical.com |
---|---|
Series | CVE-2024-26809 |
On 24/04/12 01:49PM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
> Clone already always provides a current view of the lookup table, use it
> to destroy the set, otherwise it is possible to destroy elements twice.
>
> This fix requires:
>
> 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
> protocol")
>
> which came after:
>
> 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
> abort path").
>
> [Fix]
>
> Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> was already in stable.
> Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable.

For the benefit of other reviewers, the prerequisite three commits of the 9827a0e6e23b fix in Jammy are already included in the repository.

> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies), an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
>   netfilter: nft_set_pipapo: store index in scratch maps
>   netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>   netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
>   netfilter: nft_set_pipapo: release elements in clone only from destroy
>     path
>
>  net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>  net/netfilter/nft_set_pipapo.h      |  18 +++--
>  net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>  3 files changed, 76 insertions(+), 72 deletions(-)

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>

On 4/12/24 12:49 PM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
> Clone already always provides a current view of the lookup table, use it
> to destroy the set, otherwise it is possible to destroy elements twice.
>
> This fix requires:
>
> 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
> protocol")
>
> which came after:
>
> 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
> abort path").
>
> [Fix]
>
> Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> was already in stable.
> Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies), an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
>   netfilter: nft_set_pipapo: store index in scratch maps
>   netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>   netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
>   netfilter: nft_set_pipapo: release elements in clone only from destroy
>     path
>
>  net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>  net/netfilter/nft_set_pipapo.h      |  18 +++--
>  net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>  3 files changed, 76 insertions(+), 72 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

On 12/04/2024 20:49, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
> Clone already always provides a current view of the lookup table, use it
> to destroy the set, otherwise it is possible to destroy elements twice.
>
> This fix requires:
>
> 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
> protocol")
>
> which came after:
>
> 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
> abort path").
>
> [Fix]
>
> Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> was already in stable.
> Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies), an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
>   netfilter: nft_set_pipapo: store index in scratch maps
>   netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>   netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
>   netfilter: nft_set_pipapo: release elements in clone only from destroy
>     path
>
>  net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>  net/netfilter/nft_set_pipapo.h      |  18 +++--
>  net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>  3 files changed, 76 insertions(+), 72 deletions(-)
>

Applied to mantic, jammy master-next branches. Thanks!

For mantic, the first 3 patches were already applied.
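
A simplified user-space model of the double release described in the quoted commit message, added here as an illustration; it is not kernel code and not code from this thread. The names `elem`, `view`, `toy_set` and the destroy functions are hypothetical, and a counter stands in for the actual free so the second release is observable rather than undefined behaviour.

```c
#include <stddef.h>

#define MAX_ELEMS 8

/* Constructed stand-in for a set element; 'released' counts release calls. */
struct elem { int key; int released; };

/* Simplified lookup-table view: an array of pointers to shared elements. */
struct view { struct elem *e[MAX_ELEMS]; size_t n; };

/* Simplified set: a live view plus a clone that also holds pending updates. */
struct toy_set { struct view match; struct view clone; };

static void view_release(struct view *v)
{
    for (size_t i = 0; i < v->n; i++)
        v->e[i]->released++;
}

/* Pattern to avoid: elements present in both views are released twice. */
static void destroy_both_views(struct toy_set *s)
{
    view_release(&s->match);
    view_release(&s->clone);
}

/* Pattern named in the fix title: release from the clone only, since it
 * already reflects the current contents of the set. */
static void destroy_clone_only(struct toy_set *s)
{
    view_release(&s->clone);
}

/* Constructed scenario: two committed elements and one pending in the clone.
 * Runs 'destroy' and reports how often each element was released. */
static void release_counts(void (*destroy)(struct toy_set *), int out[3])
{
    struct elem pool[3] = { {1, 0}, {2, 0}, {3, 0} };
    struct toy_set s = {
        .match = { { &pool[0], &pool[1] }, 2 },
        .clone = { { &pool[0], &pool[1], &pool[2] }, 3 },
    };

    destroy(&s);
    for (size_t i = 0; i < 3; i++)
        out[i] = pool[i].released;
}

int main(void)
{
    int c[3];
    release_counts(destroy_clone_only, c);
    return !(c[0] == 1 && c[1] == 1 && c[2] == 1);
}
```

In the model, a count of 2 corresponds to the "destroy elements twice" case, and a count of 0 would correspond to the memory leak the cover letter lists under where problems could occur.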