| Message ID | 20240628163818.18631-1-bethany.jamison@canonical.com |
|---|---|
| Series | CVE-2024-27019 |
On Fri, Jun 28, 2024 at 11:38:16AM -0500, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
> nft_unregister_obj() can run concurrently with __nft_obj_type_get(),
> and there is no protection when iterating over the nf_tables_objects
> list in __nft_obj_type_get(). Therefore, there is a potential data race
> on nf_tables_objects list entries.
>
> Use list_for_each_entry_rcu() to iterate over the nf_tables_objects
> list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
> nft_obj_type_get() to protect the entire type query process.
>
> [Fix]
>
> Noble: pending
> Jammy: pending
> Focal: Backport prereq commit (ignore neighboring line context
> conflict); clean cherry-pick for fix commit
> Bionic: needed
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use the netfilter framework; an issue with
> this fix would be visible to the user via unexpected system behavior
> or a system crash.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
>
> Ziyang Xuan (1):
>   netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
>  include/net/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nf_tables_api.c     | 22 +++++++++++++++-------
>  net/netfilter/nft_tunnel.c        |  1 +
>  3 files changed, 18 insertions(+), 7 deletions(-)
>
> --
> 2.34.1
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
On 28-06-2024 18:38, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
> nft_unregister_obj() can run concurrently with __nft_obj_type_get(),
> and there is no protection when iterating over the nf_tables_objects
> list in __nft_obj_type_get(). Therefore, there is a potential data race
> on nf_tables_objects list entries.
>
> Use list_for_each_entry_rcu() to iterate over the nf_tables_objects
> list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
> nft_obj_type_get() to protect the entire type query process.
>
> [Fix]
>
> Noble: pending
> Jammy: pending
> Focal: Backport prereq commit (ignore neighboring line context
> conflict); clean cherry-pick for fix commit
> Bionic: needed
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use the netfilter framework; an issue with
> this fix would be visible to the user via unexpected system behavior
> or a system crash.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
>
> Ziyang Xuan (1):
>   netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
>  include/net/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nf_tables_api.c     | 22 +++++++++++++++-------
>  net/netfilter/nft_tunnel.c        |  1 +
>  3 files changed, 18 insertions(+), 7 deletions(-)
>

Acked-by: Thibault Ferrante <thibault.ferrante@canonical.com>

--
Thibault
On 28.06.24 18:38, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
> nft_unregister_obj() can run concurrently with __nft_obj_type_get(),
> and there is no protection when iterating over the nf_tables_objects
> list in __nft_obj_type_get(). Therefore, there is a potential data race
> on nf_tables_objects list entries.
>
> Use list_for_each_entry_rcu() to iterate over the nf_tables_objects
> list in __nft_obj_type_get(), and use rcu_read_lock() in the caller
> nft_obj_type_get() to protect the entire type query process.
>
> [Fix]
>
> Noble: pending
> Jammy: pending
> Focal: Backport prereq commit (ignore neighboring line context
> conflict); clean cherry-pick for fix commit
> Bionic: needed
> Xenial: not affected
> Trusty: not affected
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use the netfilter framework; an issue with
> this fix would be visible to the user via unexpected system behavior
> or a system crash.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
>
> Ziyang Xuan (1):
>   netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()
>
>  include/net/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nf_tables_api.c     | 22 +++++++++++++++-------
>  net/netfilter/nft_tunnel.c        |  1 +
>  3 files changed, 18 insertions(+), 7 deletions(-)
>

Applied to focal:linux/master-next. Thanks.

-Stefan
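The lookup/unregister pattern that the quoted cover letter describes, as an added example that is neither the kernel's code nor part of this thread. It is built to run in user space, so rcu_read_lock(), rcu_read_unlock() and synchronize_rcu() are a reader-counter stand-in for the kernel primitives, the registry is a plain singly linked list rather than a list_head, and the family filter in __nft_obj_type_get() is my reading of the prerequisite "restrict tunnel object to NFPROTO_NETDEV" commit, not its exact diff.

```c
/* Added, constructed example (not kernel code): the registry lookup and the
 * unregister protocol from the cover letter, rebuilt in user space. The rcu_*
 * helpers are a reader-counter stand-in for the kernel's RCU; the list is singly linked. */
#include <stdatomic.h>
#include <stddef.h>
#define NFPROTO_UNSPEC 0    /* values as in uapi/linux/netfilter.h */
#define NFPROTO_NETDEV 5

struct nft_object_type {    /* family NFPROTO_UNSPEC matches every family */
    unsigned int type; unsigned char family; _Atomic(struct nft_object_type *) next;
};
static _Atomic(struct nft_object_type *) nf_tables_objects;  /* registry head */
static atomic_int rcu_readers;  /* stand-in: readers currently inside a critical section */

static void rcu_read_lock(void)   { atomic_fetch_add(&rcu_readers, 1); }
static void rcu_read_unlock(void) { atomic_fetch_sub(&rcu_readers, 1); }
static void synchronize_rcu(void) { while (atomic_load(&rcu_readers)) ; }

/* Writer side; the kernel serializes writers with nfnl_lock, assumed here too. */
void nft_register_obj(struct nft_object_type *t)    /* publish, like list_add_rcu() */
{ atomic_store(&t->next, atomic_load(&nf_tables_objects)); atomic_store(&nf_tables_objects, t); }

void nft_unregister_obj(struct nft_object_type *t)  /* t must be registered */
{
    _Atomic(struct nft_object_type *) *pp = &nf_tables_objects;
    for (struct nft_object_type *cur; (cur = atomic_load(pp)) != t; pp = &cur->next)
        ;                                    /* find the link that points at t */
    atomic_store(pp, atomic_load(&t->next)); /* unlink; t->next stays usable by readers on t */
    synchronize_rcu();                       /* only now may *t be freed or reused */
}

/* Reader side: the walk must run under rcu_read_lock(). The family filter is
 * my reading of the prerequisite "restrict tunnel object" commit. */
static const struct nft_object_type *__nft_obj_type_get(unsigned int objtype, unsigned char family)
{
    for (struct nft_object_type *t = atomic_load(&nf_tables_objects); t; t = atomic_load(&t->next)) {
        if (t->family != NFPROTO_UNSPEC && t->family != family)
            continue;
        if (t->type == objtype)
            return t;
    }
    return NULL;
}

const struct nft_object_type *nft_obj_type_get(unsigned int objtype, unsigned char family)
{
    rcu_read_lock();                         /* the fix: cover the whole query */
    const struct nft_object_type *t = __nft_obj_type_get(objtype, family);
    rcu_read_unlock();                       /* kernel: try_module_get(t->owner) before this */
    return t;
}
```

The unpatched shape differs only in that the walk runs without the rcu_read_lock()/rcu_read_unlock() pair, so nothing stops nft_unregister_obj() from finishing synchronize_rcu() and freeing an entry a reader is still on.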