[SRU,Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar,0/1] CVE-2023-3610

Message ID 20230723014340.284173-1-cengiz.can@canonical.com
Series CVE-2023-3610

Message

Cengiz Can July 22, 2023, 8:43 p.m. UTC
[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation. A flaw in the
error handling of bound chains causes a use-after-free in the abort path of
NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

[Fix]
Commits picked from either stable or upstream. The ones that are marked as
backports only differ in contexts, specifically in nf_tables.h.

[Test case]
Tested with the test suites that ship with the following repositories:

- git://git.netfilter.org/iptables
- git://git.netfilter.org/nftables

Test results:

- iptables/tests/run_tests.sh produced the exact same results with or without the
patch.
- nftables/tests/shell/run_tests.sh produced similar results with or without the
patch (kinetic produces 1 fewer failure with the patch).

[Potential regression]
All users who use netfilter rules might be affected.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: fix chain binding transaction logic

 include/net/netfilter/nf_tables.h | 21 +++++++-
 net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
 net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
 3 files changed, 153 insertions(+), 41 deletions(-)

Comments

Stefan Bader July 24, 2023, 9:52 a.m. UTC | #1
On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. A flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with the test suites that ship with the following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced the exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch (kinetic produces 1 fewer failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 

Occasionally I also see oem-6.1 mentioned. What about that? Also
s/Kinetic/HWE-5.19/ for future reference.
Tim Gardner July 24, 2023, 12:33 p.m. UTC | #2
On 7/22/23 2:43 PM, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. A flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with the test suites that ship with the following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced the exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch (kinetic produces 1 fewer failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Timo Aaltonen July 28, 2023, 9:28 a.m. UTC | #3
Stefan Bader wrote on 24.7.2023 at 12.52:
> On 22.07.23 22:43, Cengiz Can wrote:
>> [Impact]
>> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
>> component can be exploited to achieve local privilege escalation. A flaw
>> in the
>> error handling of bound chains causes a use-after-free in the abort 
>> path of
>> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be 
>> triggered. We
>> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>>
>> [Fix]
>> Commits picked from either stable or upstream. The ones that are 
>> marked as
>> backports only differ in contexts, specifically in nf_tables.h.
>>
>> [Test case]
>> Tested with the test suites that ship with the following repositories:
>>
>> - git://git.netfilter.org/iptables
>> - git://git.netfilter.org/nftables
>>
>> Test results:
>>
>> - iptables/tests/run_tests.sh produced the exact same results with or
>> without the
>> patch.
>> - nftables/tests/shell/run_tests.sh produced similar results with or
>> without the
>> patch (kinetic produces 1 fewer failure with the patch).
>>
>> [Potential regression]
>> All users who use netfilter rules might be affected.
>>
>> Pablo Neira Ayuso (1):
>>    netfilter: nf_tables: fix chain binding transaction logic
>>
>>   include/net/netfilter/nf_tables.h | 21 +++++++-
>>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>>   3 files changed, 153 insertions(+), 41 deletions(-)
>>
> 
> Occasionally I also see oem-6.1 mentioned. What about that? Also
> s/Kinetic/HWE-5.19/ for future reference.

This is actually in 6.1 -1018 already via upstream 6.1.36
Cengiz Can July 28, 2023, 8:30 p.m. UTC | #4
On Mon, 2023-07-24 at 11:52 +0200, Stefan Bader wrote:
> On 22.07.23 22:43, Cengiz Can wrote:
> > [Impact]
> > A use-after-free vulnerability in the Linux kernel's netfilter:
> > nf_tables
> > component can be exploited to achieve local privilege escalation.
> > A flaw in the
> > error handling of bound chains causes a use-after-free in the abort
> > path of
> > NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be
> > triggered. We
> > recommend upgrading past commit
> > 4bedf9eee016286c835e3d8fa981ddece5338795.
> > 
> > [Fix]
> > Commits picked from either stable or upstream. The ones that are
> > marked as
> > backports only differ in contexts, specifically in nf_tables.h.
> > 
> > [Test case]
> > Tested with the test suites that ship with the following repositories:
> > 
> > - git://git.netfilter.org/iptables
> > - git://git.netfilter.org/nftables
> > 
> > Test results:
> > 
> > - iptables/tests/run_tests.sh produced the exact same results with or
> > without the
> > patch.
> > - nftables/tests/shell/run_tests.sh produced similar results with
> > or without the
> > patch (kinetic produces 1 fewer failure with the patch).
> > 
> > [Potential regression]
> > All users who use netfilter rules might be affected.
> > 
> > Pablo Neira Ayuso (1):
> >    netfilter: nf_tables: fix chain binding transaction logic
> > 
> >   include/net/netfilter/nf_tables.h | 21 +++++++-
> >   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-------
> > ----
> >   net/netfilter/nft_immediate.c     | 87
> > +++++++++++++++++++++++++++----
> >   3 files changed, 153 insertions(+), 41 deletions(-)
> > 
> 
> Occasionally I also see oem-6.1 mentioned. What about that? Also
> s/Kinetic/HWE-5.19/ for future reference.

Will look into those. Thanks!

> 
> -- 
> - Stefan
>
Stefan Bader Aug. 3, 2023, 9:18 a.m. UTC | #5
On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. A flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with the test suites that ship with the following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced the exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch (kinetic produces 1 fewer failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Stefan Bader Aug. 3, 2023, 1:47 p.m. UTC | #6
On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. A flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with the test suites that ship with the following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced the exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch (kinetic produces 1 fewer failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 

Applied to lunar,jammy:linux/master-next
jammy:linux-hwe-5.19/hwe-5.19-next. Thanks.

-Stefan
Timo Aaltonen Aug. 4, 2023, 10:02 a.m. UTC | #7
Cengiz Can wrote on 22.7.2023 at 23.43:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. A flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> 
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
> 
> [Test case]
> Tested with the test suites that ship with the following repositories:
> 
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
> 
> Test results:
> 
> - iptables/tests/run_tests.sh produced the exact same results with or without the
> patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
> patch (kinetic produces 1 fewer failure with the patch).
> 
> [Potential regression]
> All users who use netfilter rules might be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: fix chain binding transaction logic
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++-
>   net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>   net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>   3 files changed, 153 insertions(+), 41 deletions(-)
> 

applied to oem-5.17, -6.0, thanks