
[SRU,OEM-6.1,v2,0/1] CVE-2023-6111

Message ID 20231120204045.69637-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo Nov. 20, 2023, 8:40 p.m. UTC
This v2 patch adds the modification the previous patch missed and
corrects the prerequisite commit subject.

[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. The function nft_trans_gc_catchall did not remove the
catchall set element from the catchall_list when the argument sync is
true, making it possible to free a catchall set element many times.

[Backport]
There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
nf_tables: shrink memory consumption of set elements”). Since its changes
are not relevant to the fix, ignore it and backport the fix commit.

nft_setelem_catchall_remove(): keep the elem->priv line.

nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
`struct nft_elem_priv *elem_priv;` to keep consistent with the argument
type of nft_setelem_data_deactivate(). Modify the
`nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.

[Test]
Boot and smoke tested.

[Potential Regression]
Expect low regression potential that's limited to this specific API.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: remove catchall element in GC sync path

 net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
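
A constructed C model of the defect described under [Impact], added here as an illustration; it is not code from the patch or from the kernel, and the list, element type and function names are simplified stand-ins for the nf_tables structures. Frees are counted instead of calling free() so the double free is observable without undefined behaviour.

```c
/* Constructed model of the CVE-2023-6111 bug class: the synchronous GC
 * path frees an expired catchall element but forgets to unlink it from
 * the catchall list, so the next GC walk finds and frees it again.
 * Names are hypothetical stand-ins, not the kernel's own API. */
#include <stdbool.h>
#include <stddef.h>

struct catchall_elem {
    struct catchall_elem *next;
    int freed;      /* number of times this element was "freed" */
    int expired;
};

struct catchall_set {
    struct catchall_elem *head;
};

/* Unlink elem from the set's list: the step the buggy sync path skipped. */
static void catchall_remove(struct catchall_set *set, struct catchall_elem *elem)
{
    struct catchall_elem **pp;
    for (pp = &set->head; *pp; pp = &(*pp)->next) {
        if (*pp == elem) { *pp = elem->next; elem->next = NULL; return; }
    }
}

/* Model of the sync GC pass over the catchall list. With fixed == false
 * the element is released while still linked, mirroring the bug; with
 * fixed == true it is unlinked first, mirroring the fix. */
static void gc_catchall_sync(struct catchall_set *set, bool fixed)
{
    struct catchall_elem *e, *next;
    for (e = set->head; e; e = next) {
        next = e->next;                 /* read before any unlink */
        if (!e->expired) continue;
        if (fixed) catchall_remove(set, e);
        e->freed++;                     /* stands in for kfree() */
    }
}

/* Runs two GC passes over a two-element list (one expired) and returns
 * the highest free count seen: 1 when correct, 2 on the double free. */
static int max_frees_after_two_gc_runs(bool fixed)
{
    struct catchall_elem a = { .next = NULL, .freed = 0, .expired = 1 };
    struct catchall_elem b = { .next = &a,   .freed = 0, .expired = 0 };
    struct catchall_set set = { .head = &b };
    gc_catchall_sync(&set, fixed);
    gc_catchall_sync(&set, fixed);
    return a.freed > b.freed ? a.freed : b.freed;
}
```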

Comments

Jacob Martin Nov. 20, 2023, 9:54 p.m. UTC | #1
Acked-by: Jacob Martin <jacob.martin@canonical.com>

On 11/20/23 2:40 PM, Yuxuan Luo wrote:
> This v2 patch adds the modification the previous patch missed and
> corrects the prerequisite commit subject.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: remove catchall element in GC sync path
>
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
>
Timo Aaltonen Nov. 21, 2023, 7:53 a.m. UTC | #2
Yuxuan Luo wrote on 20.11.2023 at 22.40:
> This v2 patch adds the modification the previous patch missed and
> corrects the prerequisite commit subject.
> 
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
> 
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
> 
> nft_setelem_catchall_remove(): keep the elem->priv line.
> 
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
> 
> [Test]
> Boot and smoke tested.
> 
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: remove catchall element in GC sync path
> 
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
> 

applied and build-tested, thanks