From patchwork Mon Nov 20 20:40:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Yuxuan Luo X-Patchwork-Id: 1866193 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4SYztP5dNkz1yRV for ; Tue, 21 Nov 2023 07:41:01 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1r5B4h-0006Lh-TY; Mon, 20 Nov 2023 20:40:55 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1r5B4c-0006LH-0O for kernel-team@lists.ubuntu.com; Mon, 20 Nov 2023 20:40:50 +0000 Received: from mail-qk1-f200.google.com (mail-qk1-f200.google.com [209.85.222.200]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id D1D603F5E9 for ; Mon, 20 Nov 2023 20:40:49 +0000 (UTC) Received: by mail-qk1-f200.google.com with SMTP id af79cd13be357-77891f36133so658235885a.0 for ; Mon, 20 Nov 2023 12:40:49 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1700512848; x=1701117648; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=LJeBwI3/ahXfF9cr/beXBLFCeBjG0kn+clIpob6TGnI=; b=UKBKErblQqwgBtEynF1VxIg9tNKSAxzUrQliSsMhTeMy4nPTbGUGEMNJqlNORGsr3b mAXLik2KSfqK16u5e0pC0eWfnWnnsRbr5cGGK9CY8k3qBtfFTILR+16OgzeOcNlKDlP/ 0EUZBcGsjG6T089fc1r9TblecTB2+SJB8SJvmbiYREl3vokMdSjIkZYzKkRffqBLQ9Xo fqMJzP+oJzqPnbLFJoycBkM1JsVg3m4VRDGiW4ZMSsuM0OMeTf67ZhakRuHelLIVmwOM 4IfczC0VjGJgXnWe0igN8RgMZL+J3TT+jXMlQXfM9FDkRD5ZHVV17pDbxDt4fMt9SdQI 3kYg== X-Gm-Message-State: AOJu0YyvtJh1VnqjKNivjtaWGopZPvi1aRuY4sunbd0Whb25Rk6RooQw oRM2H0WbKRG2WSIzbfnWM4ZneUQKzhHwg4a9bf+93c91fZFsY5CrbJLCBgNwXRUW3mk1oEB8/i7 VrA3wkl7eCgN3hinSK5G286byv9KnmjX2KkZbhz5wOIQR0oTgCA== X-Received: by 2002:a05:620a:8008:b0:774:3497:a7a3 with SMTP id ee8-20020a05620a800800b007743497a7a3mr9425460qkb.17.1700512847944; Mon, 20 Nov 2023 12:40:47 -0800 (PST) X-Google-Smtp-Source: AGHT+IEni2DzzVNnFupY9uib8y8PU+Q6/t3DqVCX6I7FAUxzQtAcEXqhFtZW4LPkRJH2E8IDrrc7Sg== X-Received: by 2002:a05:620a:8008:b0:774:3497:a7a3 with SMTP id ee8-20020a05620a800800b007743497a7a3mr9425450qkb.17.1700512847662; Mon, 20 Nov 2023 12:40:47 -0800 (PST) Received: from cache-ubuntu.hsd1.nj.comcast.net ([2001:67c:1562:8007::aac:4795]) by smtp.gmail.com with ESMTPSA id m22-20020a05620a215600b0077a02dda442sm2925170qkm.128.2023.11.20.12.40.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 20 Nov 2023 12:40:47 -0800 (PST) From: Yuxuan Luo To: kernel-team@lists.ubuntu.com Subject: [SRU][OEM-6.1][PATCH v2 0/1] CVE-2023-6111 Date: Mon, 20 Nov 2023 15:40:44 -0500 Message-Id: <20231120204045.69637-1-yuxuan.luo@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" This v2 patch adds the modification the previous patch missed and corrects the prerequisite commit subject. [Impact] A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element many times. [Backport] There is a conflict that requires the commit 0e1ea651c971 (“netfilter: nf_tables: shrink memory consumption of set elements”). Since its changes is not relevant to the fix, ignore it and backport the fix commit. nft_setelem_catchall_remove(): keep the elem->priv line. nft_trans_gc(): add `struct nft_set_elem *elem;` instead of `struct nft_elem_priv *elem_priv;` to keep consistent with the argument type of nft_setelem_data_deactivate(). Modify the `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly. [Test] Boot and smoke tested. [Potential Regression] Expect low regression potential that's limited to this specific API. Pablo Neira Ayuso (1): netfilter: nf_tables: remove catchall element in GC sync path net/netfilter/nf_tables_api.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) Acked-by: Jacob Martin