[SRU,Jammy/Mantic,0/1] CVE-2023-6111

Message ID	20231205205112.37490-1-yuxuan.luo@canonical.com
Headers	show Return-Path: <kernel-team-bounces@lists.ubuntu.com> From: Yuxuan Luo <yuxuan.luo@canonical.com> To: kernel-team@lists.ubuntu.com Subject: [SRU][Jammy/Mantic][PATCH 0/1] CVE-2023-6111 Date: Tue, 5 Dec 2023 15:51:11 -0500 Message-Id: <20231205205112.37490-1-yuxuan.luo@canonical.com> MIME-Version: 1.0 Precedence: list Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>
Series	CVE-2023-6111 \| expand [SRU,Jammy/Mantic,0/1] CVE-2023-6111 [SRU,Jammy/Mantic,1/1] netfilter: nf_tables: remove catchall element in GC sync path

Message ID

20231205205112.37490-1-yuxuan.luo@canonical.com

Headers

From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy/Mantic][PATCH 0/1] CVE-2023-6111
Date: Tue,  5 Dec 2023 15:51:11 -0500
Message-Id: <20231205205112.37490-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
Precedence: list
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

Series

CVE-2023-6111 | expand

Message

Yuxuan Luo Dec. 5, 2023, 8:51 p.m. UTC

This patch has already been sent for OEM-6.1. However, since the break
commit has been backported to upstream stable, Jammy and Mantic are now
vulnerable.

[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. The function nft_trans_gc_catchall did not remove the
catchall set element from the catchall_list when the argument sync is
true, making it possible to free a catchall set element many times. 

[Backport]
There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
nf_tables: shrink memory consumption of set elements”). Since its changes
is not relevant to the fix, ignore it and backport the fix commit.

nft_setelem_catchall_remove(): keep the elem->priv line.

nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
`struct nft_elem_priv *elem_priv;` to keep consistent with the argument
type of nft_setelem_data_deactivate(). Modify the
`nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.

[Test]
Boot and smoke tested.

[Potential Regression]
Expect low regression potential that's limited to this specific API.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: remove catchall element in GC sync path

 net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)

Comments

Manuel Diewald Dec. 6, 2023, 11:56 a.m. UTC | #1

On Tue, Dec 05, 2023 at 03:51:11PM -0500, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
> 
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times. 
> 
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
> 
> nft_setelem_catchall_remove(): keep the elem->priv line.
> 
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
> 
> [Test]
> Boot and smoke tested.
> 
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: remove catchall element in GC sync path
> 
>  net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>

Stefan Bader Dec. 14, 2023, 2:01 p.m. UTC | #2

On 05.12.23 21:51, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
> 
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
> 
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
> 
> nft_setelem_catchall_remove(): keep the elem->priv line.
> 
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
> 
> [Test]
> Boot and smoke tested.
> 
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: remove catchall element in GC sync path
> 
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>

Stefan Bader Dec. 14, 2023, 2:24 p.m. UTC | #3

On 05.12.23 21:51, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
> 
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
> 
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
> 
> nft_setelem_catchall_remove(): keep the elem->priv line.
> 
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
> 
> [Test]
> Boot and smoke tested.
> 
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: remove catchall element in GC sync path
> 
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
> 

Applied to mantic,jammy:linux/master-next. Thanks.

-Stefan