Message ID | 20231205205112.37490-1-yuxuan.luo@canonical.com
---|---
Series | CVE-2023-6111
On Tue, Dec 05, 2023 at 03:51:11PM -0500, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: remove catchall element in GC sync path
>
>  net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
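The [Impact] paragraph quoted above describes the defect in one sentence: in the sync GC path the expired catchall element was queued for freeing but left on catchall_list, so a later walk of that list reached memory that had already been released. The following is an added, constructed model of that control flow; it is not the kernel's nf_tables code and not part of this thread. It assumes a simplified singly linked catchall list, a GC batch of fixed size, and simulates kfree with a `freed` flag on statically allocated elements, so the vulnerable variant can be observed as a count of stale accesses rather than as real memory corruption. The `unlink_in_sync_path` switch stands in for the step the fix commit adds; the function and type names here are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a catchall set element list; not kernel code.
 * Elements are statically allocated and "freeing" is a flag, so the
 * buggy path can be observed without touching freed memory. */

#define NELEMS 3

struct catchall_elem {
    struct catchall_elem *next;
    bool expired;   /* GC has decided this element must go */
    bool freed;     /* simulated kfree */
};

struct set_model {
    struct catchall_elem *catchall_list;
};

/* GC batch: elements queued here are released once the pass completes. */
struct gc_batch {
    struct catchall_elem *items[NELEMS];
    int count;
};

static void list_unlink(struct set_model *set, struct catchall_elem *e)
{
    struct catchall_elem **pp = &set->catchall_list;

    while (*pp && *pp != e)
        pp = &(*pp)->next;
    if (*pp)
        *pp = e->next;
    e->next = NULL;
}

/* One GC pass over the catchall list. Returns how many elements were
 * touched after having been released, i.e. simulated use-after-free
 * accesses through a pointer that should no longer be on the list. */
static int gc_catchall(struct set_model *set, struct gc_batch *gc,
                       bool sync, bool unlink_in_sync_path)
{
    int stale = 0;
    struct catchall_elem *e = set->catchall_list;

    while (e) {
        struct catchall_elem *next = e->next;   /* read before any unlink */

        if (e->freed) {
            stale++;            /* released element still reachable */
        } else if (e->expired) {
            if (sync && unlink_in_sync_path)
                list_unlink(set, e);   /* the step the fix adds */
            if (gc->count < NELEMS)
                gc->items[gc->count++] = e;
        }
        e = next;
    }
    return stale;
}

/* Complete the batch: simulated kfree of every queued element. */
static void gc_batch_free(struct gc_batch *gc)
{
    for (int i = 0; i < gc->count; i++)
        gc->items[i]->freed = true;
    gc->count = 0;
}

/* Build a three-element catchall list with every element expired, run the
 * sync GC path, release the batch, then run the sync GC path again.
 * With the unlink step the second pass sees an empty list; without it the
 * second pass walks released elements. Returns the stale-access count. */
int simulate_sync_gc(bool unlink_in_sync_path)
{
    struct catchall_elem elems[NELEMS] = {0};
    struct set_model set = { .catchall_list = &elems[0] };
    struct gc_batch gc = { .count = 0 };
    int stale;

    for (int i = 0; i < NELEMS; i++) {
        elems[i].expired = true;
        elems[i].next = (i + 1 < NELEMS) ? &elems[i + 1] : NULL;
    }

    stale = gc_catchall(&set, &gc, true, unlink_in_sync_path);
    gc_batch_free(&gc);
    stale += gc_catchall(&set, &gc, true, unlink_in_sync_path);
    return stale;
}

int main(void)
{
    printf("stale accesses without unlink in sync path: %d\n",
           simulate_sync_gc(false));
    printf("stale accesses with unlink in sync path:    %d\n",
           simulate_sync_gc(true));
    return 0;
}
```

The model keeps the invariant the fix restores: once an element has been handed to the GC batch on the sync path, nothing else may reach it through catchall_list, so each element is released exactly once. The same invariant is what a reviewer checks when resolving the backport conflict described in the [Backport] notes, since the renamed `elem`/`elem->priv` variables must still refer to the element that was just unlinked.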
On 05.12.23 21:51, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: remove catchall element in GC sync path
>
>  net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>
On 05.12.23 21:51, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: remove catchall element in GC sync path
>
>  net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>  1 file changed, 17 insertions(+), 5 deletions(-)
>

Applied to mantic,jammy:linux/master-next. Thanks.

-Stefan