Message ID | 20240221190748.53029-1-bethany.jamison@canonical.com |
---|---|
Series | CVE-2024-1085 |

LGTM

Acked-by: Jose Ogando <jose.ogando@canonical.com>

On Wed, 2024-02-21 at 13:07 -0600, Bethany Jamison wrote:
> [Impact]
>
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the
> catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times,
> leading
> to a double free vulnerability.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur when using netfilter tables when freeing up
> memory.
>
> pablo Neira Ayuso (1):
>   netfilter: nf_tables: check if catch-all set element is active in
> next
>     generation
>
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.34.1
>
>

On Wed, Feb 21, 2024 at 01:07:47PM -0600, Bethany Jamison wrote:
> [Impact]
>
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times, leading
> to a double free vulnerability.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur when using netfilter tables when freeing up memory.
>
> pablo Neira Ayuso (1):
>   netfilter: nf_tables: check if catch-all set element is active in next
>     generation
>
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>

On 21/02/2024 20:07, Bethany Jamison wrote:
> [Impact]
>
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times, leading
> to a double free vulnerability.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur when using netfilter tables when freeing up memory.
>
> pablo Neira Ayuso (1):
>   netfilter: nf_tables: check if catch-all set element is active in next
>     generation
>
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied to mantic, jammy master-next branches. Thanks!
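
The generation check described in the [Impact] section, as a simplified userspace model added here; it is not kernel code and not part of the patch in this thread, and every name in it (`struct elem`, `deactivate`, `releases_after_two_deletes`) is hypothetical. It assumes a two-generation bitmask in which a set bit marks the element inactive in that generation, and counts how often one element is queued for freeing when it is deleted twice before commit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a set element; not the kernel structure. */
struct elem {
    uint8_t genmask;       /* bit n set => inactive in generation n */
    int     release_count; /* times queued for freeing at commit */
};

static unsigned gencursor; /* index of the current generation: 0 or 1 */

static uint8_t genmask_cur(void)  { return (uint8_t)(1u << gencursor); }
static uint8_t genmask_next(void) { return (uint8_t)(1u << (gencursor ^ 1u)); }

static bool elem_active(const struct elem *e, uint8_t genmask)
{
    return !(e->genmask & genmask);
}

/* One delete request inside a transaction. check_next selects the
 * corrected check (next generation) or the flawed one (current). */
static bool deactivate(struct elem *e, bool check_next)
{
    uint8_t mask = check_next ? genmask_next() : genmask_cur();

    if (!elem_active(e, mask))
        return false;              /* already deactivated: skip */
    e->genmask |= genmask_next();  /* flag inactive in the next generation */
    e->release_count++;            /* element will be freed at commit */
    return true;
}

/* Two delete requests for the same element before the commit. */
int releases_after_two_deletes(bool check_next)
{
    struct elem e = { 0, 0 };

    gencursor = 0;
    deactivate(&e, check_next);
    deactivate(&e, check_next);
    return e.release_count;
}

int main(void)
{
    printf("current-generation check: %d releases\n", releases_after_two_deletes(false));
    printf("next-generation check:    %d releases\n", releases_after_two_deletes(true));
    return 0;
}
```

With the current-generation check the second request still sees the element as active, so it is queued twice; checking the generation that the deactivation actually modifies rejects the second request.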