From patchwork Wed Feb 21 19:07:47 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1902382
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][Jammy][PATCH 0/1] CVE-2024-1085
Date: Wed, 21 Feb 2024 13:07:47 -0600
Message-Id: <20240221190748.53029-1-bethany.jamison@canonical.com>

[Impact]

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation. The
nft_setelem_catchall_deactivate() function checks whether the catch-all set
element is active in the current generation instead of the next generation
before freeing it, but only flags it inactive in the next generation, making
it possible to free the element multiple times, leading to a double free
vulnerability.

[Fix]

Mantic: Clean cherry-pick.
Jammy: Mantic patch applied cleanly.

[Test Case]

Compile and boot tested.

[Regression Potential]

Issues could occur when using netfilter tables when freeing up memory.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: check if catch-all set element is active in next
    generation

 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Acked-by: Jose Ogando
Acked-by: Manuel Diewald
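
The generation check described under [Impact], as an added user-space model that is not part of the original message and is not kernel code. The names struct elem, deactivate(), pending_frees and frees_after_two_deletes() are hypothetical, and the model assumes a set bit in genmask means "inactive in that generation".

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (assumption): bit g set in genmask = inactive in generation g. */
struct elem {
    uint8_t genmask;
    int pending_frees;   /* frees that a later commit would perform */
};

static unsigned gencursor;   /* current generation: 0 or 1 */

static uint8_t genmask_cur(void)  { return (uint8_t)(1u << gencursor); }
static uint8_t genmask_next(void) { return (uint8_t)(1u << (gencursor ^ 1u)); }

static bool active_in(const struct elem *e, uint8_t mask)
{
    return !(e->genmask & mask);
}

/* One deactivation request. check_next=false models the check before the
 * fix (current generation); check_next=true models the fixed check. */
static bool deactivate(struct elem *e, bool check_next)
{
    uint8_t mask = check_next ? genmask_next() : genmask_cur();

    if (!active_in(e, mask))
        return false;               /* already deactivated: reject */
    e->genmask |= genmask_next();   /* flagged inactive in the NEXT generation only */
    e->pending_frees++;             /* element queued to be freed */
    return true;
}

/* Two deactivations of the same element before the generation advances. */
int frees_after_two_deletes(bool check_next)
{
    struct elem e = { 0, 0 };

    gencursor = 0;
    deactivate(&e, check_next);
    deactivate(&e, check_next);
    return e.pending_frees;
}

int main(void)
{
    printf("current-generation check: %d frees queued\n", frees_after_two_deletes(false));
    printf("next-generation check:    %d frees queued\n", frees_after_two_deletes(true));
    return 0;
}
```

With the current-generation check the second request still sees the element as active, because the first request only set the next-generation bit; testing the same bit that gets set closes that gap.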