[SRU,M,0/4,J,0/1] CVE-2024-26809

Message ID 20240412185000.22195-1-bethany.jamison@canonical.com

Message

Bethany Jamison April 12, 2024, 6:49 p.m. UTC
[Impact]

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nft_set_pipapo: release elements in clone only from destroy path

 Clone already always provides a current view of the lookup table, use it
 to destroy the set, otherwise it is possible to destroy elements twice.

 This fix requires:

  212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
 protocol")

 which came after:

  9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
 abort path").

[Fix]

Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
	was already in stable.
Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
Focal:	not-affected
Bionic:	not-affected
Xenial:	not-affected
Trusty:	not-affected

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use netfilter, specifically pipapo (pile
packet policies); an issue with this fix would be visible via a
memory leak or a system crash.

Florian Westphal (3):
  netfilter: nft_set_pipapo: store index in scratch maps
  netfilter: nft_set_pipapo: add helper to release pcpu scratch area
  netfilter: nft_set_pipapo: remove scratch_aligned pointer

Pablo Neira Ayuso (1):
  netfilter: nft_set_pipapo: release elements in clone only from destroy
    path

 net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
 net/netfilter/nft_set_pipapo.h      |  18 +++--
 net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
 3 files changed, 76 insertions(+), 72 deletions(-)

Comments

Andrei Gherzan April 15, 2024, 10:51 a.m. UTC | #1
On 24/04/12 01:49PM, Bethany Jamison wrote:
> [Impact]
> 
>  In the Linux kernel, the following vulnerability has been resolved:
> 
>  netfilter: nft_set_pipapo: release elements in clone only from destroy path
> 
>  Clone already always provides a current view of the lookup table, use it
>  to destroy the set, otherwise it is possible to destroy elements twice.
> 
>  This fix requires:
> 
>   212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>  protocol")
> 
>  which came after:
> 
>   9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>  abort path").
> 
> [Fix]
> 
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.

For the benefit of other reviewers, the prerequisite three commits of
the 9827a0e6e23b fix in Jammy are already included in the repository.

> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies); an issue with this fix would be visible via a
> memory leak or a system crash.
> 
> Florian Westphal (3):
>   netfilter: nft_set_pipapo: store index in scratch maps
>   netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>   netfilter: nft_set_pipapo: remove scratch_aligned pointer
> 
> Pablo Neira Ayuso (1):
>   netfilter: nft_set_pipapo: release elements in clone only from destroy
>     path
> 
>  net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>  net/netfilter/nft_set_pipapo.h      |  18 +++--
>  net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>  3 files changed, 76 insertions(+), 72 deletions(-)

Acked-by: Andrei Gherzan <andrei.gherzan@canonical.com>

Tim Gardner April 22, 2024, 1:18 p.m. UTC | #2
On 4/12/24 12:49 PM, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   netfilter: nft_set_pipapo: release elements in clone only from destroy path
> 
>   Clone already always provides a current view of the lookup table, use it
>   to destroy the set, otherwise it is possible to destroy elements twice.
> 
>   This fix requires:
> 
>    212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>   protocol")
> 
>   which came after:
> 
>    9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>   abort path").
> 
> [Fix]
> 
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies); an issue with this fix would be visible via a
> memory leak or a system crash.
> 
> Florian Westphal (3):
>    netfilter: nft_set_pipapo: store index in scratch maps
>    netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>    netfilter: nft_set_pipapo: remove scratch_aligned pointer
> 
> Pablo Neira Ayuso (1):
>    netfilter: nft_set_pipapo: release elements in clone only from destroy
>      path
> 
>   net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>   net/netfilter/nft_set_pipapo.h      |  18 +++--
>   net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>   3 files changed, 76 insertions(+), 72 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>

Roxana Nicolescu April 25, 2024, 5:57 p.m. UTC | #3
On 12/04/2024 20:49, Bethany Jamison wrote:
> [Impact]
>
>   In the Linux kernel, the following vulnerability has been resolved:
>
>   netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
>   Clone already always provides a current view of the lookup table, use it
>   to destroy the set, otherwise it is possible to destroy elements twice.
>
>   This fix requires:
>
>    212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>   protocol")
>
>   which came after:
>
>    9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>   abort path").
>
> [Fix]
>
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies); an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
>    netfilter: nft_set_pipapo: store index in scratch maps
>    netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>    netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
>    netfilter: nft_set_pipapo: release elements in clone only from destroy
>      path
>
>   net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>   net/netfilter/nft_set_pipapo.h      |  18 +++--
>   net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>   3 files changed, 76 insertions(+), 72 deletions(-)
>
Applied to mantic, jammy master-next branches. Thanks!
For mantic, the first 3 patches were already applied.