From patchwork Fri Apr 12 18:49:55 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1923218 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4VGQc50gXQz1yYP for ; Sat, 13 Apr 2024 04:50:13 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1rvLyQ-0007j0-Kf; Fri, 12 Apr 2024 18:50:06 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1rvLyO-0007ia-ES for kernel-team@lists.ubuntu.com; Fri, 12 Apr 2024 18:50:04 +0000 Received: from mail-il1-f197.google.com (mail-il1-f197.google.com [209.85.166.197]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 43A693F17B for ; Fri, 12 Apr 2024 18:50:04 +0000 (UTC) Received: by mail-il1-f197.google.com with SMTP id e9e14a558f8ab-36a3d87a7d9so13084895ab.0 for ; Fri, 12 Apr 2024 11:50:04 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712947802; x=1713552602; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=HCu4btYnDARRpj9fvHXbGtzs8EEGw4l+cLkJ1gbdcbU=; b=Wdjz3XkYc/nUvfUZzU2fGsjhUR+YzEgN0DxVESyX1xttynPGVVr4Z/fNrEy3cex4Rz TGNfUHmY4QL9UDAQhuHkhovxB9JvQqgEjgax487rF95w3aGi+yx1M/ZmSbefywvSC6vh lm332hUH7cDonTXB0J8KJh8Tk49fxZT9+aXkmku40v8wlShDqADh2XvMApCZgpvh3FGn V4RYEzTVJw6hhZr6F5iJkssnAg1aUg/BaFgUBfJgC77d/xOS5hFQqZyibAcgqDmy24wv LoaFO2UtTrx7e2MUvTcuhDYWlubLk9Ds4ySNYeVGIZet6uaodJe0QgiGylWG3Y3uuBs/ 2xZg== X-Gm-Message-State: AOJu0YxBXEvD1SXnAQV2Hhg078Cz+BAUIXpJYX3zQsEmgQY9ya7sbw4H TSpT43543R+PsdnlkQ7XH6kO56T5tOqqr2RIQXn2AF4LO8p7qygnnXBrU9XmqfD8bs9JDbVJIFh OlkNsaIxuvptdFd1iW5istPJKGQVYn3fJ3WzG87OFPtXgOTZVbJTzJpYFIa70AIxUGVj+eYdYGI LkvUZa42FpKA== X-Received: by 2002:a05:6e02:16c8:b0:36a:27a4:da76 with SMTP id 8-20020a056e0216c800b0036a27a4da76mr4079174ilx.9.1712947802679; Fri, 12 Apr 2024 11:50:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHk3zanOV1UckBfThq9HkbKFKEeN1wAABH1CsmTi+wq2/3ys6NFTVBR8WZzpzEJG37nndKINg== X-Received: by 2002:a05:6e02:16c8:b0:36a:27a4:da76 with SMTP id 8-20020a056e0216c800b0036a27a4da76mr4079159ilx.9.1712947802305; Fri, 12 Apr 2024 11:50:02 -0700 (PDT) Received: from smtp.gmail.com (104-218-69-129.dynamic.lnk.ne.allofiber.net. [104.218.69.129]) by smtp.gmail.com with ESMTPSA id n16-20020a056638265000b004829fa50273sm1208462jat.161.2024.04.12.11.50.01 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 12 Apr 2024 11:50:01 -0700 (PDT) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][M 0/4, J 0/1] CVE-2024-26809 Date: Fri, 12 Apr 2024 13:49:55 -0500 Message-Id: <20240412185000.22195-1-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: release elements in clone only from destroy path Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice. This fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol") which came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path"). [Fix] Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb was already in stable. Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable. Focal: not-affected Bionic: not-affected Xenial: not-affected Trusty: not-affected [Test Case] Compile and boot tested. [Where problems could occur] This fix affects those who use netfilter, specifically pipapo (pile packet polices), an issue with this fix would be visable via a memory leak or a system crash. Florian Westphal (3): netfilter: nft_set_pipapo: store index in scratch maps netfilter: nft_set_pipapo: add helper to release pcpu scratch area netfilter: nft_set_pipapo: remove scratch_aligned pointer Pablo Neira Ayuso (1): netfilter: nft_set_pipapo: release elements in clone only from destroy path net/netfilter/nft_set_pipapo.c | 113 ++++++++++++++-------------- net/netfilter/nft_set_pipapo.h | 18 +++-- net/netfilter/nft_set_pipapo_avx2.c | 17 ++--- 3 files changed, 76 insertions(+), 72 deletions(-) Acked-by: Andrei Gherzan Acked-by: Tim Gardner