[Lunar,OEM-6.1,OEM-6.0,Kinetic,OEM-5.17,Jammy,Focal,0/1] CVE-2023-32233

Message ID: 20230510192739.609041-1-cascardo@canonical.com
Series: CVE-2023-32233

Message

Thadeu Lima de Souza Cascardo May 10, 2023, 7:27 p.m. UTC
[Impact]
On systems where user namespaces can be created by unprivileged users,
which is the default configuration on Ubuntu, unprivileged users can
trigger a use-after-free vulnerability on netfilter. This could be used to
crash the system or elevate privileges.

[Test case]
A PoC that crashes the system was tested and the fix has been shown to
prevent it.

[Backport]
The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15
is in the works.

[Potential impact]
netfilter users may find regressions when manipulating nftables.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: deactivate anonymous set from preparation phase

 include/net/netfilter/nf_tables.h |  1 +
 net/netfilter/nf_tables_api.c     | 12 ++++++++++++
 net/netfilter/nft_dynset.c        |  2 +-
 net/netfilter/nft_lookup.c        |  2 +-
 net/netfilter/nft_objref.c        |  2 +-
 5 files changed, 16 insertions(+), 3 deletions(-)

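The [Impact] section makes the exposure conditional on one precondition: an unprivileged user being able to create user namespaces, which is what lets them reach nf_tables at all. The following triage helper is an added example, not part of the kernel-team thread or the fix; it reads the Ubuntu/Debian `kernel.unprivileged_userns_clone` knob and the upstream `user.max_user_namespaces` knob and reports whether that precondition holds. The `ROOT` argument is an assumption of this example so it can be pointed at a constructed /proc tree; on a live host call it with no argument.

```shell
#!/bin/sh
# Added triage helper (not from the Ubuntu kernel-team thread): reports whether an
# unprivileged user can create user namespaces on this host, the precondition the
# cover letter names for reaching the netfilter use-after-free.
# Usage: userns_exposure [ROOT]   (ROOT prefixes /proc; empty means the live system)
userns_exposure() {
    root="${1:-}"
    # Ubuntu/Debian-specific knob (0 = unprivileged userns creation disabled).
    clone="$(cat "$root/proc/sys/kernel/unprivileged_userns_clone" 2>/dev/null || true)"
    # Upstream knob: 0 forbids creating any user namespace at all.
    maxns="$(cat "$root/proc/sys/user/max_user_namespaces" 2>/dev/null || true)"
    # A missing file means the kernel has no such knob; treat that as the
    # upstream default, where unprivileged user namespaces are allowed.
    : "${clone:=1}"
    : "${maxns:=1}"

    if [ "$clone" = "0" ] || [ "$maxns" = "0" ]; then
        userns="restricted"
    else
        userns="allowed"
    fi

    # Informational only: nf_tables can be loaded on demand from inside a user
    # namespace, so "not loaded" does not by itself mean the path is unreachable.
    if grep -q '^nf_tables ' "$root/proc/modules" 2>/dev/null; then
        nft="loaded"
    else
        nft="not-loaded"
    fi

    if [ "$userns" = "allowed" ]; then
        verdict="exposed"
    else
        verdict="restricted"
    fi
    printf 'userns=%s nf_tables=%s verdict=%s\n' "$userns" "$nft" "$verdict"
}
```

Exit status is always 0; the verdict is in the printed line so the function is easy to use from inventory scripts.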
Comments

Ian May May 10, 2023, 8:10 p.m. UTC | #1
Acked-by: Ian May <ian.may@canonical.com>

On 2023-05-10 16:27:38 , Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> On systems where user namespaces can be created by unprivileged users,
> which is the default configuration on Ubuntu, unprivileged users can
> trigger a use-after-free vulnerability on netfilter. This could be used to
> crash the system or elevate privileges.
> 
> [Test case]
> A PoC that crashes the system was tested and the fix has been shown to
> prevent it.
> 
> [Backport]
> The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15
> is in the works.
> 
> [Potential impact]
> netfilter users may find regressions when manipulating nftables.
> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: deactivate anonymous set from preparation phase
> 
>  include/net/netfilter/nf_tables.h |  1 +
>  net/netfilter/nf_tables_api.c     | 12 ++++++++++++
>  net/netfilter/nft_dynset.c        |  2 +-
>  net/netfilter/nft_lookup.c        |  2 +-
>  net/netfilter/nft_objref.c        |  2 +-
>  5 files changed, 16 insertions(+), 3 deletions(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Cory Todd May 10, 2023, 8:21 p.m. UTC | #2
On Wed, May 10, 2023 at 04:27:38PM -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> On systems where user namespaces can be created by unprivileged users,
> which is the default configuration on Ubuntu, unprivileged users can
> trigger a use-after-free vulnerability on netfilter. This could be used to
> crash the system or elevate privileges.
> 
> [Test case]
> A PoC that crashes the system was tested and the fix has been shown to
> prevent it.
> 
> [Backport]
> The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15
> is in the works.
> 
> [Potential impact]
> netfilter users may find regressions when manipulating nftables.
> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: deactivate anonymous set from preparation phase
> 
>  include/net/netfilter/nf_tables.h |  1 +
>  net/netfilter/nf_tables_api.c     | 12 ++++++++++++
>  net/netfilter/nft_dynset.c        |  2 +-
>  net/netfilter/nft_lookup.c        |  2 +-
>  net/netfilter/nft_objref.c        |  2 +-
>  5 files changed, 16 insertions(+), 3 deletions(-)
> 
> -- 
> 2.34.1

Acked-by: Cory Todd <cory.todd@canonical.com>
Luke Nowakowski-Krijger May 11, 2023, 4:23 p.m. UTC | #3
Applied to lunar, kinetic, jammy, focal linux master-next

Thanks,
- Luke

On Wed, May 10, 2023 at 9:29 PM Thadeu Lima de Souza Cascardo <
cascardo@canonical.com> wrote:

> [Impact]
> On systems where user namespaces can be created by unprivileged users,
> which is the default configuration on Ubuntu, unprivileged users can
> trigger a use-after-free vulnerability on netfilter. This could be used to
> crash the system or elevate privileges.
>
> [Test case]
> A PoC that crashes the system was tested and the fix has been shown to
> prevent it.
>
> [Backport]
> The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15
> is in the works.
>
> [Potential impact]
> netfilter users may find regressions when manipulating nftables.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: deactivate anonymous set from preparation phase
>
>  include/net/netfilter/nf_tables.h |  1 +
>  net/netfilter/nf_tables_api.c     | 12 ++++++++++++
>  net/netfilter/nft_dynset.c        |  2 +-
>  net/netfilter/nft_lookup.c        |  2 +-
>  net/netfilter/nft_objref.c        |  2 +-
>  5 files changed, 16 insertions(+), 3 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
Timo Aaltonen May 18, 2023, 12:01 p.m. UTC | #4
Thadeu Lima de Souza Cascardo wrote on 10.5.2023 at 22.27:
> [Impact]
> On systems where user namespaces can be created by unprivileged users,
> which is the default configuration on Ubuntu, unprivileged users can
> trigger a use-after-free vulnerability on netfilter. This could be used to
> crash the system or elevate privileges.
> 
> [Test case]
> A PoC that crashes the system was tested and the fix has been shown to
> prevent it.
> 
> [Backport]
> The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15
> is in the works.
> 
> [Potential impact]
> netfilter users may find regressions when manipulating nftables.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: deactivate anonymous set from preparation phase
> 
>   include/net/netfilter/nf_tables.h |  1 +
>   net/netfilter/nf_tables_api.c     | 12 ++++++++++++
>   net/netfilter/nft_dynset.c        |  2 +-
>   net/netfilter/nft_lookup.c        |  2 +-
>   net/netfilter/nft_objref.c        |  2 +-
>   5 files changed, 16 insertions(+), 3 deletions(-)
> 

Applied to OEM kernels, thanks.