From patchwork Wed May 10 19:27:38 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Thadeu Lima de Souza Cascardo X-Patchwork-Id: 1779668 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=91.189.94.19; helo=huckleberry.canonical.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=canonical.com header.i=@canonical.com header.a=rsa-sha256 header.s=20210705 header.b=AcbDMsnO; dkim-atps=neutral Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4QGlSc3mY4z20fl for ; Thu, 11 May 2023 05:28:47 +1000 (AEST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.86_2) (envelope-from ) id 1pwpUN-00008B-Je; Wed, 10 May 2023 19:28:39 +0000 Received: from smtp-relay-canonical-0.internal ([10.131.114.83] helo=smtp-relay-canonical-0.canonical.com) by huckleberry.canonical.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1pwpUL-000084-Pf for kernel-team@lists.ubuntu.com; Wed, 10 May 2023 19:28:37 +0000 Received: from localhost.localdomain (1.general.cascardo.us.vpn [10.172.70.58]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id B32DB40019 for ; Wed, 10 May 2023 19:28:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1683746917; bh=AIb2hx40mlkGiTs/42Dy2qikuu+L/U/On7japJgOS5U=; h=From:To:Subject:Date:Message-Id:MIME-Version; b=AcbDMsnO2M1co2iU3duhz5G/5Vq9jrWq1i2NB+uZfMCPO/dStqEz1xZ85ziHWB35H CCiKwGtjVgyfRRx6rI2S/2UjCmx/pk4QPheJlfbStWsN7xMNle9kCUkoZD/szRI4uX jAUN3LiYs29MTr6+IbN2BJzvzH8AoS9EHs/6qhjBbI/AhdJASe0iH4nFVghRoKt7Ov 3mRrHiNA0myL+Jfk7GfyuGFSDJ2JGAixa/Y6Zd1E1Q2uYUEFXKdl3Zlx2xs7MZJNZf /LJSeupKqY8znTw25xcpPR38qguAwADQO2iY4H+zZoEdvSE+VDuAf13wWI/LrGP8oj gsNYJgGwDW+DQ== From: Thadeu Lima de Souza Cascardo To: kernel-team@lists.ubuntu.com Subject: [Lunar, OEM-6.1, OEM-6.0, Kinetic, OEM-5.17, Jammy, Focal 0/1] CVE-2023-32233 Date: Wed, 10 May 2023 16:27:38 -0300 Message-Id: <20230510192739.609041-1-cascardo@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] On systems where user namespaces can be created by unprivileged users, which is the default configuration on Ubuntu, unprivileged users can trigger a use-after-free vulnerability on netfilter. This could be used to crash the system or elevate privileges. [Test case] A PoC that crashes the system was tested and the fix has been shown to prevent it. [Backport] The fix applies cleanly all the way back to 5.4 kernels. A backport to 4.15 is in the works. [Potential impact] netfilter users may find regressions when manipulating nftables. Pablo Neira Ayuso (1): netfilter: nf_tables: deactivate anonymous set from preparation phase include/net/netfilter/nf_tables.h | 1 + net/netfilter/nf_tables_api.c | 12 ++++++++++++ net/netfilter/nft_dynset.c | 2 +- net/netfilter/nft_lookup.c | 2 +- net/netfilter/nft_objref.c | 2 +- 5 files changed, 16 insertions(+), 3 deletions(-) Acked-by: Ian May Acked-by: Cory Todd