Message ID | 20230723014340.284173-1-cengiz.can@canonical.com |
---|---|
Series | CVE-2023-3610 |

On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
>
> [Test case]
> Tested with test suites that ship with following repositories:
>
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
>
> Test results:
>
> - iptables/tests/run_tests.sh produced exact same results with or without the
>   patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>   patch. (kinetic produces 1 fewer Failure with the patch).
>
> [Potential regression]
> All users who use netfilter rules might be affected.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: fix chain binding transaction logic
>
>  include/net/netfilter/nf_tables.h | 21 +++++++-
>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>  3 files changed, 153 insertions(+), 41 deletions(-)
>

Occasionally I also see oem-6.1 mentioned. What about that? Also
s/Kinetic/HWE-5.19/ for future reference.

On 7/22/23 2:43 PM, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
>
> [Test case]
> Tested with test suites that ship with following repositories:
>
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
>
> Test results:
>
> - iptables/tests/run_tests.sh produced exact same results with or without the
>   patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>   patch. (kinetic produces 1 fewer Failure with the patch).
>
> [Potential regression]
> All users who use netfilter rules might be affected.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: fix chain binding transaction logic
>
>  include/net/netfilter/nf_tables.h | 21 +++++++-
>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>  3 files changed, 153 insertions(+), 41 deletions(-)
>

Acked-by: Tim Gardner <tim.gardner@canonical.com>

Stefan Bader wrote on 24.7.2023 at 12.52:
> On 22.07.23 22:43, Cengiz Can wrote:
>> [Impact]
>> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
>> component can be exploited to achieve local privilege escalation. Flaw in the
>> error handling of bound chains causes a use-after-free in the abort path of
>> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
>> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>>
>> [Fix]
>> Commits picked from either stable or upstream. The ones that are marked as
>> backports only differ in contexts, specifically in nf_tables.h.
>>
>> [Test case]
>> Tested with test suites that ship with following repositories:
>>
>> - git://git.netfilter.org/iptables
>> - git://git.netfilter.org/nftables
>>
>> Test results:
>>
>> - iptables/tests/run_tests.sh produced exact same results with or without the
>>   patch.
>> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>>   patch. (kinetic produces 1 fewer Failure with the patch).
>>
>> [Potential regression]
>> All users who use netfilter rules might be affected.
>>
>> Pablo Neira Ayuso (1):
>>   netfilter: nf_tables: fix chain binding transaction logic
>>
>>  include/net/netfilter/nf_tables.h | 21 +++++++-
>>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>>  3 files changed, 153 insertions(+), 41 deletions(-)
>>
>
> Occasionally I also see oem-6.1 mentioned. What about that? Also
> s/Kinetic/HWE-5.19/ for future reference.

This is actually in 6.1 -1018 already via upstream 6.1.36

On Mon, 2023-07-24 at 11:52 +0200, Stefan Bader wrote:
> On 22.07.23 22:43, Cengiz Can wrote:
> > [Impact]
> > A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> > component can be exploited to achieve local privilege escalation. Flaw in the
> > error handling of bound chains causes a use-after-free in the abort path of
> > NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> > recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
> >
> > [Fix]
> > Commits picked from either stable or upstream. The ones that are marked as
> > backports only differ in contexts, specifically in nf_tables.h.
> >
> > [Test case]
> > Tested with test suites that ship with following repositories:
> >
> > - git://git.netfilter.org/iptables
> > - git://git.netfilter.org/nftables
> >
> > Test results:
> >
> > - iptables/tests/run_tests.sh produced exact same results with or without the
> >   patch.
> > - nftables/tests/shell/run_tests.sh produced similar results with or without the
> >   patch. (kinetic produces 1 fewer Failure with the patch).
> >
> > [Potential regression]
> > All users who use netfilter rules might be affected.
> >
> > Pablo Neira Ayuso (1):
> >   netfilter: nf_tables: fix chain binding transaction logic
> >
> >  include/net/netfilter/nf_tables.h | 21 +++++++-
> >  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
> >  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
> >  3 files changed, 153 insertions(+), 41 deletions(-)
> >
>
> Occasionally I also see oem-6.1 mentioned. What about that? Also
> s/Kinetic/HWE-5.19/ for future reference.

Will look into those. Thanks!

>
> --
> - Stefan
>

On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
>
> [Test case]
> Tested with test suites that ship with following repositories:
>
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
>
> Test results:
>
> - iptables/tests/run_tests.sh produced exact same results with or without the
>   patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>   patch. (kinetic produces 1 fewer Failure with the patch).
>
> [Potential regression]
> All users who use netfilter rules might be affected.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: fix chain binding transaction logic
>
>  include/net/netfilter/nf_tables.h | 21 +++++++-
>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>  3 files changed, 153 insertions(+), 41 deletions(-)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 22.07.23 22:43, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
>
> [Test case]
> Tested with test suites that ship with following repositories:
>
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
>
> Test results:
>
> - iptables/tests/run_tests.sh produced exact same results with or without the
>   patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>   patch. (kinetic produces 1 fewer Failure with the patch).
>
> [Potential regression]
> All users who use netfilter rules might be affected.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: fix chain binding transaction logic
>
>  include/net/netfilter/nf_tables.h | 21 +++++++-
>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>  3 files changed, 153 insertions(+), 41 deletions(-)
>

Applied to lunar,jammy:linux/master-next jammy:linux-hwe-5.19/hwe-5.19-next. Thanks.

-Stefan

Cengiz Can wrote on 22.7.2023 at 23.43:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Flaw in the
> error handling of bound chains causes a use-after-free in the abort path of
> NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
> recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.
>
> [Fix]
> Commits picked from either stable or upstream. The ones that are marked as
> backports only differ in contexts, specifically in nf_tables.h.
>
> [Test case]
> Tested with test suites that ship with following repositories:
>
> - git://git.netfilter.org/iptables
> - git://git.netfilter.org/nftables
>
> Test results:
>
> - iptables/tests/run_tests.sh produced exact same results with or without the
>   patch.
> - nftables/tests/shell/run_tests.sh produced similar results with or without the
>   patch. (kinetic produces 1 fewer Failure with the patch).
>
> [Potential regression]
> All users who use netfilter rules might be affected.
>
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: fix chain binding transaction logic
>
>  include/net/netfilter/nf_tables.h | 21 +++++++-
>  net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
>  net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
>  3 files changed, 153 insertions(+), 41 deletions(-)
>

applied to oem-5.17, -6.0, thanks