[SRU,Focal/Jammy/Lunar,0/1] CVE-2023-4881

Message ID 20230918213135.50180-1-yuxuan.luo@canonical.com

Message

Yuxuan Luo Sept. 18, 2023, 9:31 p.m. UTC
[Impact]
A stack-based out-of-bounds write flaw was found in the netfilter
subsystem in the Linux kernel. If the expression length is a multiple of
4 (register size), the `nft_exthdr_eval` family of functions writes 4
NULL bytes past the end of the `regs` argument, leading to stack
corruption and potential information disclosure or a denial of service.

[Backport]
The fix commit fixes four occurrences introduced by different break
commits. Since not all break commits are present in the Focal tree, some
hunks are ignored and the rest are backported.
For Jammy and Lunar, it is a clean cherry pick.

[Test]
Only a boot test has been performed so far; more comprehensive tests will come
in a few days.

[Potential Regression]
Regressions should be limited to the modified file.

Florian Westphal (1):
  netfilter: nftables: exthdr: fix 4-byte stack OOB write

 net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)
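The register-padding arithmetic behind the [Impact] paragraph, as an added illustration that is neither kernel code nor the patch in this series (the page does not reproduce the diff): a constructed 20-register file, a helper that computes where an unconditional `dest[len / 4] = 0` padding store lands, and a bounds-respecting copy that zeroes the trailing register only when the field leaves part of it unused. The register-file size, all function names, the configuration-time fit check and the `len % 4` guard are this example's assumptions, not taken from the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REG32_SIZE 4u      /* bytes per 32-bit register */
#define NUM_REGS   20u     /* constructed register-file size (assumption) */

/* Registers needed to hold a field of `len` bytes (rounded up). */
static unsigned int regs_needed(unsigned int len)
{
    return (len + REG32_SIZE - 1) / REG32_SIZE;
}

/*
 * Index an unconditional padding store `dest[len / 4] = 0` hits when the
 * field is copied starting at register `dreg`. For len % 4 != 0 this is the
 * last register the field occupies (its unused tail bytes get cleared); for
 * len % 4 == 0 it is the register *after* the field.
 */
static unsigned int padding_store_index(unsigned int dreg, unsigned int len)
{
    return dreg + len / REG32_SIZE;
}

/*
 * True when that store lands outside an `nregs`-entry register file even
 * though the field itself fits: the situation the cover letter describes.
 */
static bool unconditional_store_overflows(unsigned int nregs, unsigned int dreg,
                                          unsigned int len)
{
    bool field_fits = dreg + regs_needed(len) <= nregs;
    return field_fits && padding_store_index(dreg, len) >= nregs;
}

/*
 * Hardened copy: clear the trailing register only when the field leaves part
 * of it unused. The `len % 4` guard is this example's reading of the fix, not
 * the patch itself. Returns registers written, or -1 when the field would not
 * fit (a modelled configuration-time check, assumed here).
 */
static int copy_field(uint32_t *regs, unsigned int nregs, unsigned int dreg,
                      const uint8_t *src, unsigned int len)
{
    unsigned int used = regs_needed(len);
    uint32_t *dest;

    if (len == 0 || dreg + used > nregs)
        return -1;
    dest = &regs[dreg];

    if (len % REG32_SIZE)
        dest[len / REG32_SIZE] = 0;   /* partial last register: zero its tail */

    memcpy(dest, src, len);
    return (int)used;
}

/*
 * Self-check on constructed data: copy an 8-byte field (a multiple of 4) into
 * the last two registers and verify a sentinel just past the file is intact,
 * then copy a 6-byte field and verify its tail bytes were zeroed.
 */
static bool demo_hardened_copy(void)
{
    uint32_t regs[NUM_REGS + 1];   /* extra slot holds the sentinel */
    const uint8_t field8[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };              /* constructed */
    const uint8_t field6[6] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };  /* constructed */
    const uint8_t *tail;

    memset(regs, 0xff, sizeof(regs));
    regs[NUM_REGS] = 0xa5a5a5a5u;   /* sentinel beyond the register file */

    if (copy_field(regs, NUM_REGS, NUM_REGS - 2, field8, 8) != 2)
        return false;
    if (regs[NUM_REGS] != 0xa5a5a5a5u)   /* guarded store stayed inside */
        return false;

    if (copy_field(regs, NUM_REGS, 0, field6, 6) != 2)
        return false;
    tail = (const uint8_t *)&regs[1];
    if (tail[0] != 0x55 || tail[1] != 0x66 || tail[2] != 0 || tail[3] != 0)
        return false;

    /* A field that does not fit is rejected before any write. */
    return copy_field(regs, NUM_REGS, NUM_REGS - 1, field8, 8) == -1;
}

int main(void)
{
    printf("len=8 at dreg=%u: unconditional store overflows? %s\n", NUM_REGS - 2,
           unconditional_store_overflows(NUM_REGS, NUM_REGS - 2, 8) ? "yes" : "no");
    printf("len=7 at dreg=%u: unconditional store overflows? %s\n", NUM_REGS - 2,
           unconditional_store_overflows(NUM_REGS, NUM_REGS - 2, 7) ? "yes" : "no");
    printf("hardened copy self-check: %s\n", demo_hardened_copy() ? "pass" : "fail");
    return 0;
}
```

The point the arithmetic makes is that the field-fit check alone is not enough: a field whose length is an exact multiple of the register size can pass it while the padding store still targets one register beyond the field, which for the last register of the file is past the array.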

Comments

Tim Gardner Sept. 19, 2023, 12:40 p.m. UTC | #1
On 9/18/23 3:31 PM, Yuxuan Luo wrote:
> [Impact]
> A stack-based out-of-bounds write flaw was found in the netfilter
> subsystem in the Linux kernel. If the expression length is a multiple of
> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
> NULL bytes past the end of the `regs` argument, leading to stack
> corruption and potential information disclosure or a denial of service.
> 
> [Backport]
> The fix commit fixes four occurrences introduced by different break
> commits. Since not all break commits are present in the Focal tree, some
> hunks are ignored and the rest are backported.
> For Jammy and Lunar, it is a clean cherry pick.
> 
> [Test]
> Only a boot test has been performed so far; more comprehensive tests will come
> in a few days.
> 
> [Potential Regression]
> Regressions should be limited to the modified file.
> 
> Florian Westphal (1):
>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Roxana Nicolescu Sept. 20, 2023, 8:03 a.m. UTC | #2
On 18/09/2023 23:31, Yuxuan Luo wrote:
> [Impact]
> A stack-based out-of-bounds write flaw was found in the netfilter
> subsystem in the Linux kernel. If the expression length is a multiple of
> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
> NULL bytes past the end of the `regs` argument, leading to stack
> corruption and potential information disclosure or a denial of service.
>
> [Backport]
> The fix commit fixes four occurrences introduced by different break
> commits. Since not all break commits are present in the Focal tree, some
> hunks are ignored and the rest are backported.
> For Jammy and Lunar, it is a clean cherry pick.
>
> [Test]
> Only a boot test has been performed so far; more comprehensive tests will come
> in a few days.
>
> [Potential Regression]
> Regressions should be limited to the modified file.
>
> Florian Westphal (1):
>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
>
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Roxana Nicolescu Sept. 20, 2023, 8:39 a.m. UTC | #3
On 18/09/2023 23:31, Yuxuan Luo wrote:
> [Impact]
> A stack-based out-of-bounds write flaw was found in the netfilter
> subsystem in the Linux kernel. If the expression length is a multiple of
> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
> NULL bytes past the end of the `regs` argument, leading to stack
> corruption and potential information disclosure or a denial of service.
>
> [Backport]
> The fix commit fixes four occurrences introduced by different break
> commits. Since not all break commits are present in the Focal tree, some
> hunks are ignored and the rest are backported.
> For Jammy and Lunar, it is a clean cherry pick.
>
> [Test]
> Only a boot test has been performed so far; more comprehensive tests will come
> in a few days.
>
> [Potential Regression]
> Regressions should be limited to the modified file.
>
> Florian Westphal (1):
>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
>
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
>
Applied to focal,jammy,lunar:master-next. Thanks! CVE reference was 
missing in the focal patch.

Roxana
Yuxuan Luo Sept. 27, 2023, 1:51 p.m. UTC | #4
This patch also applies to Jammy-OEM-6.1. Sorry for the inconvenience.

On 9/20/23 04:39, Roxana Nicolescu wrote:
>
> On 18/09/2023 23:31, Yuxuan Luo wrote:
>> [Impact]
>> A stack-based out-of-bounds write flaw was found in the netfilter
>> subsystem in the Linux kernel. If the expression length is a multiple of
>> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
>> NULL bytes past the end of the `regs` argument, leading to stack
>> corruption and potential information disclosure or a denial of service.
>>
>> [Backport]
>> The fix commit fixes four occurrences introduced by different break
>> commits. Since not all break commits are present in the Focal tree, some
>> hunks are ignored and the rest are backported.
>> For Jammy and Lunar, it is a clean cherry pick.
>>
>> [Test]
>> Only a boot test has been performed so far; more comprehensive tests will come
>> in a few days.
>>
>> [Potential Regression]
>> Regressions should be limited to the modified file.
>>
>> Florian Westphal (1):
>>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
>>
>>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>>   1 file changed, 14 insertions(+), 8 deletions(-)
>>
> Applied to focal,jammy,lunar:master-next. Thanks! CVE reference was 
> missing in the focal patch.
>
> Roxana
>
Roxana Nicolescu Sept. 28, 2023, 7:46 a.m. UTC | #5
On 27/09/2023 15:51, Yuxuan Luo wrote:
> This patch also applies to Jammy-OEM-6.1. Sorry for the inconvenience.
>
> On 9/20/23 04:39, Roxana Nicolescu wrote:
>>
>> On 18/09/2023 23:31, Yuxuan Luo wrote:
>>> [Impact]
>>> A stack-based out-of-bounds write flaw was found in the netfilter
>>> subsystem in the Linux kernel. If the expression length is a multiple of
>>> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
>>> NULL bytes past the end of the `regs` argument, leading to stack
>>> corruption and potential information disclosure or a denial of service.
>>>
>>> [Backport]
>>> The fix commit fixes four occurrences introduced by different break
>>> commits. Since not all break commits are present in the Focal tree, some
>>> hunks are ignored and the rest are backported.
>>> For Jammy and Lunar, it is a clean cherry pick.
>>>
>>> [Test]
>>> Only a boot test has been performed so far; more comprehensive tests will come
>>> in a few days.
>>>
>>> [Potential Regression]
>>> Regressions should be limited to the modified file.
>>>
>>> Florian Westphal (1):
>>>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
>>>
>>>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>>>   1 file changed, 14 insertions(+), 8 deletions(-)
>>>
>> Applied to focal,jammy,lunar:master-next. Thanks! CVE reference was 
>> missing in the focal patch.
>>
>> Roxana
>>
>
Adding Timo as CC.
Timo Aaltonen Sept. 28, 2023, 11:38 a.m. UTC | #6
Yuxuan Luo wrote on 19.9.2023 at 0.31:
> [Impact]
> A stack-based out-of-bounds write flaw was found in the netfilter
> subsystem in the Linux kernel. If the expression length is a multiple of
> 4 (register size), the `nft_exthdr_eval` family of functions writes 4
> NULL bytes past the end of the `regs` argument, leading to stack
> corruption and potential information disclosure or a denial of service.
> 
> [Backport]
> The fix commit fixes four occurrences introduced by different break
> commits. Since not all break commits are present in the Focal tree, some
> hunks are ignored and the rest are backported.
> For Jammy and Lunar, it is a clean cherry pick.
> 
> [Test]
> Only a boot test has been performed so far; more comprehensive tests will come
> in a few days.
> 
> [Potential Regression]
> Regressions should be limited to the modified file.
> 
> Florian Westphal (1):
>    netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
> 

applied to oem-6.1, thanks