Message ID | 20231026130554.248615-1-magali.lemes@canonical.com |
---|---|
Series | CVE-2023-39192 |
On 26.10.23 15:05, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32
> module did not validate the fields in the xt_u32 structure. This flaw allows a
> local privileged attacker to trigger an out-of-bounds read by setting the size
> fields with a value beyond the array boundaries, leading to a crash or
> information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> # Log any echo reply message. u32 language is explained in the iptables-extensions manpage.
> (vm) $ sudo iptables -A OUTPUT -m u32 --u32 "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0" -j LOG
>
> (host) $ ping $VM_IP
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the u32 packet matching module.
>
> Wander Lairson Costa (1):
>   netfilter: xt_u32: validate user space input
>
>  net/netfilter/xt_u32.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>

Acked-by: Stefan Bader <stefan.bader@canonical.com>

On 26/10/2023 15:05, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32
> module did not validate the fields in the xt_u32 structure. This flaw allows a
> local privileged attacker to trigger an out-of-bounds read by setting the size
> fields with a value beyond the array boundaries, leading to a crash or
> information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> # Log any echo reply message. u32 language is explained in the iptables-extensions manpage.
> (vm) $ sudo iptables -A OUTPUT -m u32 --u32 "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0" -j LOG
>
> (host) $ ping $VM_IP
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the u32 packet matching module.
>
> Wander Lairson Costa (1):
>   netfilter: xt_u32: validate user space input
>
>  net/netfilter/xt_u32.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>

Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>

On 26/10/2023 15:05, Magali Lemes wrote:
> [Impact]
> A flaw was found in the Netfilter subsystem in the Linux kernel. The xt_u32
> module did not validate the fields in the xt_u32 structure. This flaw allows a
> local privileged attacker to trigger an out-of-bounds read by setting the size
> fields with a value beyond the array boundaries, leading to a crash or
> information disclosure.
>
> [Backport]
> Clean cherry-pick.
>
> [Test]
> Compile, boot and smoke tested on a VM:
> ```
> # Log any echo reply message. u32 language is explained in the iptables-extensions manpage.
> (vm) $ sudo iptables -A OUTPUT -m u32 --u32 "6 & 0xFF = 1 && 4 & 0x3FFF = 0 && 0 >> 22 & 0x3C @ 0 >> 24 = 0" -j LOG
>
> (host) $ ping $VM_IP
>
> (vm) $ sudo dmesg | tail # here we expect to see some logs
> ```
>
> [Regression potential]
> Limited to the u32 packet matching module.
>
> Wander Lairson Costa (1):
>   netfilter: xt_u32: validate user space input
>
>  net/netfilter/xt_u32.c | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>

Applied to f,j,l:master-next. Thanks!

Roxana
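
The [Impact] text quoted in this thread describes size fields in the xt_u32 structure being trusted without a bounds check. As an added example (not part of the thread and not the kernel patch itself), the following userspace C model shows that kind of validation at rule-load time; the `model_*` names and the array bound of 10 are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <errno.h>
#include <string.h>

#define MODEL_MAXSIZE 10  /* assumed array bound for this model */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

struct model_location { uint32_t number; uint8_t nextop; };
struct model_value { uint32_t min, max; };

struct model_test {
    struct model_location location[MODEL_MAXSIZE + 1];
    struct model_value value[MODEL_MAXSIZE + 1];
    uint8_t nnums;    /* entries of location[] in use, caller-supplied */
    uint8_t nvalues;  /* entries of value[] in use, caller-supplied */
};

struct model_rule {
    struct model_test tests[MODEL_MAXSIZE + 1];
    uint8_t ntests;   /* entries of tests[] in use, caller-supplied */
};

/* Reject a rule whose counters exceed the arrays they index.
 * Returns 0 if every counter is in bounds, -EINVAL otherwise. */
int model_check_rule(const struct model_rule *r)
{
    if (r->ntests > ARRAY_SIZE(r->tests))
        return -EINVAL;
    for (size_t i = 0; i < r->ntests; i++) {
        const struct model_test *t = &r->tests[i];
        if (t->nnums > ARRAY_SIZE(t->location) ||
            t->nvalues > ARRAY_SIZE(t->value))
            return -EINVAL;
    }
    return 0;
}

/* Constructed sample: one test with in-bounds counters. */
struct model_rule model_sample_rule(void)
{
    struct model_rule r;
    memset(&r, 0, sizeof(r));
    r.ntests = 1;
    r.tests[0].nnums = 2;
    r.tests[0].nvalues = 1;
    return r;
}
```

Because the counters are 8-bit, a caller can supply values up to 255 against arrays of 11 entries, so the check has to run once when the rule is accepted, before any per-packet code loops over the arrays.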