[SRU,Mantic,Jammy,Focal,0/1] CVE-2024-1086

Message ID 20240209211125.56995-1-bethany.jamison@canonical.com
Series: CVE-2024-1086

Message

Bethany Jamison Feb. 9, 2024, 9:11 p.m. UTC
[Impact]

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation.
The nft_verdict_init() function allows positive values as drop error within
the hook verdict, and hence the nf_hook_slow() function can cause a double
free vulnerability when NF_DROP is issued with a drop error which resembles
NF_ACCEPT.

[Fix]

Mantic: Clean cherry-pick.
Jammy: Mantic patch applied cleanly.
Focal: Backported - There was a context merge conflict because upstream has
updated the fallthrough in the switch from implicit to explicit, but the fix
commit removes the switch entirely. I accepted the incoming changes from the
fix commit as given.

[Test Case]

Compile and boot tested.

[Regression Potential]

Issues could occur when running nft_verdict_init().

Florian Westphal (1):
  netfilter: nf_tables: reject QUEUE/DROP verdict parameters

 net/netfilter/nf_tables_api.c | 16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)
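The [Impact] section turns on how a netfilter verdict word is laid out: the low byte carries the verdict code (NF_DROP, NF_ACCEPT, NF_QUEUE), and the upper 16 bits carry a parameter, an errno for DROP or a queue number for QUEUE. The following is an added illustration, not code from the cover letter, the kernel patch or the kernel itself. It mirrors the UAPI constants from include/uapi/linux/netfilter.h, models a loose check that only inspects the low byte beside a strict check that accepts only the bare codes (which is what "reject QUEUE/DROP verdict parameters" amounts to), and models the DROP branch of hook dispatch to show why a DROP word whose upper bits hold a positive "error" is returned as 1, the same value as NF_ACCEPT. The function names check_verdict_loose, check_verdict_strict and drop_path_result are hypothetical and exist only for this example.

```c
/* Added example: verdict-word encoding, loose vs strict validation, and the
 * DROP path result. Constants mirror include/uapi/linux/netfilter.h; the
 * function names are hypothetical and not part of the kernel. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff   /* low byte: the verdict code */
#define NF_VERDICT_QBITS 16           /* upper 16 bits: errno or queue number */

/* DROP carrying errno x (x is negative) in the upper bits. */
#define NF_DROP_ERR(x) (((-(x)) << NF_VERDICT_QBITS) | NF_DROP)

/* Recover the errno from a DROP verdict word (arithmetic shift, as the kernel
 * helper does): a negative upper half yields a positive "errno". */
static inline int nf_drop_geterr(int verdict)
{
	return -(verdict >> NF_VERDICT_QBITS);
}

/* Loose check: only the low byte is inspected, so arbitrary upper bits ride
 * along with a DROP or QUEUE code. Models the behaviour the fix removes.
 * Returns 0 when accepted, -EINVAL otherwise. */
int check_verdict_loose(uint32_t code)
{
	switch (code & NF_VERDICT_MASK) {
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return 0;
	default:
		return -EINVAL;
	}
}

/* Strict check: the whole word must equal a bare verdict code, so no
 * userspace-supplied errno or queue parameter gets through. */
int check_verdict_strict(uint32_t code)
{
	switch (code) {
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return 0;
	default:
		return -EINVAL;
	}
}

/* Model of the DROP branch in hook dispatch: the packet is released and the
 * encoded errno is returned, defaulting to -EPERM. A return value of 1 is
 * indistinguishable from NF_ACCEPT to the caller, which then keeps treating an
 * already-released packet as live. */
int drop_path_result(int verdict)
{
	int ret = nf_drop_geterr(verdict);

	return ret == 0 ? -EPERM : ret;
}

int main(void)
{
	/* Constructed verdict words for the demonstration. */
	uint32_t legit_drop = NF_DROP_ERR(-EPERM); /* 0x00010000: DROP with -EPERM */
	uint32_t odd_drop   = 0xffff0000u;         /* low byte NF_DROP, upper half -1 */

	printf("DROP(-EPERM): loose=%d strict=%d path=%d\n",
	       check_verdict_loose(legit_drop), check_verdict_strict(legit_drop),
	       drop_path_result((int)legit_drop));
	printf("DROP(+1):     loose=%d strict=%d path=%d (NF_ACCEPT is %d)\n",
	       check_verdict_loose(odd_drop), check_verdict_strict(odd_drop),
	       drop_path_result((int)odd_drop), NF_ACCEPT);
	return 0;
}
```

The strict check also rejects a well-formed DROP-with-errno word coming from userspace; that is intentional and matches the patch title, since the errno parameter is something the kernel attaches internally, not something a ruleset should be able to set.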

Comments

Stefan Bader Feb. 13, 2024, 8:12 a.m. UTC | #1
On 09.02.24 22:11, Bethany Jamison wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_verdict_init() function allows positive values as drop error within
> the hook verdict, and hence the nf_hook_slow() function can cause a double
> free vulnerability when NF_DROP is issued with a drop error which resembles
> NF_ACCEPT.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backported - There was a context merge conflict because upstream has
> updated the fallthrough in the switch from implicit to explicit, but the fix
> commit removes the switch entirely. I accepted the incoming changes from the
> fix commit as given.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur when running nft_verdict_init().
> 
> Florian Westphal (1):
>    netfilter: nf_tables: reject QUEUE/DROP verdict parameters
> 
>   net/netfilter/nf_tables_api.c | 16 ++++++----------
>   1 file changed, 6 insertions(+), 10 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Roxana Nicolescu Feb. 13, 2024, 12:38 p.m. UTC | #2
On 09/02/2024 22:11, Bethany Jamison wrote:
> [Impact]
>
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_verdict_init() function allows positive values as drop error within
> the hook verdict, and hence the nf_hook_slow() function can cause a double
> free vulnerability when NF_DROP is issued with a drop error which resembles
> NF_ACCEPT.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backported - There was a context merge conflict because upstream has
> updated the fallthrough in the switch from implicit to explicit, but the fix
> commit removes the switch entirely. I accepted the incoming changes from the
> fix commit as given.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur when running nft_verdict_init().
>
> Florian Westphal (1):
>    netfilter: nf_tables: reject QUEUE/DROP verdict parameters
>
>   net/netfilter/nf_tables_api.c | 16 ++++++----------
>   1 file changed, 6 insertions(+), 10 deletions(-)
>
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Stefan Bader Feb. 19, 2024, 10:16 a.m. UTC | #3
On 09.02.24 22:11, Bethany Jamison wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_verdict_init() function allows positive values as drop error within
> the hook verdict, and hence the nf_hook_slow() function can cause a double
> free vulnerability when NF_DROP is issued with a drop error which resembles
> NF_ACCEPT.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backported - There was a context merge conflict because upstream has
> updated the fallthrough in the switch from implicit to explicit, but the fix
> commit removes the switch entirely. I accepted the incoming changes from the
> fix commit as given.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur when running nft_verdict_init().
> 
> Florian Westphal (1):
>    netfilter: nf_tables: reject QUEUE/DROP verdict parameters
> 
>   net/netfilter/nf_tables_api.c | 16 ++++++----------
>   1 file changed, 6 insertions(+), 10 deletions(-)
> 

Applied to mantic,jammy,focal:linux/master-next. Thanks.

-Stefan