From patchwork Fri Feb 9 21:11:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1897221 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com (client-ip=185.125.189.65; helo=lists.ubuntu.com; envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=patchwork.ozlabs.org) Received: from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TWmkm3ZKJz23hf for ; Sat, 10 Feb 2024 08:12:00 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=lists.ubuntu.com) by lists.ubuntu.com with esmtp (Exim 4.86_2) (envelope-from ) id 1rYYA5-0001B2-2p; Fri, 09 Feb 2024 21:11:53 +0000 Received: from smtp-relay-internal-1.internal ([10.131.114.114] helo=smtp-relay-internal-1.canonical.com) by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2) (envelope-from ) id 1rYY9g-00019m-LD for kernel-team@lists.ubuntu.com; Fri, 09 Feb 2024 21:11:32 +0000 Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com [209.85.219.72]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 44BDF3F131 for ; Fri, 9 Feb 2024 21:11:28 +0000 (UTC) Received: by mail-qv1-f72.google.com with SMTP id 6a1803df08f44-68c52361422so19424336d6.3 for ; Fri, 09 Feb 2024 13:11:28 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707513087; x=1708117887; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=lghd3LMTdYlVB+hoonP8lczmd8B4mU2Vrc1V+76qSn8=; b=pS9FxjV7zkh1Uk5zh6I6R1ieEzGgfZsEySoP3Ac/63VQvuNHnaxi7x7iHxvSbwxs0l 7D+WsVmcVJG7BZlVU90kifT1whP/DoSA0m6n+nFVGi9aBTxu5AKmc/m56uIqak3+gY0S VXYSULx9SR4g4T6jaQBuZXIe/unFtVGKfj0bgagNc9mJPdLf7F4E+7rpkT8SkW++tBdK y0/uitytz38C7ZZLOrir2rIBIQv/a94Nxgg40P+fb5pxrhzGUvhIGFldhWCpSV6OsaRQ nDoIhNo/L59NK8oQKdibV/ylJL0p4t+VjemZsSzEkOOAQTJqGWE30NzqDVDzRRzyqQP0 zj4Q== X-Gm-Message-State: AOJu0Yxw+BLgJFsby5mPyNCyUSFDWJnuTpvXQiHcKH/9XIRVoEjJ5ZS5 9iIm1q9BgbdlhYcp6ryv41MqEHAeEO63YTtxfLcYWSv8d8QQ+QhZpCHZ1d5IwoTD7Zs6mUG+Nj7 HEkozV3PV2s6Ekkj1lPJzfNcU33/wyfJPRf3UG4VT9Wo46ClWposKy+s0UTKcbRQxTE6YJYIsbf gQHVpXKRkqyg== X-Received: by 2002:a0c:f050:0:b0:68c:3f60:f09a with SMTP id b16-20020a0cf050000000b0068c3f60f09amr306415qvl.47.1707513087022; Fri, 09 Feb 2024 13:11:27 -0800 (PST) X-Google-Smtp-Source: AGHT+IHpxVwia5H/P83JjaAJHTeQEoXA6X75Z0WTshcIwxvAJ58A/CuH1ynl1pso/yunPI54Lvx/Dw== X-Received: by 2002:a0c:f050:0:b0:68c:3f60:f09a with SMTP id b16-20020a0cf050000000b0068c3f60f09amr306401qvl.47.1707513086683; Fri, 09 Feb 2024 13:11:26 -0800 (PST) Received: from smtp.gmail.com (104-218-69-129.dynamic.lnk.ne.allofiber.net. [104.218.69.129]) by smtp.gmail.com with ESMTPSA id mv7-20020a056214338700b00686965d4be0sm1171080qvb.90.2024.02.09.13.11.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 09 Feb 2024 13:11:26 -0800 (PST) From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][Mantic][Jammy][Focal][PATCH 0/1] CVE-2024-1086 Date: Fri, 9 Feb 2024 15:11:23 -0600 Message-Id: <20240209211125.56995-1-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" [Impact] A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. [Fix] Mantic: Clean cherry-pick. Jammy: Mantic patch applied cleanly. Focal: Backported - There was a context merge conflict because upstream has updated the fallthrough in the switch from implicit to explicit, but the fix commit removes the switch entirely. I accepted the incoming changes from the fix commit as given. [Test Case] Compile and boot tested. [Regression Potential] Issues could occur when running nft_verdict_init(). Florian Westphal (1): netfilter: nf_tables: reject QUEUE/DROP verdict parameters net/netfilter/nf_tables_api.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) Acked-by: Stefan Bader Acked-by: Roxana Nicolescu