[SRU,Mantic,Jammy,0/1] CVE-2024-1085

Message ID 20240221190748.53029-1-bethany.jamison@canonical.com
Series: CVE-2024-1085

Message

Bethany Jamison Feb. 21, 2024, 7:07 p.m. UTC
[Impact]

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation.
The nft_setelem_catchall_deactivate() function checks whether the catch-all
set element is active in the current generation instead of the next
generation before freeing it, but only flags it inactive in the next
generation, making it possible to free the element multiple times, leading
to a double free vulnerability.

[Fix]

Mantic: Clean cherry-pick.
Jammy: Mantic patch applied cleanly.

[Test Case]

Compile and boot tested.

[Regression Potential]

Issues could occur when using netfilter tables when freeing up memory.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: check if catch-all set element is active in next
    generation

 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
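The generation-mask rule the one-line fix relies on is easy to get wrong, so here is an added, self-contained C model of it; this is editor's illustrative code, not the cover letter's, the kernel's, or the patch's. It assumes what the description above states: a batch runs against the next generation, deactivation only flips the element's next-generation bit, and every accepted delete queues a transaction that frees the element at commit. The helper names (genmask_cur, is_active, is_active_next, change_active, catchall_deactivate) are simplified stand-ins for the kernel's nft_genmask_cur()/nft_is_active()/nft_is_active_next()/nft_set_elem_change_active()/nft_setelem_catchall_deactivate(), and the set is reduced to a single catch-all element.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of nf_tables generation masks (illustrative, not
 * kernel code). Each object carries a two-bit genmask; a set bit means
 * "inactive in that generation". A transaction batch builds the *next*
 * generation; commit flips gencursor so "next" becomes "current".
 */
struct net_model {
	unsigned int gencursor;		/* 0 or 1 */
};

struct elem_model {
	uint8_t genmask;		/* bit i set: inactive in generation i */
};

static uint8_t genmask_cur(const struct net_model *net)
{
	return (uint8_t)(1u << net->gencursor);
}

static uint8_t genmask_next(const struct net_model *net)
{
	return (uint8_t)(1u << (net->gencursor ^ 1u));
}

/* Stand-in for nft_is_active(): current-generation bit clear. */
static int is_active(const struct net_model *net, const struct elem_model *e)
{
	return !(e->genmask & genmask_cur(net));
}

/* Stand-in for nft_is_active_next(): next-generation bit clear. */
static int is_active_next(const struct net_model *net,
			  const struct elem_model *e)
{
	return !(e->genmask & genmask_next(net));
}

/* Stand-in for nft_set_elem_change_active(): toggles only the next bit. */
static void change_active(const struct net_model *net, struct elem_model *e)
{
	e->genmask ^= genmask_next(net);
}

enum check_mode {
	CHECK_CURRENT,	/* pre-fix behaviour: check the current generation */
	CHECK_NEXT,	/* post-fix behaviour: check the next generation */
};

/*
 * Stand-in for nft_setelem_catchall_deactivate() with one catch-all
 * element. On success the element is flagged inactive in the next
 * generation and one delete transaction is queued; each queued
 * transaction would kfree() the element at commit time.
 */
static int catchall_deactivate(struct net_model *net, struct elem_model *e,
			       enum check_mode mode, int *queued_frees)
{
	int active = (mode == CHECK_CURRENT) ? is_active(net, e)
					     : is_active_next(net, e);

	if (!active)
		return -ENOENT;

	change_active(net, e);
	(*queued_frees)++;
	return 0;
}

/*
 * Two deletes of the same catch-all element in one batch, before any
 * commit. Returns the number of frees queued for it; more than one is
 * a double free at commit.
 */
static int frees_after_double_delete(enum check_mode mode)
{
	struct net_model net = { .gencursor = 0 };
	struct elem_model e = { .genmask = 0 };	/* active in both generations */
	int queued = 0;

	catchall_deactivate(&net, &e, mode, &queued);
	catchall_deactivate(&net, &e, mode, &queued);
	return queued;
}

/* Return code of the second delete in the same scenario. */
static int second_delete_rc(enum check_mode mode)
{
	struct net_model net = { .gencursor = 0 };
	struct elem_model e = { .genmask = 0 };
	int queued = 0;

	catchall_deactivate(&net, &e, mode, &queued);
	return catchall_deactivate(&net, &e, mode, &queued);
}

int main(void)
{
	printf("current-gen check: %d free(s) queued, second delete rc=%d\n",
	       frees_after_double_delete(CHECK_CURRENT),
	       second_delete_rc(CHECK_CURRENT));
	printf("next-gen check:    %d free(s) queued, second delete rc=%d\n",
	       frees_after_double_delete(CHECK_NEXT),
	       second_delete_rc(CHECK_NEXT));
	return 0;
}
```

With the current-generation check the first delete flips the next bit, the second delete still sees the current bit clear, passes, flips the next bit back, and queues a second free of the same object. With the next-generation check the second delete sees the bit it just set and fails with -ENOENT, which is the whole effect of the patch.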

Comments

Jose Ogando Feb. 22, 2024, 5:31 a.m. UTC | #1
LGTM

Acked-by: Jose Ogando <jose.ogando@canonical.com>

On Wed, 2024-02-21 at 13:07 -0600, Bethany Jamison wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times, leading
> to a double free vulnerability.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur when using netfilter tables when freeing up memory.
> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: check if catch-all set element is active in next
>     generation
> 
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.34.1
> 
>
Manuel Diewald Feb. 22, 2024, 8:38 a.m. UTC | #2
On Wed, Feb 21, 2024 at 01:07:47PM -0600, Bethany Jamison wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times, leading
> to a double free vulnerability.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur when using netfilter tables when freeing up memory.
> 
> Pablo Neira Ayuso (1):
>   netfilter: nf_tables: check if catch-all set element is active in next
>     generation
> 
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> -- 
> 2.34.1
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Acked-by: Manuel Diewald <manuel.diewald@canonical.com>
Roxana Nicolescu Feb. 23, 2024, 12:43 p.m. UTC | #3
On 21/02/2024 20:07, Bethany Jamison wrote:
> [Impact]
>
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_setelem_catchall_deactivate() function checks whether the catch-all
> set element is active in the current generation instead of the next
> generation before freeing it, but only flags it inactive in the next
> generation, making it possible to free the element multiple times, leading
> to a double free vulnerability.
>
> [Fix]
>
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
>
> [Test Case]
>
> Compile and boot tested.
>
> [Regression Potential]
>
> Issues could occur when using netfilter tables when freeing up memory.
>
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: check if catch-all set element is active in next
>      generation
>
>   net/netfilter/nf_tables_api.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)

Applied to mantic, jammy master-next branches. Thanks!