[PATCH 0/3][B/G/oem-5.6] CVE-2021-29650: xtables membarrier DoS
Tim Gardner
tim.gardner at canonical.com
Tue Apr 6 14:45:59 UTC 2021
[SRU Justification]
An issue was discovered in the Linux kernel before 5.11.11. The netfilter
subsystem allows attackers to cause a denial of service (panic) because
net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a
full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
This DoS has existed since v3.0. It was partially mitigated by
cc00bcaa589914096edef7fb87ca5cee4a166b5c ("netfilter: x_tables: Switch
synchronization to RCU") in v5.10, but was then reverted in v5.12, which restored the
full DoS vulnerability. Hence the fix commit 175e476b8cdf2a4de7432583b49c871345e4f8a1
in v5.12.
Focal, Hirsute, and oem-5.10 will get this patch via stable updates.
[Test Plan]
None
[Where problems could occur]
Released in stable updates:
linux-4.19.y
linux-5.10.y
linux-5.11.y
linux-5.4.y
At most this patch might introduce a performance reduction, though
upstream testing has not been able to detect any.
[Other Info]
None
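As an added illustration (not part of this patch series or of the kernel source): a user-space model of the xt_replace_table() / xt_write_recseq handshake whose barriers the fix strengthens. Forked processes stand in for CPUs on the packet path, C11 atomic fences stand in for smp_wmb()/smp_mb(), and a magic word plus a checksum marks a retired table so that any lookup which slipped past the drain is counted. The names run_demo, fill_table, reader_loop, replace_table and the MAGIC_* markers are constructed for this example.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define NREADERS   2
#define NRULES     4
#define MAGIC_LIVE 0x1ab1e5u   /* constructed marker: table is published */
#define MAGIC_DEAD 0xdeadu     /* constructed marker: table was retired  */

struct table {
    atomic_uint magic;
    unsigned rules[NRULES];
    unsigned check;                    /* sum of rules, lets a reader spot a retired table */
};

struct shared {
    _Atomic(struct table *) private;   /* stands in for xt_table->private     */
    atomic_uint seq[NREADERS];         /* stands in for the per-CPU xt_recseq */
    atomic_uint stop;
    atomic_uint violations;            /* lookups that ran on a retired table */
    struct table pool[2];
};

static void fill_table(struct table *t, unsigned gen)
{
    for (unsigned i = 0; i < NRULES; i++)
        t->rules[i] = gen;
    t->check = NRULES * gen;
    atomic_store(&t->magic, MAGIC_LIVE);
}

/* Packet-path side: the window that xt_write_recseq_begin()/_end() bracket. */
static void reader_loop(struct shared *s, unsigned id)
{
    while (!atomic_load(&s->stop)) {
        atomic_fetch_add_explicit(&s->seq[id], 1, memory_order_relaxed); /* odd = inside */
        /* smp_mb(): the counter store must be visible before the table load.
         * A write-only barrier (smp_wmb) does not order a store before a load. */
        atomic_thread_fence(memory_order_seq_cst);
        /* acquire stands in for the kernel's address-dependency ordering */
        struct table *t = atomic_load_explicit(&s->private, memory_order_acquire);
        unsigned sum = 0;
        for (unsigned i = 0; i < NRULES; i++)
            sum += t->rules[i];
        if (atomic_load_explicit(&t->magic, memory_order_relaxed) != MAGIC_LIVE
            || sum != t->check)
            atomic_fetch_add(&s->violations, 1);
        /* smp_wmb() + increment, as in xt_write_recseq_end(): even = outside */
        atomic_fetch_add_explicit(&s->seq[id], 1, memory_order_release);
    }
}

/* Control-path side: the core of xt_replace_table(). Returns the retired table. */
static struct table *replace_table(struct shared *s, struct table *newinfo)
{
    struct table *old = atomic_load(&s->private);
    atomic_thread_fence(memory_order_release);   /* smp_wmb(): newinfo contents before the pointer */
    atomic_store_explicit(&s->private, newinfo, memory_order_relaxed);
    /* smp_mb(): the new pointer must be globally visible before the counters
     * are sampled; this is the barrier the fix changes from smp_wmb(). */
    atomic_thread_fence(memory_order_seq_cst);
    for (unsigned i = 0; i < NREADERS; i++) {
        unsigned seq = atomic_load(&s->seq[i]);
        if (seq & 1)                              /* reader may still be on `old` */
            while (atomic_load(&s->seq[i]) == seq)
                sched_yield();                    /* cond_resched() stand-in */
    }
    return old;
}

/* Runs `swaps` replacements against NREADERS concurrent readers; returns the
 * number of lookups that saw a retired table (0 when the barriers are right),
 * or -1 on setup failure. */
static long run_demo(unsigned swaps)
{
    struct shared *s = mmap(NULL, sizeof *s, PROT_READ | PROT_WRITE,
                            MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (s == MAP_FAILED)
        return -1;
    fill_table(&s->pool[0], 1);
    atomic_init(&s->pool[1].magic, MAGIC_DEAD);
    atomic_init(&s->private, &s->pool[0]);

    pid_t pid[NREADERS];
    for (unsigned i = 0; i < NREADERS; i++) {
        pid[i] = fork();
        if (pid[i] == 0) {
            reader_loop(s, i);                    /* child: runs until stop is set */
            _exit(0);
        }
        if (pid[i] < 0) {
            atomic_store(&s->stop, 1);
            return -1;
        }
    }

    unsigned cur = 0;
    for (unsigned k = 0; k < swaps; k++) {
        unsigned next = cur ^ 1;
        fill_table(&s->pool[next], k + 2);
        struct table *old = replace_table(s, &s->pool[next]);
        /* every reader has left `old`, so retiring it (kfree in the kernel) is safe */
        atomic_store(&old->magic, MAGIC_DEAD);
        memset(old->rules, 0, sizeof old->rules);
        cur = next;
    }
    atomic_store(&s->stop, 1);
    for (unsigned i = 0; i < NREADERS; i++)
        waitpid(pid[i], NULL, 0);
    long v = atomic_load(&s->violations);
    munmap(s, sizeof *s);
    return v;
}

int main(void)
{
    long v = run_demo(2000);
    printf("lookups that hit a retired table: %ld\n", v);
    return v == 0 ? 0 : 1;
}
```

Both sides of the handshake are store-then-load orderings (reader: counter store, then table load; writer: pointer store, then counter loads), which is exactly what a write-only barrier does not provide and why the fix uses smp_mb(). With the full fences in place the reported count is 0; the model only counts misses, it does not reproduce the kernel panic.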