ACK/Cmnt: [PATCH 0/3][B/G/oem-5.6] CVE-2021-29650: xtables membarrier DoS

Stefan Bader stefan.bader at canonical.com
Thu Apr 8 08:01:26 UTC 2021


On 06.04.21 16:45, Tim Gardner wrote:
> [SRU Justification]
> 
> An issue was discovered in the Linux kernel before 5.11.11. The netfilter
> subsystem allows attackers to cause a denial of service (panic) because
> net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a
> full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
> 
> This DOS has existed since v3.0. It was partially mitigated by
> cc00bcaa589914096edef7fb87ca5cee4a166b5c ("netfilter: x_tables: Switch
> synchronization to RCU") in v5.10, but was then reverted in v5.12 which restored the
> full DOS vulnerability. Hence the fix commit 175e476b8cdf2a4de7432583b49c871345e4f8a1
> in v5.12.
> 
> Focal, Hirsute, and oem-5.10 will get this patch via stable updates.
> 
> [Test Plan]
> 
> None
> 
> [Where problems could occur]
> 
> At most this patch might introduce a performance reduction, though
> upstream testing has not been able to detect any.
> 
> [Other Info]
> 
> Released in stable updates:
> linux-4.19.y
> linux-5.10.y
> linux-5.11.y
> linux-5.4.y
> 
> 
For Groovy I was wondering what would happen if the revert of the RCU patches 
appears as stable patches. That patch dropped a smp_wmb() call, so if the revert 
happens this gets re-introduced. Is there any good way to prevent this?

For the time being:
Acked-by: Stefan Bader <stefan.bader at canonical.com>
