NACK: [PATCH 0/8 v2][B/F/G/OEM-5.6/OEM-5.10 v2] CVE-2021-29650: xtables membarrier DoS
Tim Gardner
tim.gardner at canonical.com
Thu Apr 8 18:35:47 UTC 2021
Forgot to name the patches.
On 4/8/21 11:30 AM, Tim Gardner wrote:
> v2 - Update Groovy patches. Add Focal, OEM-5.10
>
> [SRU Justification]
>
> An issue was discovered in the Linux kernel before 5.11.11. The netfilter
> subsystem allows attackers to cause a denial of service (panic) because
> net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a
> full memory barrier upon the assignment of a new table value, aka CID-175e476b8cdf.
>
> This DOS has existed since v3.0. It was partially mitigated by
> cc00bcaa589914096edef7fb87ca5cee4a166b5c ("netfilter: x_tables: Switch
> synchronization to RCU") in v5.10, but was then reverted in v5.12 which restored the
> full DOS vulnerability. Hence the fix commit 175e476b8cdf2a4de7432583b49c871345e4f8a1
> in v5.12.
>
> Focal, Groovy, and OEM-5.6 required (Revert "netfilter: x_tables: Switch
> synchronization to RCU") in order to cleanly apply "netfilter: x_tables: Use correct
> memory barriers.".
>
> [Test Plan]
> None - this one is quite difficult to reproduce. It was tested on a 4 core MIPS.
>
> [Where problems could occur]
> At most this patch might introduce a performance reduction, though
> upstream testing has not been able to detect any. Upstream seems
> confident that reverting the RCU patch and applying the write barrier
> patch was the right thing to do.
>
> [Other Info]
> None
>
--
-----------
Tim Gardner
Canonical, Inc
More information about the kernel-team
mailing list