NACK/Cmnt: [PATCH 0/8 v2][B/F/G/OEM-5.6/OEM-5.10 v3] CVE-2021-29650: xtables membarrier DoS
Tim Gardner
tim.gardner at canonical.com
Fri Apr 9 12:50:57 UTC 2021
On 4/9/21 6:14 AM, Stefan Bader wrote:
> On 08.04.21 20:40, Tim Gardner wrote:
>> v2 - Update Groovy patches. Add Focal, OEM-5.10
>> v3 - Embed release name in patch subject.
>>
>> [SRU Justification]
>>
>> An issue was discovered in the Linux kernel before 5.11.11. The netfilter
>> subsystem allows attackers to cause a denial of service (panic) because
>> net/netfilter/x_tables.c and include/linux/netfilter/x_tables.h lack a
>> full memory barrier upon the assignment of a new table value, aka
>> CID-175e476b8cdf.
>>
>> This DoS has existed since v3.0. It was partially mitigated by
>> cc00bcaa589914096edef7fb87ca5cee4a166b5c ("netfilter: x_tables: Switch
>> synchronization to RCU") in v5.10, but that was then reverted in v5.12,
>> which restored the full DoS vulnerability. Hence the fix commit
>> 175e476b8cdf2a4de7432583b49c871345e4f8a1 in v5.12.
>>
>> Focal, Groovy, and OEM-5.6 required (Revert "netfilter: x_tables: Switch
>> synchronization to RCU") in order to cleanly apply "netfilter: x_tables:
>> Use correct memory barriers.".
>>
>> [Test Plan]
>> None - this one is quite difficult to reproduce. It was tested on a 4
>> core MIPS.
>>
>> [Where problems could occur]
>> At most this patch might introduce a performance reduction, though
>> upstream testing has not been able to detect any. Upstream seems
>> confident that reverting the RCU patch and applying the write barrier
>> patch was the right thing to do.
>>
>> [Other Info]
>> None
>>
> When looking at upstream, this seems to require 2 reverts. The second
> being a fixup for the RCU one:
>
> commit abe7034b9a8d57737e80cc16d60ed3666990bdbf
> Author: Mark Tomlinson <mark.tomlinson at alliedtelesis.co.nz>
> Date: Mon Mar 8 14:24:11 2021 +1300
>
> Revert "netfilter: x_tables: Update remaining dereference to RCU"
>
> This reverts commit 443d6e86f821a165fae3fc3fc13086d27ac140b1.
>
I wasn't sure about that since it wasn't strictly required. V3 on the way.
rtg
-----------
Tim Gardner
Canonical, Inc