ACK: [SRU Focal/Impish/OEM-5.14/Jammy 0/1] CVE-2022-25636

Stefan Bader stefan.bader at canonical.com
Thu Feb 24 07:30:14 UTC 2022


On 22.02.22 18:49, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> As reported at https://www.openwall.com/lists/oss-security/2022/02/21/2,
> a heaps out-of-bound write may be trigerred by an unprivileged user
> using network namespaces and nftables. This can lead to a crash or local
> privilege escalation.
> 
> [Backport]
> 5.4 backport required a conflict fixup because offload_stats is not
> present in struct nft_expr_ops. The fix came from net.git.
> 
> [Test case]
> The reproducer shared at
> https://www.openwall.com/lists/oss-security/2022/02/21/2 was used.
> 
> [Potential regression]
> nftables users would be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables_offload: incorrect flow offload action array size
> 
>   include/net/netfilter/nf_tables.h         |  2 +-
>   include/net/netfilter/nf_tables_offload.h |  2 --
>   net/netfilter/nf_tables_offload.c         |  3 ++-
>   net/netfilter/nft_dup_netdev.c            |  6 ++++++
>   net/netfilter/nft_fwd_netdev.c            |  6 ++++++
>   net/netfilter/nft_immediate.c             | 12 +++++++++++-
>   6 files changed, 26 insertions(+), 5 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20220224/11fc8e23/attachment.sig>


More information about the kernel-team mailing list