NACK/Cmnt[Impish/Focal] [SRU Focal/Impish/OEM-5.14/Jammy 0/1] CVE-2022-25636

Stefan Bader stefan.bader at canonical.com
Mon Mar 14 10:39:46 UTC 2022


On 22.02.22 18:49, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> As reported at https://www.openwall.com/lists/oss-security/2022/02/21/2,
> a heap out-of-bounds write may be triggered by an unprivileged user
> using network namespaces and nftables. This can lead to a crash or local
> privilege escalation.
> 
> [Backport]
> 5.4 backport required a conflict fixup because offload_stats is not
> present in struct nft_expr_ops. The fix came from net.git.
> 
> [Test case]
> The reproducer shared at
> https://www.openwall.com/lists/oss-security/2022/02/21/2 was used.
> 
> [Potential regression]
> nftables users would be affected.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables_offload: incorrect flow offload action array size
> 
>   include/net/netfilter/nf_tables.h         |  2 +-
>   include/net/netfilter/nf_tables_offload.h |  2 --
>   net/netfilter/nf_tables_offload.c         |  3 ++-
>   net/netfilter/nft_dup_netdev.c            |  6 ++++++
>   net/netfilter/nft_fwd_netdev.c            |  6 ++++++
>   net/netfilter/nft_immediate.c             | 12 +++++++++++-
>   6 files changed, 26 insertions(+), 5 deletions(-)
> 

This was already applied and released (5.13.0-33.37 and 5.4.0-103.117) for 
Impish and Focal.

-Stefan
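The [Impact] section above describes the bug class behind CVE-2022-25636 only in one sentence: the offload action array is sized by one predicate while the code that fills it follows another, so the fill loop can run past a heap allocation. The following is an added illustration of that mismatch, not the kernel's nf_tables_offload code and not Pablo's patch; the expression kinds, the toy OPFLAG_ACTION flag, and every function name are hypothetical, and the sample rule is constructed for the demonstration. The "pre-fix" counter trusts a static per-op flag; the "post-fix" counter asks each expression instance at build time, which is the shape of the change the diffstat above (nft_immediate.c, nft_fwd_netdev.c, nft_dup_netdev.c) suggests.

```c
/*
 * Added illustration of the CVE-2022-25636 bug class, not kernel code.
 * An action array is sized by one predicate (a static per-op flag) while
 * the fill loop decides per expression instance; when the two disagree
 * the fill loop writes past the heap allocation. All names, the expression
 * set and the sample rule below are hypothetical/constructed.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum expr_kind {
    EXPR_MATCH,             /* a match, never an action */
    EXPR_IMMEDIATE_DATA,    /* immediate op, but emits no action */
    EXPR_IMMEDIATE_VERDICT, /* immediate op, emits one action */
    EXPR_FWD,               /* emits one action */
    EXPR_DUP                /* emits one action */
};

#define OPFLAG_ACTION 0x1u  /* toy per-op "this op is an action" flag */

struct expr {
    enum expr_kind kind;
    unsigned int opflags;
};

struct action_array {
    size_t capacity;  /* slots allocated */
    size_t num;       /* slots filled */
    int *entries;
};

/* Pre-fix sizing model: counts by the static per-op flag only. */
static size_t count_by_opflag(const struct expr *exprs, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (exprs[i].opflags & OPFLAG_ACTION)
            c++;
    return c;
}

/* Post-fix model: each expression instance answers at build time. */
static bool emits_action(const struct expr *e)
{
    switch (e->kind) {
    case EXPR_IMMEDIATE_VERDICT:
    case EXPR_FWD:
    case EXPR_DUP:
        return true;
    default:
        return false;
    }
}

static size_t count_by_callback(const struct expr *exprs, size_t n)
{
    size_t c = 0;
    for (size_t i = 0; i < n; i++)
        if (emits_action(&exprs[i]))
            c++;
    return c;
}

/*
 * Fill loop. Returns how many writes exceeded capacity; without the
 * bounds check each of those would be a heap out-of-bounds write.
 */
static int fill_actions(const struct expr *exprs, size_t n,
                        struct action_array *arr)
{
    int dropped = 0;
    arr->num = 0;
    for (size_t i = 0; i < n; i++) {
        if (!emits_action(&exprs[i]))
            continue;
        if (arr->num >= arr->capacity) {
            dropped++;
            continue;
        }
        arr->entries[arr->num++] = (int)exprs[i].kind;
    }
    return dropped;
}

/* Constructed rule: the toy flag is set on both immediate forms only. */
static const struct expr sample_rule[] = {
    { EXPR_MATCH,             0 },
    { EXPR_IMMEDIATE_DATA,    OPFLAG_ACTION },
    { EXPR_FWD,               0 },
    { EXPR_DUP,               0 },
    { EXPR_IMMEDIATE_VERDICT, OPFLAG_ACTION },
};
#define SAMPLE_N (sizeof sample_rule / sizeof sample_rule[0])

/* Size with the given counter, fill, return the over-capacity write count. */
static int run_with(size_t (*counter)(const struct expr *, size_t))
{
    struct action_array arr;
    arr.capacity = counter(sample_rule, SAMPLE_N);
    arr.entries = calloc(arr.capacity ? arr.capacity : 1, sizeof *arr.entries);
    if (!arr.entries)
        return -1;
    int dropped = fill_actions(sample_rule, SAMPLE_N, &arr);
    free(arr.entries);
    return dropped;
}

int overflow_with_opflag_sizing(void)   { return run_with(count_by_opflag); }
int overflow_with_callback_sizing(void) { return run_with(count_by_callback); }

int main(void)
{
    printf("opflag sizing:   %d over-capacity write(s)\n", overflow_with_opflag_sizing());
    printf("callback sizing: %d over-capacity write(s)\n", overflow_with_callback_sizing());
    return 0;
}
```

With the flag-based counter the sample rule gets two slots but three actions are emitted, so one write lands past the allocation; with the per-instance counter the sizes agree. The general lesson for review of similar code is that the allocation size and the fill loop must derive from the same predicate, and that a bounds check in the fill loop turns a silent heap corruption into a detectable failure.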