[SRU][Jammy/Mantic][PATCH 0/1] CVE-2023-6111
Yuxuan Luo
yuxuan.luo at canonical.com
Tue Dec 5 20:51:11 UTC 2023
This patch has already been sent for OEM-6.1. However, since the break
commit has been backported to upstream stable, Jammy and Mantic are now
vulnerable.
[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. The function nft_trans_gc_catchall did not remove the
catchall set element from the catchall_list when the argument sync is
true, making it possible to free a catchall set element many times.
[Backport]
There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
nf_tables: shrink memory consumption of set elements”). Since its changes
are not relevant to the fix, ignore it and backport the fix commit.
nft_setelem_catchall_remove(): keep the elem->priv line.
nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
`struct nft_elem_priv *elem_priv;` to keep consistent with the argument
type of nft_setelem_data_deactivate(). Modify the
`nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
[Test]
Boot and smoke tested.
[Potential Regression]
Expect low regression potential that's limited to this specific API.
Pablo Neira Ayuso (1):
netfilter: nf_tables: remove catchall element in GC sync path
net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
--
2.34.1
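The mechanism described under [Impact], as an added model written for this page rather than the kernel's nf_tables code or the patch itself: a set keeps catch-all elements on a list, a synchronous GC pass queues expired elements into a batch, and a commit step releases the batch. If the sync pass queues an element without unlinking it from the list, the next sync pass finds and queues it again, so one element is released repeatedly. The names (catchall_elem, gc_batch, gc_catchall_sync, run_gc_scenario) and the three-element set are assumptions of the model; a second release is counted instead of performed so the program stays memory-safe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the bug class in CVE-2023-6111, not kernel code.
 * Elements come from a static pool so nothing here touches malloc/free. */

struct catchall_elem {
    struct catchall_elem *next;
    int id;
    bool expired;   /* eligible for garbage collection */
    bool released;  /* already handed back by a GC commit */
};

#define POOL_SIZE 8
#define GC_BATCH_MAX 16

struct catchall_set {
    struct catchall_elem *head;
    struct catchall_elem pool[POOL_SIZE];
    int used;
};

struct gc_batch {
    struct catchall_elem *elems[GC_BATCH_MAX];
    size_t count;
    int released;         /* first-time releases */
    int double_released;  /* an element released a second time: the bug */
};

struct gc_result {
    int double_released;  /* how many repeat releases happened */
    int remaining;        /* elements still on the list afterwards */
};

static void set_init(struct catchall_set *set)
{
    set->head = NULL;
    set->used = 0;
}

static void set_add(struct catchall_set *set, int id, bool expired)
{
    if (set->used >= POOL_SIZE)
        return;
    struct catchall_elem *e = &set->pool[set->used++];
    e->id = id;
    e->expired = expired;
    e->released = false;
    e->next = set->head;
    set->head = e;
}

/* Unlink an element from the catch-all list: the step the fix adds to the sync path. */
static void set_catchall_remove(struct catchall_set *set, struct catchall_elem *elem)
{
    for (struct catchall_elem **pp = &set->head; *pp; pp = &(*pp)->next) {
        if (*pp == elem) {
            *pp = elem->next;
            elem->next = NULL;
            return;
        }
    }
}

static int set_length(const struct catchall_set *set)
{
    int n = 0;
    for (const struct catchall_elem *e = set->head; e; e = e->next)
        n++;
    return n;
}

static void gc_add(struct gc_batch *gc, struct catchall_elem *elem)
{
    if (gc->count < GC_BATCH_MAX)
        gc->elems[gc->count++] = elem;
}

/* Sync GC pass. With unlink=false (the unfixed behaviour) an expired element
 * stays on the list after being queued, so the next pass queues it again. */
static void gc_catchall_sync(struct catchall_set *set, struct gc_batch *gc, bool unlink)
{
    struct catchall_elem *e = set->head;
    while (e) {
        struct catchall_elem *next = e->next;  /* saved before any unlink */
        if (e->expired) {
            if (unlink)
                set_catchall_remove(set, e);
            gc_add(gc, e);
        }
        e = next;
    }
}

/* Commit: release the batch. A repeat release is counted, not performed. */
static void gc_commit(struct gc_batch *gc)
{
    for (size_t i = 0; i < gc->count; i++) {
        struct catchall_elem *e = gc->elems[i];
        if (e->released) {
            gc->double_released++;
        } else {
            e->released = true;
            gc->released++;
        }
    }
    gc->count = 0;
}

/* Two consecutive sync GC transactions over two expired elements and one live one. */
struct gc_result run_gc_scenario(bool fixed)
{
    struct catchall_set set;
    struct gc_batch gc = {0};
    set_init(&set);
    set_add(&set, 1, true);
    set_add(&set, 2, false);
    set_add(&set, 3, true);
    for (int pass = 0; pass < 2; pass++) {
        gc_catchall_sync(&set, &gc, fixed);
        gc_commit(&gc);
    }
    struct gc_result r = { gc.double_released, set_length(&set) };
    return r;
}

int main(void)
{
    struct gc_result buggy = run_gc_scenario(false);
    struct gc_result fixed = run_gc_scenario(true);
    printf("unfixed: %d repeat releases, %d elements left on list\n",
           buggy.double_released, buggy.remaining);
    printf("fixed:   %d repeat releases, %d elements left on list\n",
           fixed.double_released, fixed.remaining);
    return 0;
}
```

In the unfixed run the two expired elements are released once per pass and stay on the list, which is the reachable-after-free condition the patch closes; in the fixed run they are unlinked during the first sync pass and the second pass sees only the live element.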