ACK: [SRU][Jammy/Mantic][PATCH 0/1] CVE-2023-6111
Manuel Diewald
manuel.diewald at canonical.com
Wed Dec 6 11:56:17 UTC 2023
On Tue, Dec 05, 2023 at 03:51:11PM -0500, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: remove catchall element in GC sync path
>
> net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
> 1 file changed, 17 insertions(+), 5 deletions(-)
>
> --
> 2.34.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
Acked-by: Manuel Diewald <manuel.diewald at canonical.com>
--
Manuel
More information about the kernel-team
mailing list