ACK: [SRU][Jammy/Mantic][PATCH 0/1] CVE-2023-6111

Stefan Bader stefan.bader at canonical.com
Thu Dec 14 14:01:49 UTC 2023 

On 05.12.23 21:51, Yuxuan Luo wrote:
> This patch has already been sent for OEM-6.1. However, since the break
> commit has been backported to upstream stable, Jammy and Mantic are now
> vulnerable.
> 
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
> 
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
> 
> nft_setelem_catchall_remove(): keep the elem->priv line.
> 
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
> 
> [Test]
> Boot and smoke tested.
> 
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: remove catchall element in GC sync path
> 
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
> 

Acked-by: Stefan Bader <stefan.bader at canonical.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231214/c5323b54/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20231214/c5323b54/attachment-0001.sig>

More information about the kernel-team mailing list