[SRU Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/1] CVE-2023-3610

Cengiz Can cengiz.can at canonical.com
Sat Jul 22 20:43:35 UTC 2023

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation. A flaw in the
error handling of bound chains causes a use-after-free in the abort path of
NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

Commits picked from either stable or upstream. The ones that are marked as
backports only differ in contexts, specifically in nf_tables.h.

[Test case]
Tested with the test suites that ship with the following repositories:

- git://git.netfilter.org/iptables
- git://git.netfilter.org/nftables

Test results:

- iptables/tests/run_tests.sh produced the exact same results with or without the
- nftables/tests/shell/run_tests.sh produced similar results with or without the
patch. (kinetic produces 1 fewer Failure with the patch).

[Potential regression]
All users who use netfilter rules might be affected.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: fix chain binding transaction logic

 include/net/netfilter/nf_tables.h | 21 +++++++-
 net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
 net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
 3 files changed, 153 insertions(+), 41 deletions(-)
