[SRU Jammy/OEM-5.17/Kinetic/OEM-6.0/Lunar 0/1] CVE-2023-3610

Cengiz Can cengiz.can at canonical.com
Sat Jul 22 20:43:35 UTC 2023


[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation. A flaw in the
error handling of bound chains causes a use-after-free in the abort path of
NFT_MSG_NEWRULE. The vulnerability requires CAP_NET_ADMIN to be triggered. We
recommend upgrading past commit 4bedf9eee016286c835e3d8fa981ddece5338795.

[Fix]
Commits picked from either stable or upstream. The ones that are marked as
backports only differ in contexts, specifically in nf_tables.h.

[Test case]
Tested with the test suites that ship with the following repositories:

- git://git.netfilter.org/iptables
- git://git.netfilter.org/nftables

Test results:

- iptables/tests/run_tests.sh produced the exact same results with or without
the patch.
- nftables/tests/shell/run_tests.sh produced similar results with or without the
patch. (kinetic produces 1 fewer Failure with the patch).

[Potential regression]
All users who use netfilter rules might be affected.

Pablo Neira Ayuso (1):
  netfilter: nf_tables: fix chain binding transaction logic

 include/net/netfilter/nf_tables.h | 21 +++++++-
 net/netfilter/nf_tables_api.c     | 86 +++++++++++++++++++-----------
 net/netfilter/nft_immediate.c     | 87 +++++++++++++++++++++++++++----
 3 files changed, 153 insertions(+), 41 deletions(-)

-- 
2.39.2