[SRU Bionic 0/5] CVE-2023-32233

Andrei Gherzan andrei.gherzan at canonical.com
Wed May 17 11:16:32 UTC 2023


On 23/05/17 09:18AM, Stefan Bader wrote:
> On 16.05.23 15:53, Thadeu Lima de Souza Cascardo wrote:
> > [Impact]
> > On systems where user namespaces can be created by unprivileged users,
> > which is the default configuration on Ubuntu, unprivileged users can
> > trigger a use-after-free vulnerability on netfilter. This could be used to
> > crash the system or elevate privileges.
> > 
> > [Test case]
> > A reproducer that causes an oops under slub_debug=FZP was tested and the fix
> > has been shown to prevent it.
> > 
> > [Backport]
> > Picked patches submitted by the maintainer to 4.14 tree.
> > 
> > [Potential impact]
> > netfilter users may find regressions when manipulating nftables.
> > 
> > Florian Westphal (1):
> >    netfilter: nf_tables: split set destruction in deactivate and destroy
> >      phase
> > 
> > Pablo Neira Ayuso (4):
> >    netfilter: nf_tables: unbind set in rule from commit path
> >    netfilter: nf_tables: use-after-free in failing rule with bound set
> >    netfilter: nf_tables: bogus EBUSY when deleting set after flush
> >    netfilter: nf_tables: deactivate anonymous set from preparation phase
> > 
> >   include/net/netfilter/nf_tables.h |  30 ++++++-
> >   net/netfilter/nf_tables_api.c     | 139 +++++++++++++++++++++---------
> >   net/netfilter/nft_dynset.c        |  22 ++++-
> >   net/netfilter/nft_immediate.c     |   6 +-
> >   net/netfilter/nft_lookup.c        |  21 ++++-
> >   net/netfilter/nft_objref.c        |  21 ++++-
> >   6 files changed, 193 insertions(+), 46 deletions(-)
> > 
> 
> All patches seem to miss the cherry pick/backport line. As we probably also
> should start handling bionic like ESM, maybe this should be re-submitted
> with fixed provenance to the ESM list. Not NACKing straight to leave the
> option for alternatives.

I had the same question for Thadeu, as I needed to understand his cover
letter details. The idea is that the patches are from a maintainer
submission against 4.14 that were picked by Thadeu for our 4.15. So
these are not cherry-picked/backported per se, hence not having the
specific footer.

The only change that Thadeu made was to adapt the maintainer's
"[backport for 4.14 of SHA1]" line to match the autotriage format:
"[Upstream commit SHA1]".

-- 
Andrei Gherzan
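The provenance check that the two replies above are discussing (every patch in an SRU series carrying a line that ties it to an upstream commit), as an added example that is not part of this thread and is not the Ubuntu kernel-team's own tooling. The thread only names the "[Upstream commit SHA1]" form and a generic "cherry pick/backport line"; the exact spellings "(cherry picked from commit ...)", "(backported from commit ...)" and "[backport for X.Y of SHA1]" used below are assumptions, and the mbox series is constructed sample input with placeholder hashes, not the patches under review.

```python
"""Audit an mbox-style patch series for provenance trailers.

Example code added to this thread, not kernel-team tooling.  The trailer
wordings are assumptions (see the lead-in); adjust TRAILERS to taste.
"""
import re
from typing import Dict, List, Optional

SHA = r"([0-9a-f]{12,40})"

# Trailer kinds, in the order they are tried.  Each regex captures the SHA.
TRAILERS: Dict[str, "re.Pattern[str]"] = {
    "cherry-pick":     re.compile(r"^\(cherry picked from commit " + SHA + r"\)$", re.M),
    "backport":        re.compile(r"^\(backported from commit " + SHA + r"\)$", re.M),
    "upstream-commit": re.compile(r"^\[\s*Upstream commit " + SHA + r"\s*\]$", re.M),
    # Assumed shape of the maintainer's stable-tree line quoted in the thread.
    "stable-backport": re.compile(r"^\[backport for [0-9.]+ of " + SHA + r"\]$", re.M),
}


def split_series(mbox: str) -> List[str]:
    """Split mbox text into patches at the 'From <40-hex> <date>' separator."""
    parts = re.split(r"^(?=From [0-9a-f]{40} )", mbox, flags=re.M)
    return [p for p in parts if p.strip()]


def commit_message(patch: str) -> str:
    """Headers plus body, i.e. everything before the '---' diffstat separator."""
    body, _, _ = patch.partition("\n---\n")
    return body


def subject(patch: str) -> str:
    """Subject line with the '[PATCH n/m]' prefix stripped."""
    m = re.search(r"^Subject: (.*)$", patch, re.M)
    return re.sub(r"^\[PATCH[^\]]*\]\s*", "", m.group(1)) if m else "(no subject)"


def provenance(patch: str) -> Dict[str, Optional[str]]:
    """Classify one patch: which trailer kind it carries (or None) and the SHA."""
    msg = commit_message(patch)          # never match SHAs inside the diff itself
    for kind, rx in TRAILERS.items():
        m = rx.search(msg)
        if m:
            return {"subject": subject(patch), "kind": kind, "sha": m.group(1)}
    return {"subject": subject(patch), "kind": None, "sha": None}


def audit(mbox: str) -> List[Dict[str, Optional[str]]]:
    return [provenance(p) for p in split_series(mbox)]


def missing_provenance(mbox: str) -> List[str]:
    """Subjects of patches with no recognised trailer: what a reviewer would flag."""
    return [r["subject"] for r in audit(mbox) if r["kind"] is None]


def normalize_stable_trailer(mbox: str) -> str:
    """Rewrite '[backport for X.Y of SHA]' to '[Upstream commit SHA]', the one
    adaptation described in the thread, leaving all other patches untouched."""
    return TRAILERS["stable-backport"].sub(r"[Upstream commit \1]", mbox)


# Constructed sample series (placeholder hashes, not real commits).
SHA_A = "0123456789abcdef0123456789abcdef01234567"
SHA_B = "89abcdef0123456789abcdef0123456789abcdef"
SAMPLE_SERIES = f"""From {'0' * 40} Mon Sep 17 00:00:00 2001
From: Example Dev <dev at example.com>
Subject: [PATCH 1/3] example: patch with a cherry-pick trailer

Body of the first patch.

(cherry picked from commit {SHA_A})
Signed-off-by: Example Dev <dev at example.com>
---
 a.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/a.c b/a.c
From {'1' * 40} Mon Sep 17 00:00:00 2001
From: Example Dev <dev at example.com>
Subject: [PATCH 2/3] example: patch with the maintainer's stable-tree line

[backport for 4.14 of {SHA_B}]
Signed-off-by: Example Dev <dev at example.com>
---
 b.c | 1 +

diff --git a/b.c b/b.c
From {'2' * 40} Mon Sep 17 00:00:00 2001
From: Example Dev <dev at example.com>
Subject: [PATCH 3/3] example: patch with no provenance at all

Signed-off-by: Example Dev <dev at example.com>
---
 c.c | 1 +

diff --git a/c.c b/c.c
"""

if __name__ == "__main__":
    for r in audit(normalize_stable_trailer(SAMPLE_SERIES)):
        print(f"{r['kind'] or 'MISSING':16} {r['sha'] or '-':40} {r['subject']}")
```

The search is deliberately restricted to the commit message so a 40-hex string inside the diff (an index line, a SHA in added source) can never count as provenance; the third patch is what Stefan's "seem to miss the cherry pick/backport line" comment would flag.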
