[SRU Bionic v2 0/8] CVE-2023-32233

Thadeu Lima de Souza Cascardo cascardo at canonical.com
Fri May 19 19:44:00 UTC 2023


[Impact]
On systems where user namespaces can be created by unprivileged users,
which is the default configuration on Ubuntu, unprivileged users can
trigger a use-after-free vulnerability on netfilter. This could be used to
crash the system or elevate privileges.
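The precondition named above (unprivileged users being able to create user namespaces) is something an administrator can check and, until the fixed kernel is installed, switch off. The script below is an added example, not part of this SRU series or of the Ubuntu kernel tree. It assumes the Ubuntu sysctl kernel.unprivileged_userns_clone (read from /proc/sys/kernel/unprivileged_userns_clone) and the mainline sysctl user.max_user_namespaces (/proc/sys/user/max_user_namespaces); both paths are parameters so the logic can be run against constructed files.

```shell
#!/bin/sh
# Added example for the [Impact] paragraph; it is not part of the SRU series
# or of the Ubuntu kernel. It checks the precondition the cover letter names:
# can unprivileged users create user namespaces on this host?
#
# Assumptions (not taken from the cover letter):
#   - Ubuntu kernels carry the sysctl kernel.unprivileged_userns_clone, read from
#     /proc/sys/kernel/unprivileged_userns_clone (1 = anyone, 0 = privileged only).
#   - Mainline kernels expose user.max_user_namespaces at
#     /proc/sys/user/max_user_namespaces; 0 forbids creating new user namespaces.
# Both paths are parameters so the logic can be exercised on constructed files.

DEFAULT_CLONE_KNOB=/proc/sys/kernel/unprivileged_userns_clone
DEFAULT_MAX_KNOB=/proc/sys/user/max_user_namespaces

# read_knob FILE: print the file's content with whitespace stripped, or nothing
# if the file is absent or unreadable. Always succeeds so callers run under set -e.
read_knob() {
    if [ -r "$1" ]; then
        tr -d '[:space:]' < "$1"
    fi
    return 0
}

# userns_state [CLONE_KNOB] [MAX_KNOB]
# Prints exactly one word:
#   denied   - unprivileged user namespace creation is switched off by either knob
#   allowed  - creation is permitted, so the precondition for CVE-2023-32233 holds
#   unknown  - user.max_user_namespaces could not be read; no conclusion is drawn
# An absent kernel.unprivileged_userns_clone knob counts as "allowed": mainline
# kernels have no such switch and permit creation by default.
userns_state() {
    clone=$(read_knob "${1:-$DEFAULT_CLONE_KNOB}")
    max=$(read_knob "${2:-$DEFAULT_MAX_KNOB}")
    if [ "$clone" = 0 ] || [ "$max" = 0 ]; then
        echo denied
    elif [ -z "$max" ]; then
        echo unknown
    else
        echo allowed
    fi
    return 0
}

# mitigation_for STATE: the administrative action to take until the fixed kernel
# is booted; prints nothing when none is needed.
mitigation_for() {
    case "$1" in
        allowed) echo "sysctl -w kernel.unprivileged_userns_clone=0" ;;
        unknown) echo "inspect $DEFAULT_MAX_KNOB manually" ;;
        *) ;;
    esac
    return 0
}

# When run directly, report the live system.
state=$(userns_state)
echo "unprivileged user namespace creation: $state"
hint=$(mitigation_for "$state")
if [ -n "$hint" ]; then
    echo "interim mitigation: $hint"
fi
```

Setting the sysctl to 0 is a blunt instrument: it also breaks rootless containers and browser sandboxes that rely on unprivileged user namespaces, so it is an interim measure until the patched kernel is installed and rebooted, not a replacement for the fix.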

[Test case]
A reproducer that causes an oops under slub_debug=FZP was tested and the fix
has been shown to prevent it.

[Backport]
This differs from the previous version, which was based on a stable submission by
the upstream maintainer that had not yet been applied to linux-4.14.y at that point.

Picking 408070d6ee3490da63430bc8ce13348cf2eb47ea ("netfilter: nf_tables: add
nft_set_is_anonymous() helper") allowed most of the following commits to be
cherry-picked cleanly from their original upstream SHA1.

8ffcd32f64633926163cdd07a7d295c500a947d1 ("netfilter: nf_tables: bogus EBUSY in
helper removal from transaction") was a missing commit and a reproducer was
created to test that it was indeed necessary.

Commit 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13 ("netfilter: nf_tables: fix set
double-free in abort path") was another missing commit, but put together with
6a0a8d10a3661a036b55af695542a714c429ab7c ("netfilter: nf_tables: use-after-free
in failing rule with bound set"), it ended up almost the same as the
linux-4.14.y backport of the latter, with a single line change at
nf_tables_abort_release, which is now closer to the upstream version.

[Potential impact]
netfilter users may find regressions when manipulating nftables.

Florian Westphal (1):
  netfilter: nf_tables: split set destruction in deactivate and destroy
    phase

Pablo Neira Ayuso (7):
  netfilter: nf_tables: add nft_set_is_anonymous() helper
  netfilter: nf_tables: unbind set in rule from commit path
  netfilter: nf_tables: bogus EBUSY in helper removal from transaction
  netfilter: nf_tables: fix set double-free in abort path
  netfilter: nf_tables: bogus EBUSY when deleting set after flush
  netfilter: nf_tables: use-after-free in failing rule with bound set
  netfilter: nf_tables: deactivate anonymous set from preparation phase

 include/net/netfilter/nf_tables.h |  35 +++++++-
 net/netfilter/nf_tables_api.c     | 143 +++++++++++++++++++++---------
 net/netfilter/nft_dynset.c        |  24 ++++-
 net/netfilter/nft_immediate.c     |   6 +-
 net/netfilter/nft_lookup.c        |  21 ++++-
 net/netfilter/nft_objref.c        |  40 ++++++++-
 6 files changed, 216 insertions(+), 53 deletions(-)

-- 
2.34.1