UNAPPLIED Re: [SRU][OEM-6.1][PATCH 0/1] CVE-2023-6111
Timo Aaltonen
tjaalton at ubuntu.com
Mon Nov 20 08:42:33 UTC 2023
Yuxuan Luo wrote on 16.11.2023 at 23.35:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: remove catchall element in GC sync path”). Since its changes
> are not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Boot and smoke tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: remove catchall element in GC sync path
>
> net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
> 1 file changed, 17 insertions(+), 5 deletions(-)
>
/build/jammy/net/netfilter/nf_tables_api.c: In function 'nft_trans_gc_catchall':
/build/jammy/net/netfilter/nf_tables_api.c:9301:71: error: passing argument 3 of 'nft_setelem_data_deactivate' from incompatible pointer type [-Werror=incompatible-pointer-types]
 9301 |                         nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
      |                                                                       ^~~~~~~~~
      |                                                                       |
      |                                                                       struct nft_elem_priv *
/build/jammy/net/netfilter/nf_tables_api.c:6710:55: note: expected 'struct nft_set_elem *' but argument is of type 'struct nft_elem_priv *'
 6710 |                                  struct nft_set_elem *elem)
      |                                  ~~~~~~~~~~~~~~~~~~~~~^~~~
Also, now that I had a closer look at the patch, your note about the
prerequisite commit is wrong: the sha is probably right, but the shortlog
is the same as for this patch. I assume you meant "netfilter: nf_tables:
shrink memory consumption of set elements"?
--
t
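The double-free pattern described in the cover letter above (an expired catchall element handed to the GC free batch on the sync path without being removed from the list, so a later pass frees it again), modelled as an added C example. This is not the kernel's code nor the patch under review: the `elem`, `gc_batch`, `gc_catchall_buggy`, `gc_catchall_fixed` and `queued_times` names and the three-element list are hypothetical simplifications constructed for illustration. The buggy variant queues the same element on every pass; the fixed variant unlinks it first, so it reaches the free batch exactly once.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical toy model of a "catchall list" garbage collector.
 * None of these names are the kernel's; they stand in for the
 * catchall_list, the elements on it and the GC batch that collects
 * elements to be freed once the pass is over. */
struct elem {
    struct elem *next;   /* singly linked list of catchall elements */
    bool expired;        /* element is due for collection */
    int id;
};

#define GC_BATCH_MAX 8
struct gc_batch {
    struct elem *items[GC_BATCH_MAX]; /* pointers freed after the pass */
    size_t count;
};

static void gc_queue(struct gc_batch *gc, struct elem *e)
{
    if (gc->count < GC_BATCH_MAX)
        gc->items[gc->count++] = e;
}

/* Buggy variant: on the sync path an expired element is handed to the
 * free batch but stays linked on the list, so the next pass finds the
 * same element again and queues a second free of it. */
static void gc_catchall_buggy(struct elem **head, bool sync, struct gc_batch *gc)
{
    for (struct elem *e = *head; e; e = e->next) {
        if (!e->expired)
            continue;
        if (!sync)
            continue;        /* async path: left for a later pass in this model */
        gc_queue(gc, e);     /* BUG: element is still reachable via *head */
    }
}

/* Fixed variant: unlink the element before queueing it, so only one
 * free can ever be issued for it. */
static void gc_catchall_fixed(struct elem **head, bool sync, struct gc_batch *gc)
{
    struct elem **pp = head;
    while (*pp) {
        struct elem *e = *pp;
        if (!e->expired || !sync) {
            pp = &e->next;
            continue;
        }
        *pp = e->next;       /* remove from the list first */
        e->next = NULL;
        gc_queue(gc, e);
    }
}

/* Run two synchronous GC passes over a constructed three-element list
 * (ids 0, 1, 2; only id 1 expired) and return how many times the element
 * with target_id was queued for freeing. A result above 1 means the
 * element would be freed more than once. */
size_t queued_times(bool fixed, int target_id)
{
    struct elem c = { NULL, false, 2 };
    struct elem b = { &c,   true,  1 };
    struct elem a = { &b,   false, 0 };
    struct elem *head = &a;
    struct gc_batch gc = { {0}, 0 };

    for (int pass = 0; pass < 2; pass++) {
        if (fixed)
            gc_catchall_fixed(&head, true, &gc);
        else
            gc_catchall_buggy(&head, true, &gc);
    }

    size_t n = 0;
    for (size_t i = 0; i < gc.count; i++)
        if (gc.items[i]->id == target_id)
            n++;
    return n;
}

int main(void)
{
    printf("buggy: element 1 queued %zu times\n", queued_times(false, 1));
    printf("fixed: element 1 queued %zu times\n", queued_times(true, 1));
    return 0;
}
```

The model counts queue entries instead of calling free() twice, so it shows the defect without invoking undefined behaviour; in the real code the second free is what turns this into the use-after-free the advisory describes.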