[SRU Jammy, OEM-6.0, OEM-6.1, Lunar] CVE-2023-4244
Cengiz Can
cengiz.can at canonical.com
Sat Sep 16 00:48:10 UTC 2023
[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
component can be exploited to achieve local privilege escalation. Due to a race
condition between nf_tables netlink control plane transaction and nft_set
element garbage collection, it is possible to underflow the reference counter
causing a use-after-free vulnerability. We recommend upgrading past commit
3e91b0ebd994635df2346353322ac51ce84ce6d8.
[Fix]
This was a mess. First CVE-2023-4563 was announced with no information. Then
someone pointed out to two threads in netdev trees that are possibly fixing the
issue. Initially 5 commits were included in the fix. Then another one came. Then
came 7 Fixes commits to those commits. Thus, applying those to our trees was not
easy.
While I was doing that, CVE-2023-4563 disappaered from CNA websites and
CVE-2023-4244 was announced. It came with a subset of those fix commits but
obviously Fixes commits and prerequisites were still needed. So I kept my
progress and changed my tags to indicate CVE-2023-4244 instead.
These are the Fix commits that I extracted from merge:
- 24138933b97b ("netfilter: nf_tables: don't skip expired elements during walk")
- 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
- f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
- c92db3030492 ("netfilter: nft_set_hash: mark set element as dead when deleting from packet path")
- a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API")
- 23185c6aed1f ("netfilter: nft_dynset: disallow object maps")
These are the Fixes to those fix commits:
- 7845914f45f0 ("netfilter: nf_tables: don't fail inserts if duplicate has expired")
- 08713cb006b6 ("netfilter: nf_tables: fix kdoc warnings after gc rework")
- 6a33d8b73dfa ("netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path")
- 02c6c24402bf ("netfilter: nf_tables: GC transaction race with netns dismantle")
- 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
- 8357bc946a2a ("netfilter: nf_tables: use correct lock to protect gc_list")
- 8e51830e29e1 ("netfilter: nf_tables: defer gc run if previous batch is still pending")
The rest are there to massage those to allow cleaner picks.
[Test case]
Compile, boot and nftables test suite tested.
This is the testing formula that was used:
```
sudo apt update && sudo apt install -y build-essential autoconf libtool bison flex libgmp3-dev libedit-dev pkg-config
git clone --depth=1 git://git.netfilter.org/libmnl
cd libmnl
sh autogen.sh
./configure
make -j8
sudo make install
cd ~
git clone --depth=1 git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make -j8
sudo make install
cd ~
git clone --depth=1 git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure --disable-man-doc
make -j8
cd tests/shell/
./run_tests.sh
```
Test results were always better with the patches, but never 100%.
Lunar:
unpatched: I: results: [OK] 335 [SKIPPED] 17 [FAILED] 21 [TOTAL] 373
patched: I: results: [OK] 340 [SKIPPED] 16 [FAILED] 17 [TOTAL] 373
OEM-6.1 (installed to jammy)
unpatched: I: results: [OK] 204 [SKIPPED] 11 [FAILED] 158 [TOTAL] 373
patched: I: results: [OK] 209 [SKIPPED] 11 [FAILED] 153 [TOTAL] 373
OEM-6.0 (installed to jammy)
unpatched: I: results: [OK] 200 [SKIPPED] 11 [FAILED] 162 [TOTAL] 373
patched: I: results: [OK] 209 [SKIPPED] 11 [FAILED] 153 [TOTAL] 373
Jammy 5.15
unpatched: I: results: [OK] 202 [SKIPPED] 11 [FAILED] 160 [TOTAL] 373
patched: I: results: [OK] 207 [SKIPPED] 11 [FAILED] 155 [TOTAL] 373
[Potential regression]
Medium regression potential. Many of those commits are clean cherry picks but I
had to adjust and backport 5f68718b34a5 ("netfilter: nf_tables: GC transaction
API to avoid race with control plane") to anything older than 6.2 because it's
extremely hard to backport commit f80a612dd77c ("netfilter: nf_tables: add
support to destroy operation") to older kernels.
Florian Westphal (6):
netfilter: nf_tables: don't skip expired elements during walk
netfilter: nft_set_rbtree: fix null deref on element insertion
netfilter: nft_set_rbtree: fix overlap expiration walk
netfilter: nf_tables: don't fail inserts if duplicate has expired
netfilter: nf_tables: fix kdoc warnings after gc rework
netfilter: nf_tables: defer gc run if previous batch is still pending
Pablo Neira Ayuso (19):
netfilter: nf_tables: consolidate set description
netfilter: nf_tables: add function to create set stateful expressions
netfilter: nf_tables: perform type checking for existing sets
netfilter: nf_tables: do not set up extensions for end interval
netfilter: nf_tables: honor set timeout and garbage collection updates
netfilter: nf_tables: integrate pipapo into commit protocol
netfilter: nf_tables: validate catch-all set elements
netfilter: nf_tables: drop map element references from preparation
phase
netfilter: nf_tables: GC transaction API to avoid race with control
plane
netfilter: nft_set_rbtree: Switch to node list walk for overlap
detection
netfilter: nft_set_rbtree: skip elements in transaction from garbage
collection
netfilter: nf_tables: adapt set backend to use GC transaction API
netfilter: nft_set_hash: mark set element as dead when deleting from
packet path
netfilter: nf_tables: remove busy mark and gc batch API
netfilter: nf_tables: fix GC transaction races with netns and netlink
event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nf_tables: GC transaction race with abort path
netfilter: nf_tables: use correct lock to protect gc_list
netfilter: nft_dynset: disallow object maps
include/net/netfilter/nf_tables.h | 164 +++---
net/netfilter/nf_tables_api.c | 860 ++++++++++++++++++++++++------
net/netfilter/nft_dynset.c | 3 +
net/netfilter/nft_lookup.c | 36 +-
net/netfilter/nft_set_bitmap.c | 5 +-
net/netfilter/nft_set_hash.c | 111 ++--
net/netfilter/nft_set_pipapo.c | 138 +++--
net/netfilter/nft_set_rbtree.c | 466 ++++++++++------
8 files changed, 1249 insertions(+), 534 deletions(-)
--
2.39.2
More information about the kernel-team
mailing list