ACK/Cmnt: [SRU Jammy, OEM-6.0, OEM-6.1, Lunar] CVE-2023-4244
Stefan Bader
stefan.bader at canonical.com
Fri Sep 22 09:11:31 UTC 2023
On 16.09.23 02:48, Cengiz Can wrote:
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation. Due to a race
> condition between nf_tables netlink control plane transaction and nft_set
> element garbage collection, it is possible to underflow the reference counter
> causing a use-after-free vulnerability. We recommend upgrading past commit
> 3e91b0ebd994635df2346353322ac51ce84ce6d8.
>
> [Fix]
> This was a mess. First CVE-2023-4563 was announced with no information. Then
> someone pointed out two threads in netdev trees that are possibly fixing the
> issue. Initially 5 commits were included in the fix. Then another one came. Then
> came 7 Fixes commits to those commits. Thus, applying those to our trees was not
> easy.
>
> While I was doing that, CVE-2023-4563 disappeared from CNA websites and
> CVE-2023-4244 was announced. It came with a subset of those fix commits but
> obviously Fixes commits and prerequisites were still needed. So I kept my
> progress and changed my tags to indicate CVE-2023-4244 instead.
>
> These are the Fix commits that I extracted from the merge:
>
> - 24138933b97b ("netfilter: nf_tables: don't skip expired elements during walk")
> - 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
> - f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
> - c92db3030492 ("netfilter: nft_set_hash: mark set element as dead when deleting from packet path")
> - a2dd0233cbc4 ("netfilter: nf_tables: remove busy mark and gc batch API")
> - 23185c6aed1f ("netfilter: nft_dynset: disallow object maps")
>
> These are the Fixes to those fix commits:
>
> - 7845914f45f0 ("netfilter: nf_tables: don't fail inserts if duplicate has expired")
> - 08713cb006b6 ("netfilter: nf_tables: fix kdoc warnings after gc rework")
> - 6a33d8b73dfa ("netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path")
> - 02c6c24402bf ("netfilter: nf_tables: GC transaction race with netns dismantle")
> - 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
> - 8357bc946a2a ("netfilter: nf_tables: use correct lock to protect gc_list")
> - 8e51830e29e1 ("netfilter: nf_tables: defer gc run if previous batch is still pending")
>
> The rest are there to massage those to allow cleaner picks.
>
> [Test case]
> Compile, boot and nftables test suite tested.
>
> This is the testing formula that was used:
>
> ```
> sudo apt update && sudo apt install -y build-essential autoconf libtool bison flex libgmp3-dev libedit-dev pkg-config
>
> git clone --depth=1 git://git.netfilter.org/libmnl
> cd libmnl
> sh autogen.sh
> ./configure
> make -j8
> sudo make install
> cd ~
>
> git clone --depth=1 git://git.netfilter.org/libnftnl
> cd libnftnl
> sh autogen.sh
> ./configure
> make -j8
> sudo make install
> cd ~
>
> git clone --depth=1 git://git.netfilter.org/nftables
> cd nftables
> sh autogen.sh
> ./configure --disable-man-doc
> make -j8
> cd tests/shell/
> ./run_tests.sh
> ```
>
> Test results were always better with the patches, but never 100%.
>
> Lunar:
> unpatched: I: results: [OK] 335 [SKIPPED] 17 [FAILED] 21 [TOTAL] 373
> patched: I: results: [OK] 340 [SKIPPED] 16 [FAILED] 17 [TOTAL] 373
>
> OEM-6.1 (installed to jammy)
> unpatched: I: results: [OK] 204 [SKIPPED] 11 [FAILED] 158 [TOTAL] 373
> patched: I: results: [OK] 209 [SKIPPED] 11 [FAILED] 153 [TOTAL] 373
>
> OEM-6.0 (installed to jammy)
> unpatched: I: results: [OK] 200 [SKIPPED] 11 [FAILED] 162 [TOTAL] 373
> patched: I: results: [OK] 209 [SKIPPED] 11 [FAILED] 153 [TOTAL] 373
>
> Jammy 5.15
> unpatched: I: results: [OK] 202 [SKIPPED] 11 [FAILED] 160 [TOTAL] 373
> patched: I: results: [OK] 207 [SKIPPED] 11 [FAILED] 155 [TOTAL] 373
>
> [Potential regression]
> Medium regression potential. Many of those commits are clean cherry picks but I
> had to adjust and backport 5f68718b34a5 ("netfilter: nf_tables: GC transaction
> API to avoid race with control plane") to anything older than 6.2 because it's
> extremely hard to backport commit f80a612dd77c ("netfilter: nf_tables: add
> support to destroy operation") to older kernels.
>
> Florian Westphal (6):
> netfilter: nf_tables: don't skip expired elements during walk
> netfilter: nft_set_rbtree: fix null deref on element insertion
> netfilter: nft_set_rbtree: fix overlap expiration walk
> netfilter: nf_tables: don't fail inserts if duplicate has expired
> netfilter: nf_tables: fix kdoc warnings after gc rework
> netfilter: nf_tables: defer gc run if previous batch is still pending
>
> Pablo Neira Ayuso (19):
> netfilter: nf_tables: consolidate set description
> netfilter: nf_tables: add function to create set stateful expressions
> netfilter: nf_tables: perform type checking for existing sets
> netfilter: nf_tables: do not set up extensions for end interval
> netfilter: nf_tables: honor set timeout and garbage collection updates
> netfilter: nf_tables: integrate pipapo into commit protocol
> netfilter: nf_tables: validate catch-all set elements
> netfilter: nf_tables: drop map element references from preparation phase
> netfilter: nf_tables: GC transaction API to avoid race with control plane
> netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
> netfilter: nft_set_rbtree: skip elements in transaction from garbage collection
> netfilter: nf_tables: adapt set backend to use GC transaction API
> netfilter: nft_set_hash: mark set element as dead when deleting from packet path
> netfilter: nf_tables: remove busy mark and gc batch API
> netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
> netfilter: nf_tables: GC transaction race with netns dismantle
> netfilter: nf_tables: GC transaction race with abort path
> netfilter: nf_tables: use correct lock to protect gc_list
> netfilter: nft_dynset: disallow object maps
>
> include/net/netfilter/nf_tables.h | 164 +++---
> net/netfilter/nf_tables_api.c | 860 ++++++++++++++++++++++++------
> net/netfilter/nft_dynset.c | 3 +
> net/netfilter/nft_lookup.c | 36 +-
> net/netfilter/nft_set_bitmap.c | 5 +-
> net/netfilter/nft_set_hash.c | 111 ++--
> net/netfilter/nft_set_pipapo.c | 138 +++--
> net/netfilter/nft_set_rbtree.c | 466 ++++++++++------
> 8 files changed, 1249 insertions(+), 534 deletions(-)
>
This will also be a challenge when applying. I hope saving somehow
maintains relative order... Generally I think with complicated things
like this I would make the OEM kernels a separate submission. Mainly
because they usually do not get upstream stable patches and thus have a
good chance to be radically different than the distro kernels.
Acked-by: Stefan Bader <stefan.bader at canonical.com>
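The race described in the [Impact] section, and the two pieces of the fix that close it (the dead bit that c92db3030492 sets on elements taken off the packet path, and the gc_seq check that the GC transaction API from 5f68718b34a5 performs under commit_mutex before releasing a batch), as an added userspace model. This is constructed for this page: it is not kernel code, not part of the submission above, and every struct, field and function name in it (elem, nft_net, gc_batch, gc_walk, gc_work_done, ctrl_commit, run_scenario) is a simplification chosen here, not the kernel's own API. The interleaving is fixed and single-threaded so the outcome is deterministic: a transaction deactivates an element, the asynchronous GC walk queues that same (expired) element, the transaction commits and frees it, and then the GC worker tries to release its batch. Without the sequence check the worker drops a reference on memory that is already freed; with it the stale batch is discarded, and the next walk re-collects the elements that were only marked dead.

```c
/*
 * Constructed model of the nf_tables GC-vs-control-plane race (not kernel code).
 * "Legacy" = no dead bit, no gc_seq check; "hardened" = both, as in the fix series.
 */
#include <stdbool.h>
#include <stdio.h>

#define NELEM 4

struct elem {
    int  key;
    bool expired;   /* timeout already passed: a GC candidate */
    bool in_trans;  /* deactivated by a pending control-plane transaction */
    bool dead;      /* models NFT_SET_ELEM_DEAD_BIT (hardened mode only) */
    bool freed;     /* models kfree(); any later refcount touch is a UAF */
    bool in_set;
    int  refs;      /* models the element's reference count */
};

struct nft_net {
    unsigned int gc_seq;      /* bumped by every control-plane commit */
    struct elem set[NELEM];
};

struct gc_batch {
    unsigned int seq;         /* gc_seq sampled when the walk started */
    struct elem *elems[NELEM];
    int count;
};

struct outcome {
    int  refs_after;  /* final refcount of the element both paths raced on */
    bool uaf;         /* refcount touched after the element was freed */
    bool leaked;      /* an expired element that nobody deleted was never freed */
};

/* Drop one reference; free at zero. Touching a freed element is the bug. */
static void elem_put(struct elem *e, bool *uaf)
{
    if (e->freed)
        *uaf = true;
    if (--e->refs == 0) {
        e->freed = true;
        e->in_set = false;
    }
}

/* Async GC walk: runs without commit_mutex, so it can interleave with a transaction. */
static void gc_walk(struct nft_net *net, struct gc_batch *b, bool hardened)
{
    b->seq = net->gc_seq;
    b->count = 0;
    for (int i = 0; i < NELEM; i++) {
        struct elem *e = &net->set[i];
        if (!e->in_set)
            continue;
        if (hardened && e->dead) {
            b->elems[b->count++] = e;   /* left over from a discarded batch: queue again */
            continue;
        }
        if (!e->expired)
            continue;
        if (hardened)
            e->dead = true;             /* claim it so no other path collects it */
        b->elems[b->count++] = e;
    }
}

/* GC worker with commit_mutex held: release the batch, or discard it on a seq change. */
static bool gc_work_done(struct nft_net *net, struct gc_batch *b, bool hardened, bool *uaf)
{
    if (hardened && net->gc_seq != b->seq)
        return false;                   /* a transaction ran since the walk: stale pointers */
    for (int i = 0; i < b->count; i++)
        elem_put(b->elems[i], uaf);
    return true;
}

/* Control plane, preparation phase (commit_mutex held): deactivate the element. */
static void ctrl_delete_prepare(struct elem *e) { e->in_trans = true; }

/* Control plane, commit phase: bump gc_seq, then release the transaction's elements. */
static void ctrl_commit(struct nft_net *net, bool *uaf)
{
    net->gc_seq++;
    for (int i = 0; i < NELEM; i++) {
        struct elem *e = &net->set[i];
        if (e->in_trans) {
            e->in_trans = false;
            elem_put(e, uaf);
        }
    }
}

struct outcome run_scenario(bool hardened)
{
    struct nft_net net = { .gc_seq = 1 };
    struct gc_batch batch;
    struct outcome out = { 0 };

    for (int i = 0; i < NELEM; i++)
        net.set[i] = (struct elem){ .key = i, .refs = 1, .in_set = true };
    net.set[1].expired = true;   /* expired, nobody deleting it */
    net.set[2].expired = true;   /* expired AND being deleted from the control plane */

    ctrl_delete_prepare(&net.set[2]);          /* 1. transaction prepared for key 2 */
    gc_walk(&net, &batch, hardened);           /* 2. async GC queues keys 1 and 2 */
    ctrl_commit(&net, &out.uaf);               /* 3. commit frees key 2, bumps gc_seq */
    gc_work_done(&net, &batch, hardened, &out.uaf); /* 4. worker releases or discards */
    gc_walk(&net, &batch, hardened);           /* 5. next run, no transaction in between */
    gc_work_done(&net, &batch, hardened, &out.uaf);

    out.refs_after = net.set[2].refs;
    out.leaked = !net.set[1].freed;
    return out;
}

int main(void)
{
    for (int h = 0; h < 2; h++) {
        struct outcome o = run_scenario(h);
        printf("%s: refs=%d uaf=%d leaked=%d\n", h ? "hardened" : "legacy",
               o.refs_after, o.uaf, o.leaked);
    }
    return 0;
}
```

In legacy mode the worker's second put lands on the freed element and drives its refcount to -1, the underflow the advisory text describes. In hardened mode the batch is dropped because gc_seq moved from 1 to 2, key 2 is freed exactly once by the commit, and key 1 (only marked dead) is freed by the following GC run, so discarding a batch costs nothing but a delay.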