ACK/Cmnt: [SRU][M 0/4, J 0/1] CVE-2024-26809

Andrei Gherzan andrei.gherzan at canonical.com
Mon Apr 15 10:51:16 UTC 2024


On 24/04/12 01:49PM, Bethany Jamison wrote:
> [Impact]
> 
>  In the Linux kernel, the following vulnerability has been resolved:
> 
>  netfilter: nft_set_pipapo: release elements in clone only from destroy path
> 
>  Clone already always provides a current view of the lookup table, use it
>  to destroy the set, otherwise it is possible to destroy elements twice.
> 
>  This fix requires:
> 
>   212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>  protocol")
> 
>  which came after:
> 
>   9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>  abort path").
> 
> [Fix]
> 
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.

For the benefit of other reviewers, the prerequisite three commits of
the 9827a0e6e23b fix in Jammy are already included in the repository.

> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies); an issue with this fix would be visible via a
> memory leak or a system crash.
> 
> Florian Westphal (3):
>   netfilter: nft_set_pipapo: store index in scratch maps
>   netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>   netfilter: nft_set_pipapo: remove scratch_aligned pointer
> 
> Pablo Neira Ayuso (1):
>   netfilter: nft_set_pipapo: release elements in clone only from destroy
>     path
> 
>  net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>  net/netfilter/nft_set_pipapo.h      |  18 +++--
>  net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>  3 files changed, 76 insertions(+), 72 deletions(-)

Acked-by: Andrei Gherzan <andrei.gherzan at canonical.com>

-- 
Andrei Gherzan