ACK: [SRU][M 0/4, J 0/1] CVE-2024-26809

[Tim Gardner]

On 4/12/24 12:49 PM, Bethany Jamison wrote:
> [Impact]
> 
>   In the Linux kernel, the following vulnerability has been resolved:
> 
>   netfilter: nft_set_pipapo: release elements in clone only from destroy path
> 
>   Clone already always provides a current view of the lookup table, use it
>   to destroy the set, otherwise it is possible to destroy elements twice.
> 
>   This fix requires:
> 
>    212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
>   protocol")
> 
>   which came after:
> 
>    9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
>   abort path").
> 
> [Fix]
> 
> Mantic:	Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> 	was already in stable.
> Jammy:	Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use netfilter, specifically pipapo (pile
> packet polices), an issue with this fix would be visable via a
> memory leak or a system crash.
> 
> Florian Westphal (3):
>    netfilter: nft_set_pipapo: store index in scratch maps
>    netfilter: nft_set_pipapo: add helper to release pcpu scratch area
>    netfilter: nft_set_pipapo: remove scratch_aligned pointer
> 
> Pablo Neira Ayuso (1):
>    netfilter: nft_set_pipapo: release elements in clone only from destroy
>      path
> 
>   net/netfilter/nft_set_pipapo.c      | 113 ++++++++++++++--------------
>   net/netfilter/nft_set_pipapo.h      |  18 +++--
>   net/netfilter/nft_set_pipapo_avx2.c |  17 ++---
>   3 files changed, 76 insertions(+), 72 deletions(-)
> 
Acked-by: Tim Gardner <tim.gardner at canonical.com>
-- 
-----------
Tim Gardner
Canonical, Inc