ACK: [SRU][M 0/4, J 0/1] CVE-2024-26809
Tim Gardner
tim.gardner at canonical.com
Mon Apr 22 13:18:48 UTC 2024
On 4/12/24 12:49 PM, Bethany Jamison wrote:
> [Impact]
>
> In the Linux kernel, the following vulnerability has been resolved:
>
> netfilter: nft_set_pipapo: release elements in clone only from destroy path
>
> Clone already always provides a current view of the lookup table, use it
> to destroy the set, otherwise it is possible to destroy elements twice.
>
> This fix requires:
>
> 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit
> protocol")
>
> which came after:
>
> 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from
> abort path").
>
> [Fix]
>
> Mantic: Fix and prereq commits cherry-picked cleanly. Commit 212ed75dc5fb
> was already in stable.
> Jammy: Clean cherry-pick. Commit 212ed75dc5fb was already in stable.
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use netfilter, specifically pipapo (pile
> packet policies); an issue with this fix would be visible via a
> memory leak or a system crash.
>
> Florian Westphal (3):
> netfilter: nft_set_pipapo: store index in scratch maps
> netfilter: nft_set_pipapo: add helper to release pcpu scratch area
> netfilter: nft_set_pipapo: remove scratch_aligned pointer
>
> Pablo Neira Ayuso (1):
> netfilter: nft_set_pipapo: release elements in clone only from destroy
> path
>
> net/netfilter/nft_set_pipapo.c | 113 ++++++++++++++--------------
> net/netfilter/nft_set_pipapo.h | 18 +++--
> net/netfilter/nft_set_pipapo_avx2.c | 17 ++---
> 3 files changed, 76 insertions(+), 72 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc