[SRU Lunar 0/1] CVE-2023-6111
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Fri Jan 5 02:16:06 UTC 2024
Reusing previous submission from Yuxuan Luo.
[Impact]
A use-after-free vulnerability in the Linux kernel's netfilter:
nf_tables component can be exploited to achieve local privilege
escalation. The function nft_trans_gc_catchall did not remove the
catchall set element from the catchall_list when the argument sync is
true, making it possible to free a catchall set element many times.
[Backport]
There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
nf_tables: shrink memory consumption of set elements”). Since its changes
is not relevant to the fix, ignore it and backport the fix commit.
nft_setelem_catchall_remove(): keep the elem->priv line.
nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
`struct nft_elem_priv *elem_priv;` to keep consistent with the argument
type of nft_setelem_data_deactivate(). Modify the
`nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
[Test]
Built tested.
[Potential Regression]
Expect low regression potential that's limited to this specific API.
Pablo Neira Ayuso (1):
netfilter: nf_tables: remove catchall element in GC sync path
net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
--
2.34.1
More information about the kernel-team
mailing list