APPLIED: [SRU Lunar 0/1] CVE-2023-6111
Roxana Nicolescu
roxana.nicolescu at canonical.com
Fri Jan 5 10:52:26 UTC 2024
On 05/01/2024 03:16, Thadeu Lima de Souza Cascardo wrote:
> Reusing previous submission from Yuxuan Luo.
>
> [Impact]
> A use-after-free vulnerability in the Linux kernel's netfilter:
> nf_tables component can be exploited to achieve local privilege
> escalation. The function nft_trans_gc_catchall did not remove the
> catchall set element from the catchall_list when the argument sync is
> true, making it possible to free a catchall set element many times.
>
> [Backport]
> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
> nf_tables: shrink memory consumption of set elements”). Since its changes
> is not relevant to the fix, ignore it and backport the fix commit.
>
> nft_setelem_catchall_remove(): keep the elem->priv line.
>
> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
> type of nft_setelem_data_deactivate(). Modify the
> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>
> [Test]
> Built tested.
>
> [Potential Regression]
> Expect low regression potential that's limited to this specific API.
>
> Pablo Neira Ayuso (1):
> netfilter: nf_tables: remove catchall element in GC sync path
>
> net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
> 1 file changed, 17 insertions(+), 5 deletions(-)
>
Applied to lunar master-next branch. Thanks!
More information about the kernel-team
mailing list