ACK: [SRU][M/F][PATCH v2] CVE-2024-26925
Tim Gardner
tim.gardner at canonical.com
Mon Jun 3 18:03:53 UTC 2024
On 5/29/24 8:56 AM, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
>
> The commit mutex should not be released during the critical section
> between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
> worker could collect expired objects and get the released commit lock
> within the same GC sequence.
>
> nf_tables_module_autoload() temporarily releases the mutex to load
> module dependencies, then it goes back to replay the transaction again.
> Move it at the end of the abort phase after nft_gc_seq_end() is called.
>
> [Fix]
>
> Noble: fixed via stable
> Mantic: Clean cherry-pick from fix and prereq commit
> Jammy: fixed via stable
> Focal: Clean cherry-pick from fix commit with backported prereq commits,
> commit a45e688 backported - context conflict due to extra
> whitespace in Focal, accepted incoming fix as is,
> commit 03c1f1e backported - context conflict with neighboring
> line outside of the modified if-statement, shouldn't affect the
> fix, applied fix changes as is
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Netfilter framework, an issue with
> this fix would be visible to the user via decreased system performance
> or a system freeze.
>
> v2: In my original submission the cover-letter subject line mentioned
> Mantic/Jammy instead of Mantic/Focal which are the releases getting
> patches in this patchset. This has been corrected in this submission.
>
> Pablo Neira Ayuso (2):
> netfilter: nf_tables: release batch on table validation from abort path
> netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
>
> net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
> 1 file changed, 18 insertions(+), 10 deletions(-)
>
Acked-by: Tim Gardner <tim.gardner at canonical.com>
--
-----------
Tim Gardner
Canonical, Inc
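The ordering rule the cover letter summarises (the commit mutex must stay held across the nft_gc_seq_begin()/nft_gc_seq_end() bracket, so the async GC worker cannot acquire it inside the same GC sequence) can be shown with a small deterministic model. The block below is an added example and is not nf_tables code or anything from this patch set: the struct, the `gc_seq`/mutex fields and the worker's "sequence unchanged" check are a user-space stand-in for the mechanism the commit message describes, and the interleaving is forced by calling the worker where the mutex has been dropped rather than by real scheduling. `run_abort_path(false)` places the module-autoload unlock inside the bracket (the bug) and `run_abort_path(true)` places it after `gc_seq_end()` (the fix); the return value counts how often GC work was applied while the sequence counter was odd, that is, inside someone else's critical section.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed user-space model of the invariant named in the commit message.
 * NOT nf_tables code: gc_seq, the commit mutex and the worker's sequence check
 * are taken from the description; the bodies are a simplified stand-in.
 */
struct net_model {
    unsigned int gc_seq;     /* odd while a commit/abort critical section is open */
    bool mutex_held;         /* the commit mutex */
    unsigned int violations; /* GC work applied while gc_seq was odd */
};

static void commit_lock(struct net_model *m)   { assert(!m->mutex_held); m->mutex_held = true; }
static void commit_unlock(struct net_model *m) { assert(m->mutex_held);  m->mutex_held = false; }

/* Bracket a critical section: begin makes gc_seq odd, end makes it even again. */
static void gc_seq_begin(struct net_model *m) { assert(m->mutex_held); m->gc_seq++; }
static void gc_seq_end(struct net_model *m)   { assert(m->mutex_held); m->gc_seq++; }

/*
 * Async GC worker, modelled as one run: snapshot gc_seq, walk the sets without
 * the mutex, then take the mutex and apply the batch only if the sequence is
 * unchanged. Applying with an odd snapshot means the worker ran inside another
 * path's critical section, which is the condition the fix rules out.
 */
static bool gc_worker_run(struct net_model *m)
{
    unsigned int snapshot = m->gc_seq;   /* lockless read before collecting */
    commit_lock(m);
    bool applied = (m->gc_seq == snapshot);
    if (applied && (snapshot & 1u))
        m->violations++;
    commit_unlock(m);
    return applied;
}

/*
 * Abort path with the module-autoload mutex drop placed either inside the
 * bracket (the bug) or after gc_seq_end() (the fix). The worker is scheduled
 * into the window where the mutex is free, the interleaving the commit
 * message describes. Returns the number of invariant violations observed.
 */
static unsigned int run_abort_path(bool autoload_after_seq_end)
{
    struct net_model m = { .gc_seq = 0, .mutex_held = false, .violations = 0 };

    commit_lock(&m);
    gc_seq_begin(&m);
    /* ... undo the transaction; expired objects queued for release ... */
    if (!autoload_after_seq_end) {
        commit_unlock(&m);   /* module autoload drops the lock mid-sequence */
        gc_worker_run(&m);   /* worker gets the lock inside the same sequence */
        commit_lock(&m);
    }
    gc_seq_end(&m);
    if (autoload_after_seq_end) {
        commit_unlock(&m);   /* fixed placement: sequence already closed */
        gc_worker_run(&m);   /* worker sees an even sequence: ordinary GC */
        commit_lock(&m);
    }
    /* replay of the transaction opens a fresh sequence */
    gc_seq_begin(&m);
    gc_seq_end(&m);
    commit_unlock(&m);
    return m.violations;
}

int main(void)
{
    printf("autoload inside bracket:   %u violation(s)\n", run_abort_path(false));
    printf("autoload after gc_seq_end: %u violation(s)\n", run_abort_path(true));
    return 0;
}
```

The model deliberately leaves out what the real worker does with its batch; the point it isolates is that parity of the sequence counter at the moment the worker takes the mutex is what distinguishes ordinary GC from GC that overlaps an abort in progress, and that moving the unlock past `gc_seq_end()` is enough to keep the worker on the even side.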