APPLIED: [SRU][M/F][PATCH v2] CVE-2024-26925

Stefan Bader stefan.bader at canonical.com
Tue Jun 4 14:06:36 UTC 2024


On 29.05.24 16:56, Bethany Jamison wrote:
> [Impact]
> 
> netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
> 
> The commit mutex should not be released during the critical section
> between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
> worker could collect expired objects and get the released commit lock
> within the same GC sequence.
> 
> nf_tables_module_autoload() temporarily releases the mutex to load
> module dependencies, then it goes back to replay the transaction again.
> Move it at the end of the abort phase after nft_gc_seq_end() is called.
> 
> [Fix]
> 
> Noble:	fixed via stable
> Mantic:	Clean cherry-pick from fix and prereq commit
> Jammy:	fixed via stable
> Focal:	Clean cherry-pick from fix commit with backported prereq commits,
> 	commit a45e688 backported - context conflict due to extra
> 	whitespace in Focal, accepted incoming fix as is,
> 	commit 03c1f1e backported - context conflict with neighboring
> 	line outside of the modified if-statement, shouldn't affect the
> 	fix, applied fix changes as is
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty: not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the Netfilter framework, an issue with
> this fix would be visible to the user via decreased system performance
> or a system freeze.
> 
> v2: 	In my original submission the cover-letter subject line mentioned
> 	Mantic/Jammy instead of Mantic/Focal which are the releases getting
> 	patches in this patchset. This has been corrected in this submission.
> 
> Pablo Neira Ayuso (2):
>    netfilter: nf_tables: release batch on table validation from abort
>      path
>    netfilter: nf_tables: release mutex after nft_gc_seq_end from abort
>      path
> 
>   net/netfilter/nf_tables_api.c | 28 ++++++++++++++++++----------
>   1 file changed, 18 insertions(+), 10 deletions(-)
> 

Applied to mantic,focal:linux/master-next. Thanks.

-Stefan
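
The ordering problem described in the quoted [Impact] text, as an added example that is not part of this thread or of the kernel patch: a small single-threaded model that enumerates where a GC worker could take the commit mutex. The step lists, the `struct state` fields and the worker's "sampled sequence still matches" check are simplifying assumptions of this model, not kernel code.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model (assumption, not kernel code): the abort path is a list of
 * steps; the GC worker samples gc_seq once, later takes the commit mutex if
 * it is free, and trusts its batch when gc_seq still equals the sample. */
enum step { LOCK, SEQ_BEGIN, UNLOCK, SEQ_END };

/* Before the fix: mutex dropped for module autoload inside the
 * nft_gc_seq_begin()/nft_gc_seq_end() section, then retaken. */
static const enum step abort_before[] = { LOCK, SEQ_BEGIN, UNLOCK, LOCK, SEQ_END, UNLOCK };
/* After the fix: mutex released only after nft_gc_seq_end(). */
static const enum step abort_after[] = { LOCK, SEQ_BEGIN, SEQ_END, UNLOCK };

struct state { unsigned gc_seq; bool locked; bool in_section; };

static void apply(struct state *s, enum step st)
{
    switch (st) {
    case LOCK:      s->locked = true; break;
    case UNLOCK:    s->locked = false; break;
    case SEQ_BEGIN: s->gc_seq++; s->in_section = true; break;
    case SEQ_END:   s->gc_seq++; s->in_section = false; break;
    }
}

/* Count (sample point, lock point) pairs where the worker gets the mutex
 * inside the GC sequence and its sequence check still passes. */
static int count_races(const enum step *steps, int n)
{
    int races = 0;
    for (int sample = 0; sample <= n; sample++)
        for (int take = sample; take <= n; take++) {
            struct state s = { 0, false, false };
            unsigned seen = 0;
            for (int i = 0; i <= n; i++) {
                if (i == sample) seen = s.gc_seq;       /* worker collects */
                bool window = !s.locked && s.in_section; /* mutex free mid-sequence */
                if (i == take && window && seen == s.gc_seq) races++;
                if (i < n) apply(&s, steps[i]);
            }
        }
    return races;
}

int main(void)
{
    printf("before: %d, after: %d\n", count_races(abort_before, 6), count_races(abort_after, 4));
}
```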
