[SRU][J][PATCH 0/2] CVE-2024-27017

Bethany Jamison bethany.jamison at canonical.com
Fri Jun 28 16:07:35 UTC 2024


[Impact]

netfilter: nft_set_pipapo: walk over current view on netlink dump

The generation mask can be updated while netlink dump is in progress.
The pipapo set backend walk iterator cannot rely on it to infer what
view of the data structure is to be used. Add notation to specify if user
wants to read/update the set.

Based on patch from Florian Westphal.

[Fix]

Noble:	pending
Jammy:	Clean cherry-pick for prereq commit, Backport fix commit for
	context conflict with neighboring function that shouldn't
	impact this CVE, fix applied as given
Focal:	not affected
Bionic:	not affected
Xenial:	not affected
Trusty:	not affected

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use the netfilter framework; an issue with
this fix would be visible to the user via unexpected system behavior.

Florian Westphal (1):
  netfilter: nft_set_pipapo: constify lookup fn args where possible

Pablo Neira Ayuso (1):
  netfilter: nft_set_pipapo: walk over current view on netlink dump

 include/net/netfilter/nf_tables.h   | 13 +++++++
 net/netfilter/nf_tables_api.c       |  6 +++
 net/netfilter/nft_set_pipapo.c      | 23 ++++++-----
 net/netfilter/nft_set_pipapo.h      |  6 +--
 net/netfilter/nft_set_pipapo_avx2.c | 59 +++++++++++++++++------------
 5 files changed, 70 insertions(+), 37 deletions(-)

-- 
2.34.1
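
The [Impact] text above says the walk iterator cannot infer the view from the generation mask and must be told whether the caller reads or updates. The following is an added example, not part of the original message and not kernel code: a simplified user-space model of that selection logic. All names and the two-view layout (a live copy and a staged copy under edit) are assumptions made for illustration.

```c
/* Simplified user-space model; every name here is hypothetical. */
#include <stdio.h>

enum view { VIEW_LIVE, VIEW_STAGED };      /* committed copy vs. copy under edit */
enum iter_type { ITER_READ, ITER_UPDATE }; /* caller's stated intent */

struct nft_model { unsigned int gencursor; };  /* flipped by every commit */
struct walk_iter {
    unsigned int genmask;                  /* sampled when the dump starts */
    enum iter_type type;
};

static unsigned int genmask_cur(const struct nft_model *n)
{
    return 1u << (n->gencursor & 1);
}

static void commit(struct nft_model *n) { n->gencursor++; }

/* Before: infer the view by comparing the sampled mask with the current one. */
static enum view pick_view_by_genmask(const struct nft_model *n,
                                      const struct walk_iter *it)
{
    return it->genmask == genmask_cur(n) ? VIEW_LIVE : VIEW_STAGED;
}

/* After: the caller says whether it reads or updates; nothing is inferred. */
static enum view pick_view_by_type(const struct walk_iter *it)
{
    return it->type == ITER_UPDATE ? VIEW_STAGED : VIEW_LIVE;
}

/* A dump samples the mask, a commit lands, then the backend picks a view. */
static enum view dump_racing_commit(int use_type)
{
    struct nft_model net = { .gencursor = 0 };
    struct walk_iter it = { .genmask = genmask_cur(&net), .type = ITER_READ };

    commit(&net);                          /* generation changes mid-dump */
    return use_type ? pick_view_by_type(&it) : pick_view_by_genmask(&net, &it);
}

int main(void)
{
    printf("genmask inference: %s\n", dump_racing_commit(0) == VIEW_LIVE ? "live" : "staged");
    printf("explicit type:     %s\n", dump_racing_commit(1) == VIEW_LIVE ? "live" : "staged");
    return 0;
}
```

In this model the reader that infers from the mask is steered to the staged copy once a commit lands mid-dump, while the reader that declares its intent stays on the live copy.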



