ACK: [SRU][F/J][PATCH v2 0/1] CVE-2024-27397

Thibault Ferrante thibault.ferrante at canonical.com
Mon Sep 2 14:57:43 UTC 2024


Acked-by: Thibault Ferrante <thibault.ferrante at canonical.com>


On 02-09-2024 16:37, Massimiliano Pellizzer wrote:
> [Impact]
> 
> Add a timestamp field at the beginning of the transaction, store it
> in the nftables per-netns area.
> 
> Update set backend .insert, .deactivate and sync gc path to use the
> timestamp; this prevents an element from expiring while the control plane
> transaction is still unfinished.
> 
> .lookup and .update, which are used from the packet path, still use the
> current time to check if the element has expired. So do the .get path and
> dump, since these run lockless under the rcu read side lock. Then, there is
> async gc, which also needs to check the current time since it runs
> asynchronously from a workqueue.
> 
> [Fix]
> 
> Noble:  Fixed
> Jammy:  Cherry picked from linux-5.15.y
> Focal:  Backported from linux-5.4.y
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> The fix for CVE-2024-27397 affects the netfilter subsystem.
> An issue with this fix may lead to kernel crashes, particularly during
> the application or modification of network filtering rules.
> Users may also notice unexpected network behavior.
> 
> [Changes between v1 and v2]
> Fixed a typo in the commit description.
> 
> Pablo Neira Ayuso (1):
>    netfilter: nf_tables: use timestamp to check for set element timeout
> 
>   include/net/netfilter/nf_tables.h | 21 +++++++++++++++++++--
>   net/netfilter/nf_tables_api.c     |  1 +
>   net/netfilter/nft_set_hash.c      |  8 +++++++-
>   net/netfilter/nft_set_rbtree.c    |  6 ++++--
>   4 files changed, 31 insertions(+), 5 deletions(-)
> 


-- 
Thibault
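As an added illustration (not the patch itself and not kernel code), here is a small C model of the two expiry views the quoted description distinguishes: control-plane paths compare against the timestamp captured once at transaction start, while the packet path compares against the current time. The struct and function names are simplified stand-ins chosen for this example, not nf_tables identifiers.

```c
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t jiffies_t;

/* Per-netns state: the fix records one timestamp when the transaction begins.
 * Simplified stand-in for the nftables per-netns area the description mentions. */
struct model_net {
    jiffies_t tstamp;
};

struct model_set_elem {
    jiffies_t expiration;   /* absolute expiry time; 0 means the element never expires */
};

/* Wraparound-safe "a >= b" on a free-running counter, same idea as the
 * kernel's time_after_eq(): the signed difference decides the ordering. */
static bool time_after_eq(jiffies_t a, jiffies_t b)
{
    return (int64_t)(a - b) >= 0;
}

static bool elem_expired_at(const struct model_set_elem *e, jiffies_t when)
{
    return e->expiration != 0 && time_after_eq(when, e->expiration);
}

/* Called once at transaction start; .insert/.deactivate/sync gc reuse the value. */
static void model_trans_start(struct model_net *nn, jiffies_t now)
{
    nn->tstamp = now;
}

/* Control-plane view: judged against the transaction timestamp, so an element that
 * was alive when the transaction began stays alive for the whole transaction.
 * Before the fix this path also used the current time, like packet_path_sees_live(). */
bool control_plane_sees_live(jiffies_t expiration, jiffies_t trans_start)
{
    struct model_net nn;
    struct model_set_elem e = { .expiration = expiration };
    model_trans_start(&nn, trans_start);
    return !elem_expired_at(&e, nn.tstamp);
}

/* Packet-path view (.lookup/.update, async gc): judged against the current time. */
bool packet_path_sees_live(jiffies_t expiration, jiffies_t now)
{
    struct model_set_elem e = { .expiration = expiration };
    return !elem_expired_at(&e, now);
}
```

With an element expiring at tick 100 and a transaction that started at tick 90 and is still running at tick 110, the control plane keeps treating the element as live while a packet-path lookup at tick 110 already reports it expired.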