[SRU][N/J/F][PATCH 0/1] CVE-2024-53141

Ian Whitfield ian.whitfield at canonical.com
Mon Jan 6 23:38:30 UTC 2025


[Impact]

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

[Backport]

The patch was applied cleanly.

[Fix]

Oracular:	fixed via stable updates
Noble:		backport
Jammy:		backport
Focal:		backport
Bionic:		fix sent to ESM ML
Xenial:		fix sent to ESM ML
Trusty:		fix sent to ESM ML

[Test Case]

Compile and boot tested

[Where problems could occur]

This fix affects those who use netfilter's IP set functionality. An
issue with this fix would be visible to the user as the potential for
out-of-bounds memory access due to insufficient bounds checking.

Jeongjun Park (1):
  netfilter: ipset: add missing range check in bitmap_ip_uadt

 net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

-- 
2.43.0
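
Added example, not part of the original message or the kernel source: a simplified userspace C model of the check ordering described under [Impact], covering only the CIDR case. The struct, the function names and the sample addresses are constructed for illustration, and it assumes the CIDR expansion masks ip down to the start of its block.

```c
#include <stdint.h>
#include <stdio.h>

#define ERR_RANGE (-1)

/* Simplified model of a bitmap:ip set covering [first_ip, last_ip] (host order). */
struct bitmap_range { uint32_t first_ip, last_ip; };

/* Expand ip/cidr into the block [*from, *to]; this can move *from downwards. */
static void cidr_to_range(uint32_t *from, uint32_t *to, unsigned cidr)
{
    uint32_t hostmask = cidr >= 32 ? 0 : 0xFFFFFFFFu >> cidr;
    *from &= ~hostmask;
    *to = *from | hostmask;
}

/* Check order described in [Impact]: ip is validated before the expansion. */
int check_before_expand(const struct bitmap_range *m, uint32_t ip,
                        unsigned cidr, int64_t *first_idx)
{
    uint32_t ip_to;
    if (ip < m->first_ip || ip > m->last_ip)
        return ERR_RANGE;
    cidr_to_range(&ip, &ip_to, cidr);
    if (ip_to > m->last_ip)          /* only the upper end is re-checked */
        return ERR_RANGE;
    *first_idx = (int64_t)ip - m->first_ip;  /* negative means below the bitmap */
    return 0;
}

/* Both ends validated after the expansion, when ip and ip_to are final. */
int check_after_expand(const struct bitmap_range *m, uint32_t ip,
                       unsigned cidr, int64_t *first_idx)
{
    uint32_t ip_to;
    cidr_to_range(&ip, &ip_to, cidr);
    if (ip < m->first_ip || ip_to > m->last_ip)
        return ERR_RANGE;
    *first_idx = (int64_t)ip - m->first_ip;
    return 0;
}

int main(void)
{
    /* Constructed sample: set 192.168.1.64-192.168.1.127, element 192.168.1.100/25. */
    struct bitmap_range m = { 0xC0A80140u, 0xC0A8017Fu };
    int64_t idx = 0;
    int rc = check_before_expand(&m, 0xC0A80164u, 25, &idx);
    printf("before: rc=%d idx=%lld\n", rc, (long long)idx);
    printf("after:  rc=%d\n", check_after_expand(&m, 0xC0A80164u, 25, &idx));
    return 0;
}
```

With the early check the /25 element is accepted with a start index below the bitmap; with the check placed after the expansion it is rejected, while an element that expands to exactly the set's range is still accepted.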
