ACK: [SRU][N/J/F][PATCH 0/1] CVE-2024-53141
Magali Lemes
magali.lemes at canonical.com
Tue Jan 7 12:40:11 UTC 2025
On 06/01/2025 20:38, Ian Whitfield wrote:
> [Impact]
>
> When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
> the values of ip and ip_to are slightly swapped. Therefore, the range check
> for ip should be done later, but this part is missing and it seems that the
> vulnerability occurs.
>
> So we should add missing range checks and remove unnecessary range checks.
>
> [Backport]
>
> The patch was applied cleanly.
>
> [Fix]
>
> Oracular: fixed via stable updates
> Noble: backport
> Jammy: backport
> Focal: backport
> Bionic: fix sent to ESM ML
> Xenial: fix sent to ESM ML
> Trusty: fix sent to ESM ML
>
> [Test Case]
>
> Compile and boot tested
>
> [Where problems could occur]
>
> This fix affects those who use netfilter's IP set functionality. An
> issue with this fix would be visible to the user as the potential for
> out-of-bounds memory access due to insufficient bounds checking.
>
> Jeongjun Park (1):
> netfilter: ipset: add missing range check in bitmap_ip_uadt
>
> net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
> 1 file changed, 2 insertions(+), 5 deletions(-)
>
Acked-by: Magali Lemes <magali.lemes at canonical.com>
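
The check-ordering problem described under [Impact], as an added example that is not part of the original message or of the kernel patch: a simplified user-space model in which a range check done before CIDR expansion accepts a request whose expanded range starts below the set's first address. The struct, the function names and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the address window a bitmap set covers. */
struct ip_window { uint32_t first_ip, last_ip; };

/* Expand ip/cidr to the range [*from, *to]; caller guarantees 1 <= cidr <= 32. */
static void cidr_to_range(uint32_t ip, unsigned cidr, uint32_t *from, uint32_t *to)
{
    uint32_t mask = 0xFFFFFFFFu << (32 - cidr);
    *from = ip & mask;
    *to = ip | ~mask;
}

/* Flawed order: the lower bound is tested on the raw ip, before expansion. */
int check_before_expand(const struct ip_window *w, uint32_t ip, unsigned cidr)
{
    uint32_t from, to;
    if (cidr == 0 || cidr > 32) return -1;
    if (ip < w->first_ip || ip > w->last_ip) return -1;
    cidr_to_range(ip, cidr, &from, &to);
    return to > w->last_ip ? -1 : 0;   /* 'from' is never re-checked */
}

/* Corrected order: both bounds are tested on the expanded range. */
int check_after_expand(const struct ip_window *w, uint32_t ip, unsigned cidr)
{
    uint32_t from, to;
    if (cidr == 0 || cidr > 32) return -1;
    cidr_to_range(ip, cidr, &from, &to);
    return (from < w->first_ip || to > w->last_ip) ? -1 : 0;
}

/* Offset of the range start relative to first_ip; negative means outside the bitmap. */
int64_t start_offset(const struct ip_window *w, uint32_t ip, unsigned cidr)
{
    uint32_t from, to;
    cidr_to_range(ip, cidr, &from, &to);
    return (int64_t)from - (int64_t)w->first_ip;
}

int main(void)
{
    /* Constructed sample: window 10.0.0.100-10.0.0.127, request 10.0.0.110/26. */
    struct ip_window w = { 0x0A000064u, 0x0A00007Fu };
    printf("before=%d after=%d offset=%lld\n", check_before_expand(&w, 0x0A00006Eu, 26),
           check_after_expand(&w, 0x0A00006Eu, 26), (long long)start_offset(&w, 0x0A00006Eu, 26));
    return 0;
}
```
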