Bugzilla – Bug 1218495
VUL-0: CVE-2024-0193: kernel: netfilter: use-after-free in nft_trans_gc_catchall_sync leads to privilege escalation
Last modified: 2024-06-25 18:04:10 UTC
A use-after-free flaw was found in the netfilter subsystem of the Linux kernel. If the catchall element is garbage-collected when the pipapo set is removed, the element can be deactivated twice. This can cause a use-after-free issue on an NFT_CHAIN object or NFT_OBJECT object, allowing a local unprivileged user to escalate their privileges on the system.

References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-0193

Patch: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a
Michal, this seems to be in your area.
The commit that introduces the problem is also present on some SLE15-SP4 and SLE15-SP5 codestreams. Aren't they affected? If not, we don't need to create any LP at this point.

Michal could you check it? Thanks!
(In reply to Marcos de Souza from comment #3)
> The commit that introduces the problem is also present on some SLE15-SP4 and
> SLE15-SP5 codestreams. Aren't they affected? If not, we don't need to create
> any LP at this point.
>
> Michal could you check it? Thanks!

Ping :)
Yes, offending commit 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") was backported to all 6.4 and 5.14 based branches so that a backport will be needed in SLE15-SP6 and cve/linux-5.14.
(In reply to Michal Kubeček from comment #6)
> Yes, offending commit 5f68718b34a5 ("netfilter: nf_tables: GC transaction
> API to avoid race with control plane") was backported to all 6.4 and 5.14
> based branches so that a backport will be needed in SLE15-SP6 and
> cve/linux-5.14.

Correction: 5.14 based branches do not actually need the fix. While it fixes a regression introduced in 6.5-rc7 by commit 5f68718b34a5, this regression was in its part patching pipapo code introduced in 6.4-rc7 by commit 212ed75dc5fb, which we did not backport into 5.14 based branches. Therefore only 6.4 based branches need this fix.
(In reply to Michal Kubeček from comment #7)
> (In reply to Michal Kubeček from comment #6)
> > Yes, offending commit 5f68718b34a5 ("netfilter: nf_tables: GC transaction
> > API to avoid race with control plane") was backported to all 6.4 and 5.14
> > based branches so that a backport will be needed in SLE15-SP6 and
> > cve/linux-5.14.
>
> Correction: 5.14 based branches do not actually need the fix. While it fixes
> a regression introduced in 6.5-rc7 by commit 5f68718b34a5, this regression
> was in its part patching pipapo code introduced in 6.4-rc7 by commit
> 212ed75dc5fb which we did not backport into 5.14 based branches. Therefore
> only 6.4 based branches need this fix.

Thanks for confirming Michal, so we don't need to create a livepatch in this case.
introduced: 5f68718b34a5 (6.5-rc6)
fixed: 7315dc1e122c (6.7)

The offending commit has also been backported to 5.14 based branches, but they are not actually affected as the relevant code path is missing (see comment 8 for details). The fix has been submitted to the only relevant branch:

SLE15-SP6: 77cf7004de79

Reassigning back to security team.
(In reply to Michal Kubeček from comment #9)
> SLE15-SP6 77cf7004de79

Resubmitted, I didn't notice this bug has a score sufficient for the GA branch:

SLE15-SP6-GA: e7bf1c3e1b72
All done, closing.