1221290 – (CVE-2024-26609) VUL-0: REJECTED: CVE-2024-26609: kernel: netfilter: nf_tables: reject QUEUE/DROP verdict parameters

Bug 1221290 (CVE-2024-26609) - VUL-0: REJECTED: CVE-2024-26609: kernel: netfilter: nf_tables: reject QUEUE/DROP verdict parameters

Summary: VUL-0: REJECTED: CVE-2024-26609: kernel: netfilter: nf_tables: reject QUEUE/D...

Status:	RESOLVED INVALID

Alias:	CVE-2024-26609

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/397148/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-12 11:53 UTC by SMASH SMASH
Modified:	2024-05-23 15:56 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-03-12 11:53:25 UTC

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: reject QUEUE/DROP verdict parameters

This reverts commit e0abdadcc6e1.

core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
or 0.

Due to the reverted commit, its possible to provide a positive
value, e.g. NF_ACCEPT (1), which results in use-after-free.

Its not clear to me why this commit was made.

NF_QUEUE is not used by nftables; "queue" rules in nftables
will result in use of "nft_queue" expression.

If we later need to allow specifiying errno values from userspace
(do not know why), this has to call NF_DROP_GETERR and check that
"err <= 0" holds true.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26609
https://www.cve.org/CVERecord?id=CVE-2024-26609
https://git.kernel.org/stable/c/4e66422f1b56149761dc76030e6345d1cca6f869
https://git.kernel.org/stable/c/55a60251fa50d4e68175e36666b536a602ce4f6c
https://git.kernel.org/stable/c/6653118b176a00915125521c6572ae8e507621db
https://git.kernel.org/stable/c/8365e9d92b85fda975a5ece7a3a139cb964018c8
https://git.kernel.org/stable/c/8e34430e33b8a80bc014f3efe29cac76bc30a4b4
https://git.kernel.org/stable/c/960cf4f812530f01f6acc6878ceaa5404c06af7b
https://git.kernel.org/stable/c/f05a497e7bc8851eeeb3a58da180ba469efebb05
https://git.kernel.org/stable/c/f342de4e2f33e0e39165d8639387aa6c19dff660

Comment 1 Robert Frohl 2024-03-12 14:18:40 UTC

REJECTED:

https://lore.kernel.org/linux-cve-announce/20240312135714.1522772-2-lee@kernel.org/T/#u

Comment 2 Oscar Salvador 2024-04-17 02:49:10 UTC

Rejected. Back to sec-team.

Comment 3 Andrea Mattiazzo 2024-05-23 15:55:42 UTC

All done, closing.