[SRU Bionic 0/5] CVE-2023-32233
Stefan Bader
stefan.bader at canonical.com
Wed May 17 11:28:27 UTC 2023
On 17.05.23 13:16, Andrei Gherzan wrote:
> On 23/05/17 09:18AM, Stefan Bader wrote:
>> On 16.05.23 15:53, Thadeu Lima de Souza Cascardo wrote:
>>> [Impact]
>>> On systems where user namespaces can be created by unprivileged users,
>>> which is the default configuration on Ubuntu, unprivileged users can
>>> trigger a use-after-free vulnerability on netfilter. This could be used to
>>> crash the system or elevate privileges.
>>>
>>> [Test case]
>>> A reproducer that causes an oops under slub_debug=FZP was tested and the fix
>>> has been shown to prevent it.
>>>
>>> [Backport]
>>> Picked patches submitted by the maintainer to 4.14 tree.
>>>
>>> [Potential impact]
>>> netfilter users may find regressions when manipulating nftables.
>>>
>>> Florian Westphal (1):
>>> netfilter: nf_tables: split set destruction in deactivate and destroy
>>> phase
>>>
>>> Pablo Neira Ayuso (4):
>>> netfilter: nf_tables: unbind set in rule from commit path
>>> netfilter: nf_tables: use-after-free in failing rule with bound set
>>> netfilter: nf_tables: bogus EBUSY when deleting set after flush
>>> netfilter: nf_tables: deactivate anonymous set from preparation phase
>>>
>>> include/net/netfilter/nf_tables.h | 30 ++++++-
>>> net/netfilter/nf_tables_api.c | 139 +++++++++++++++++++++---------
>>> net/netfilter/nft_dynset.c | 22 ++++-
>>> net/netfilter/nft_immediate.c | 6 +-
>>> net/netfilter/nft_lookup.c | 21 ++++-
>>> net/netfilter/nft_objref.c | 21 ++++-
>>> 6 files changed, 193 insertions(+), 46 deletions(-)
>>>
>>
>> All patches seem to miss the cherry pick/backport line. As we probably also
>> should start handling bionic like ESM, maybe this should be re-submitted
>> with fixed provenance to the ESM list. Not NACKing straight to leave the
>> option for alternatives.
>
> I had the same question for Thadeu, as I needed to understand his cover
> letter details. The idea is that the patches are from a maintainer
> submission against 4.14 that were picked by Thadeu for our 4.15. So
> these are not cherry-picked/backported per se, hence not having the
> specific footer.
>
> The only change that Thadeu made was to adapt the maintainer's
> "[backport for 4.14 of SHA1]" line to match the autotriage format:
> "[Upstream commit SHA1]".
>
There would be
(cherry picked from <SHA1> linux-4.14.y)
no?
--
- Stefan
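The thread turns on which provenance trailer a backported patch should carry. As an added example (not from the thread, and not the Ubuntu kernel team's own tooling), here is a small Python check that scans a series' commit messages for the three forms mentioned above: the maintainer's "[backport for 4.14 of SHA1]" line, the "[Upstream commit SHA1]" autotriage form, and the "(cherry picked from <SHA1> linux-4.14.y)" form. The regexes are my reading of those lines, and the sample commit messages and SHAs are constructed.

```python
import re

# Provenance trailer forms named in the thread, as I read them (assumed
# regexes, not an official format definition): the maintainer's 4.14 backport
# note, the "[Upstream commit SHA1]" autotriage form, and a cherry-pick line
# that may name the stable branch it was taken from.
SHA = r"([0-9a-f]{12,40})"
PROVENANCE_PATTERNS = {
    "backport_4_14": re.compile(r"^\[backport for 4\.14 of " + SHA + r"\]\s*$", re.M),
    "upstream": re.compile(r"^\[Upstream commit " + SHA + r"\]\s*$", re.M),
    "cherry_pick": re.compile(
        r"^\(cherry picked from (?:commit )?" + SHA + r"(?: ([\w./-]+))?\)\s*$", re.M),
}

def find_provenance(message):
    """Return (kind, sha, branch) for the first trailer found, else None."""
    for kind, pat in PROVENANCE_PATTERNS.items():
        m = pat.search(message)
        if m:
            branch = m.group(2) if kind == "cherry_pick" else None
            return kind, m.group(1), branch
    return None

def check_series(patches):
    """Map each patch subject to its provenance tuple, or None when missing."""
    return {subject: find_provenance(body) for subject, body in patches}

def missing_provenance(patches):
    """Subjects that carry none of the accepted trailer forms."""
    return [s for s, p in check_series(patches).items() if p is None]

# Constructed sample commit messages (fake SHAs), one per trailer style and
# one with no provenance line at all.
SAMPLE_SERIES = [
    ("netfilter: nf_tables: unbind set in rule from commit path",
     "Rule may hold a set binding.\n\n[Upstream commit 1a2b3c4d5e6f1a2b]\n"),
    ("netfilter: nf_tables: bogus EBUSY when deleting set after flush",
     "EBUSY reported wrongly.\n\n[backport for 4.14 of 2b3c4d5e6f1a2b3c]\n"),
    ("netfilter: nf_tables: deactivate anonymous set from preparation phase",
     "Deactivate early.\n\n(cherry picked from 3c4d5e6f1a2b3c4d linux-4.14.y)\n"),
    ("netfilter: nf_tables: split set destruction in deactivate and destroy phase",
     "No trailer here.\n"),
]

if __name__ == "__main__":
    for subject, prov in check_series(SAMPLE_SERIES).items():
        print(f"{subject}: {prov or 'MISSING provenance line'}")
```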