UNAPPLIED Re: [SRU][OEM-6.1][PATCH 0/1] CVE-2023-6111

Yuxuan Luo yuxuan.luo at canonical.com
Mon Nov 20 20:38:52 UTC 2023


Sorry for sending the wrong patch, I am submitting a v2 patch now.

On 11/20/23 03:42, Timo Aaltonen wrote:
> Yuxuan Luo wrote on 16.11.2023 at 23.35:
>> [Impact]
>> A use-after-free vulnerability in the Linux kernel's netfilter:
>> nf_tables component can be exploited to achieve local privilege
>> escalation. The function nft_trans_gc_catchall did not remove the
>> catchall set element from the catchall_list when the argument sync is
>> true, making it possible to free a catchall set element many times.
>>
>> [Backport]
>> There is a conflict that requires the commit 0e1ea651c971 (“netfilter:
>> nf_tables: remove catchall element in GC sync path”). Since its changes
>> are not relevant to the fix, ignore it and backport the fix commit.
>>
>> nft_setelem_catchall_remove(): keep the elem->priv line.
>>
>> nft_trans_gc(): add `struct nft_set_elem *elem;` instead of
>> `struct nft_elem_priv *elem_priv;` to keep consistent with the argument
>> type of nft_setelem_data_deactivate(). Modify the
>> `nft_trans_gc_elem_add(gc, elem->priv);` line accordingly.
>>
>> [Test]
>> Boot and smoke tested.
>>
>> [Potential Regression]
>> Expect low regression potential that's limited to this specific API.
>>
>> Pablo Neira Ayuso (1):
>>    netfilter: nf_tables: remove catchall element in GC sync path
>>
>>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>>   1 file changed, 17 insertions(+), 5 deletions(-)
>>
>
> /build/jammy/net/netfilter/nf_tables_api.c: In function 
> 'nft_trans_gc_catchall':
> /build/jammy/net/netfilter/nf_tables_api.c:9301:71: error: passing 
> argument 3 of 'nft_setelem_data_deactivate' from incompatible pointer 
> type [-Werror=incompatible-pointer-types]
>  9301 | nft_setelem_data_deactivate(gc->net, gc->set, elem_priv);
>       |       ^~~~~~~~~
>       |       |
>       |       struct nft_elem_priv *
> /build/jammy/net/netfilter/nf_tables_api.c:6710:55: note: expected 
> 'struct nft_set_elem *' but argument is of type 'struct nft_elem_priv *'
>  6710 |                                  struct nft_set_elem *elem)
>       |                                  ~~~~~~~~~~~~~~~~~~~~~^~~~
>
>
> Also, now that I had a closer look at the patch, your note about the 
> prerequisite commit is wrong, the SHA is probably right but the shortlog is 
> the same as for this patch... I assume you meant "netfilter: nf_tables: 
> shrink memory consumption of set elements"?
>
>
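The [Impact] section above describes the root cause as a catch-all set element that is deactivated and queued for freeing on the synchronous GC path without being unlinked from catchall_list, so a later pass can queue the same element again. The following constructed C model, added here as an illustration and not taken from the kernel's nf_tables_api.c, reproduces that list-handling mistake on a toy list and shows the effect of the unlink step the fix adds. The element and list types, the `expired` and `free_count` fields, and the `gc_scenario()` driver are all assumptions of this example, not kernel identifiers.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a catch-all element list and of a synchronous GC pass.
 * Example code only: these are simplified stand-ins, not the kernel's
 * nft_set_elem / catchall_list structures. */

struct catchall_elem {
    int id;
    int expired;                 /* GC should collect this element */
    int free_count;              /* times GC queued it for freeing; > 1 is a double free */
    struct catchall_elem *next;
};

struct catchall_list {
    struct catchall_elem *head;
};

/* Unlink elem from the list. This is the step the vulnerable sync path skipped. */
static void list_remove(struct catchall_list *list, struct catchall_elem *elem)
{
    struct catchall_elem **pp = &list->head;
    while (*pp) {
        if (*pp == elem) {
            *pp = elem->next;
            elem->next = NULL;
            return;
        }
        pp = &(*pp)->next;
    }
}

/* One synchronous GC pass. With unlink == 0 it mirrors the vulnerable code:
 * expired elements are deactivated and queued for freeing but stay on the
 * list, so the next pass queues the same element again. With unlink == 1 the
 * element is removed from the list first, which is what the fix adds. */
static void gc_catchall_sync(struct catchall_list *list, int unlink)
{
    struct catchall_elem *e = list->head;
    while (e) {
        struct catchall_elem *next = e->next;   /* save before a possible unlink */
        if (e->expired) {
            if (unlink)
                list_remove(list, e);
            /* In the kernel this is the deactivate + queue-for-GC step; the
             * actual free happens when the GC batch is committed. Here we only
             * count how often the element was queued, so nothing is freed twice. */
            e->free_count++;
        }
        e = next;
    }
}

static int list_length(const struct catchall_list *list)
{
    int n = 0;
    for (const struct catchall_elem *e = list->head; e; e = e->next)
        n++;
    return n;
}

struct gc_result {
    int max_free_count;   /* 1: each element queued once; 2: queued twice (the bug) */
    int remaining;        /* elements still linked after two passes */
};

/* Run two GC passes over a constructed three-element list in which one
 * element has expired, and report what happened to it. */
struct gc_result gc_scenario(int unlink)
{
    struct catchall_elem elems[3] = {
        { .id = 1, .expired = 0 },
        { .id = 2, .expired = 1 },   /* the element GC will collect */
        { .id = 3, .expired = 0 },
    };
    struct catchall_list list = { .head = &elems[0] };
    elems[0].next = &elems[1];
    elems[1].next = &elems[2];
    elems[2].next = NULL;

    gc_catchall_sync(&list, unlink);
    gc_catchall_sync(&list, unlink);   /* a later GC run over the same list */

    struct gc_result r = { 0, list_length(&list) };
    for (int i = 0; i < 3; i++)
        if (elems[i].free_count > r.max_free_count)
            r.max_free_count = elems[i].free_count;
    return r;
}

int main(void)
{
    struct gc_result bug = gc_scenario(0), fixed = gc_scenario(1);
    printf("without unlink: max free_count=%d, %d elements still linked\n",
           bug.max_free_count, bug.remaining);
    printf("with unlink:    max free_count=%d, %d elements still linked\n",
           fixed.max_free_count, fixed.remaining);
    return 0;
}
```

Without the unlink the expired element is queued on every pass while it stays reachable through the list, which is the "freed many times" condition the advisory text describes; with the unlink it is queued exactly once and the list shrinks accordingly. The same missing-unlink pattern is worth checking for in any backport of this fix, since the compile error quoted above came from the type of the element argument rather than from the list handling itself.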