APPLIED: [SRU][Mantic][Jammy][Focal][PATCH 0/1] CVE-2024-1086

Stefan Bader stefan.bader at canonical.com
Mon Feb 19 10:16:27 UTC 2024


On 09.02.24 22:11, Bethany Jamison wrote:
> [Impact]
> 
> A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables
> component can be exploited to achieve local privilege escalation.
> The nft_verdict_init() function allows positive values as drop error within
> the hook verdict, and hence the nf_hook_slow() function can cause a double
> free vulnerability when NF_DROP is issued with a drop error which resembles
> NF_ACCEPT.
> 
> [Fix]
> 
> Mantic: Clean cherry-pick.
> Jammy: Mantic patch applied cleanly.
> Focal: Backported - There was a context merge conflict because upstream has
> updated the fallthrough in the switch from implicit to explicit, but the fix
> commit removes the switch entirely. I accepted the incoming changes from the
> fix commit as given.
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Regression Potential]
> 
> Issues could occur when running nft_verdict_init().
> 
> Florian Westphal (1):
>    netfilter: nf_tables: reject QUEUE/DROP verdict parameters
> 
>   net/netfilter/nf_tables_api.c | 16 ++++++----------
>   1 file changed, 6 insertions(+), 10 deletions(-)
> 

Applied to mantic,jammy,focal:linux/master-next. Thanks.

-Stefan
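
Added example, not part of this thread and not kernel source: a user-space C model of the verdict check described under [Impact], showing why comparing only the low verdict byte lets a DROP verdict carry a positive "error" that the hook caller reads as NF_ACCEPT, and how an exact match rejects it. The function names are hypothetical, the constants follow the Linux uapi netfilter header, and chain verdicts (NFT_CONTINUE, NFT_JUMP and so on) are left out.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Verdict values and layout as in the Linux uapi netfilter header. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_QUEUE 3
#define NF_VERDICT_MASK 0x000000ffu
#define NF_VERDICT_QBITS 16

/* Hypothetical helper: build a DROP verdict word carrying errno `err`. */
int32_t mk_drop(int err)
{
    return (int32_t)(((uint32_t)(-err) << NF_VERDICT_QBITS) | NF_DROP);
}

/* Model of the pre-fix rule: only the low 8 bits are compared. */
int check_masked(int32_t code)
{
    switch ((uint32_t)code & NF_VERDICT_MASK) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE: return 0;
    default: return -EINVAL;
    }
}

/* Model of the post-fix rule: the whole word must be a bare verdict. */
int check_exact(int32_t code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE: return 0;
    default: return -EINVAL;
    }
}

/* Model of what the hook caller gets back for a DROP verdict. */
int drop_result(int32_t verdict)
{
    int hi = (int)(((uint32_t)verdict >> NF_VERDICT_QBITS) & 0xffffu);
    if (hi >= 0x8000) hi -= 0x10000;      /* sign-extend upper 16 bits */
    return hi ? -hi : -EPERM;             /* no error given: -EPERM */
}

/* Prints three constructed samples: bare DROP, -ECONNREFUSED, +1. */
int main(void)
{
    int32_t s[] = { NF_DROP, mk_drop(-ECONNREFUSED), mk_drop(1) };
    for (int i = 0; i < 3; i++)
        printf("0x%08x masked=%d exact=%d caller_sees=%d\n", (unsigned)s[i],
               check_masked(s[i]), check_exact(s[i]), drop_result(s[i]));
}
```

The third sample passes the masked check while the caller sees 1 (NF_ACCEPT) for a packet that was dropped; the exact check rejects any DROP word that carries a parameter.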
