Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function

Related Vulnerabilities: CVE-2024-26925  
                							

From: Salvatore Bonaccorso <carnil () debian org>

Date: Wed, 8 May 2024 15:22:57 +0200

Hi,

On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
> Hello,
>
> I found a locking issue in nf_tables set element GC implementation and
> exploited it in kernelCTF. The bug breaks the sequence number assumption
> in set asynchronous GC, which can be used to cause double free, and
> leads to local privilege escalation.
>
> Introduced in v6.5:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9
>
> Fixed in v6.9-rc3:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54

It should be noted, though, that this has been backported to stable series:

5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13

but equally the fix in

5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.

Regards.
Salvatore
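
The two version lists in the message define, per stable series, a window between the release that picked up the bug-introducing commit and the release that picked up the fix. The Python below is an added example, not part of the original message: it classifies an upstream kernel version against those windows. The name `classify`, the status strings, and the handling of series that branched from v6.5 or later (affected from x.y.0; 6.5.x and 6.7.x have no fix release listed) are assumptions of this example.

```python
import re

# Per stable series: (first patch release with the bug, first with the fix).
# Numbers are the ones listed in the message; 0 means present since x.y.0
# because the series branched from mainline v6.5 or later; None means the
# message lists no fixed release for that series.
SERIES = {
    (5, 4): (262, 274), (5, 10): (198, 215), (5, 15): (134, 155),
    (6, 1): (56, 86), (6, 4): (13, None),
    (6, 6): (0, 26), (6, 8): (0, 5),
}
INTRODUCED = (6, 5)          # "Introduced in v6.5"
FIXED, FIXED_RC = (6, 9), 3  # "Fixed in v6.9-rc3"


def classify(version: str) -> str:
    """Classify an upstream version such as '6.1.85' or '6.9-rc2'."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", version.strip())
    if not m:
        return "unknown"
    series = (int(m[1]), int(m[2]))
    patch = int(m[3] or 0)
    rc = int(m[4]) if m[4] else None
    if series in SERIES:
        first_bad, first_fixed = SERIES[series]
        if patch < first_bad:
            return "not-affected"
        if first_fixed is not None and patch >= first_fixed:
            return "fixed"
        return "affected"
    if series < INTRODUCED:
        return "not-listed"          # no backport named in the message
    if series > FIXED:
        return "fixed"
    if series == FIXED:
        return "affected" if rc is not None and rc < FIXED_RC else "fixed"
    return "affected"                # e.g. 6.5.x, 6.7.x: no fix release listed


if __name__ == "__main__":
    # Constructed sample inputs.
    for v in ("6.1.55", "6.1.85", "6.1.86", "6.7.12", "6.9-rc2", "6.9.1"):
        print(f"{v:10} {classify(v)}")
```

Feed it the upstream stable version, not a distribution's `uname -r` string: distribution kernels carry their own backports and ABI-style release names, so check the vendor's tracker for those.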

Current thread:

CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function HexRabbit Chen (May 07)

Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function Salvatore Bonaccorso (May 08)
