oss-sec mailing list archives
Re: Linux kernel: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation, information leak
From: Solar Designer <solar () openwall com>
Date: Thu, 25 Aug 2022 15:28:56 +0200
On Mon, Mar 28, 2022 at 08:28:21PM +0200, David Bouman wrote:
> I'm reporting two Linux kernel vulnerabilities in the nf_tables component of the netfilter subsystem that I found.
>
> CVE-2022-1015 pertains to an out-of-bounds access in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload. CVE-2022-1015 is exploitable starting from commit 345023b0db3 ("netfilter: nftables: add nft_parse_register_store() and use it"), v5.12, and has been fixed in commit 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace."). The bug has been present since commit 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing"), but to my knowledge has not been exploitable until v5.12.
>
> CVE-2022-1016 pertains to uninitialized stack data in the nft_do_chain routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 4c905f6740a3 ("netfilter: nf_tables: initialize registers in nft_do_chain()").
>
> I will be releasing a detailed blog post and exploit code for both vulnerabilities in a few days.
Apparently, these were published on April 2, but not yet mentioned on oss-security?

https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
https://github.com/pqlx/CVE-2022-1015

Alexander