oss-sec mailing list archives
CVE-2023-6040: Linux Kernel netfilter out-of-bounds access
From: Cengiz Can <cengiz.can () canonical com>
Date: Fri, 12 Jan 2024 03:53:53 +0300
An out-of-bounds access vulnerability involving netfilter was reported and fixed as: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access. This out-of-bounds access can occur in two locations: 1) `xt_find_target` function in `x_tables.c` can dereference the `xt` array without a boundary check. This allows an attacker to fake an `xt_af` data and achieve further ends. 2) `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index on `loggers` global which consists of `struct nf_logger` members. An attacker can find a suitable global data to fake as `struct nf_logger` and use the invalid `pf` to dereference adjacent global data. Disabling unprivileged user namespaces mitigates the issue. This issue was reported to Ubuntu Security directly by Lin Ma from Ant Security Light-Year Lab and has been assigned CVE-2023-6040. It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix to be applied. Any upstream kernel newer than 5.18-rc1 should be safe. Cengiz Can
Current thread:
- CVE-2023-6040: Linux Kernel netfilter out-of-bounds access Cengiz Can (Jan 11)