oss-sec mailing list archives

CVE-2022-2586 - Linux kernel nf_tables cross-table reference UAF


From: Thadeu Lima de Souza Cascardo <cascardo () canonical com>
Date: Tue, 9 Aug 2022 14:10:35 -0300

It was discovered that an nft object or expression could reference an nft set on
a different nft table, leading to a use-after-free once that table was deleted.

Team Orca of Sea Security (@seasecresponse) working with Trend Micro's Zero Day
Initiative discovered that this vulnerability could be exploited for Local
Privilege Escalation. This has been reported as ZDI-CAN-17470, and assigned
CVE-2022-2586.

This bug was introduced by commit 958bee14d071 ("netfilter: nf_tables: use new
transaction infrastructure to handle sets"), which has been present since v3.16-rc1.

Exploiting it requires CAP_NET_ADMIN in any user or network namespace.

A PoC that will trigger KASAN is going to be posted in a week.

Fixes have been sent to netfilter-devel () vger kernel org and are at
https://lore.kernel.org/netfilter-devel/20220809170148.164591-1-cascardo () canonical com/T/#t.
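To make the mechanism described in the post concrete, below is a constructed C model added for this page; it is not kernel code, not the poster's PoC, and not the patch on the lore thread. Tables own sets, a rule expression holds a raw pointer to the set it was bound to, and a lookup that resolves a set id without checking which table owns the set lets a rule in table "a" keep a pointer into table "b" after "b" is deleted. The owning-table check in lookup_set_fixed is my assumption about the shape of the fix (the post only says fixes were sent); the "freed" flag stands in for actual memory release so the dangling pointer can be inspected without undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the cross-table set reference described in the post.
 * Not kernel code: tables own sets, and a lookup expression holds a raw
 * pointer to the set it was bound to. */

#define MAX_SETS 4

struct nft_table;

struct nft_set {
    const char *name;
    struct nft_table *table;   /* owning table */
    int freed;                 /* stand-in for "this memory was freed" */
};

struct nft_table {
    const char *name;
    struct nft_set *sets[MAX_SETS];
    int nsets;
};

/* Transaction context: the table named by the netlink message being processed. */
struct nft_ctx {
    struct nft_table *table;
};

/* An expression that references a set (think "lookup" or an object map). */
struct nft_lookup_expr {
    struct nft_set *set;
};

static void table_add_set(struct nft_table *t, struct nft_set *s, const char *name)
{
    s->name = name;
    s->table = t;
    s->freed = 0;
    t->sets[t->nsets++] = s;
}

/* Vulnerable lookup: resolves the reference by id/name across every table and
 * hands back whatever it finds, with no check that ctx->table owns it. */
static struct nft_set *lookup_set_vuln(const struct nft_ctx *ctx,
                                       struct nft_table *const *all, int ntables,
                                       const char *name)
{
    (void)ctx;
    for (int i = 0; i < ntables; i++)
        for (int j = 0; j < all[i]->nsets; j++)
            if (strcmp(all[i]->sets[j]->name, name) == 0)
                return all[i]->sets[j];
    return NULL;
}

/* Hardened lookup: refuse a set owned by any table other than the one the
 * transaction is for. Assumed shape of the fix; the post only says fixes were sent. */
static struct nft_set *lookup_set_fixed(const struct nft_ctx *ctx,
                                        struct nft_table *const *all, int ntables,
                                        const char *name)
{
    struct nft_set *s = lookup_set_vuln(ctx, all, ntables, name);
    if (s && s->table != ctx->table)
        return NULL;   /* the kernel would return an error such as -EINVAL */
    return s;
}

/* Deleting a table releases its sets. The model marks them instead of calling
 * free() so the dangling pointer can still be inspected afterwards. */
static void delete_table(struct nft_table *t)
{
    for (int i = 0; i < t->nsets; i++)
        t->sets[i]->freed = 1;
    t->nsets = 0;
}

/* Add a rule to table "a" that references set "victim" owned by table "b",
 * then delete "b". Returns 1 if the expression now points at a freed set
 * (the use-after-free), 0 if it is still valid, -1 if binding was refused. */
static int cross_table_scenario(int use_fix)
{
    struct nft_table a = { .name = "a" }, b = { .name = "b" };
    struct nft_table *all[] = { &a, &b };
    struct nft_set victim;
    struct nft_ctx ctx = { .table = &a };   /* rule is being added to table a */
    struct nft_lookup_expr expr = { 0 };

    table_add_set(&b, &victim, "victim");
    expr.set = use_fix ? lookup_set_fixed(&ctx, all, 2, "victim")
                       : lookup_set_vuln(&ctx, all, 2, "victim");
    if (!expr.set)
        return -1;

    delete_table(&b);           /* table b is gone; the rule in table a survives */
    return expr.set->freed;
}

/* The check must not break the legitimate case: a rule in table "b"
 * referencing a set in "b". Returns 1 if the hardened lookup finds it. */
static int same_table_scenario(void)
{
    struct nft_table b = { .name = "b" };
    struct nft_table *all[] = { &b };
    struct nft_set s;
    struct nft_ctx ctx = { .table = &b };

    table_add_set(&b, &s, "local");
    return lookup_set_fixed(&ctx, all, 1, "local") == &s;
}

int main(void)
{
    printf("vulnerable lookup, cross-table ref then delete: uaf=%d\n",
           cross_table_scenario(0));
    printf("hardened lookup, cross-table ref: %s\n",
           cross_table_scenario(1) == -1 ? "refused" : "allowed");
    printf("hardened lookup, same-table ref: %s\n",
           same_table_scenario() ? "ok" : "broken");
    return 0;
}
```

The point the model makes is that a reference is only safe if its lifetime is bounded by the object it points into; binding across tables lets the referencing rule outlive the set. Until patched kernels are deployed, the practical exposure is whatever can reach CAP_NET_ADMIN in a namespace, so checking whether unprivileged user namespaces are enabled on a host is the first thing to look at.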

