CVE-2023-6040: Linux Kernel netfilter out-of-bounds access

[Cengiz Can <cengiz.can () canonical com>]

An out-of-bounds access vulnerability involving netfilter was reported
and fixed as:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2

While creating a new netfilter table, lack of a safeguard against
invalid nf_tables family (pf) values within `nf_tables_newtable`
function enables an attacker to achieve out-of-bounds access.

This out-of-bounds access can occur in two locations:

1) `xt_find_target` function in `x_tables.c` can dereference the `xt`
array without a boundary check. This allows an attacker to fake an
`xt_af` data and achieve further ends.

2) `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index on
`loggers` global which consists of `struct nf_logger` members. An
attacker can find a suitable global data to fake as `struct nf_logger`
and use the invalid `pf` to dereference adjacent global data.

Disabling unprivileged user namespaces mitigates the issue.

This issue was reported to Ubuntu Security directly by Lin Ma from Ant
Security Light-Year Lab and has been assigned CVE-2023-6040.

It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix
to be applied. Any upstream kernel newer than 5.18-rc1 should be safe.

Cengiz Can