oss-sec mailing list archives

Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function


From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 8 May 2024 15:22:57 +0200

Hi,

On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
Hello,

I found a locking issue in nf_tables set element GC implementation and
exploited it in kernelCTF. The bug breaks the sequence number assumption
in set asynchronous GC, which can be used to cause double free, and
leads to local privilege escalation.

Introduced in v6.5:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9

Fixed in v6.9-rc3:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54

It should be noted, though, that this has been backported to the stable series:

5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13

but equally the fix in

5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.

Regards.
Salvatore
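A defender-side version check built from the version lists in this thread (an added example, not code from the original mail or from the kernel project). It assumes that within a series the affected range runs from the backported introduction up to, but not including, the listed fix, that every series from the v6.5 cycle onward carries the bug until 6.9-rc3 or its stable fix, and that series with a backport but no listed fix remain affected.

```python
"""Affected-version check for CVE-2024-26925 using the versions quoted in the thread."""
import re

# Stable series that received the introducing commit as a backport (from the thread).
BACKPORT_INTRODUCED = {
    (5, 4): "5.4.262", (5, 10): "5.10.198", (5, 15): "5.15.134",
    (6, 1): "6.1.56", (6, 4): "6.4.13",
}
# Stable series with a fix listed in the thread.
STABLE_FIXED = {
    (5, 4): "5.4.274", (5, 10): "5.10.215", (5, 15): "5.15.155",
    (6, 1): "6.1.86", (6, 6): "6.6.26", (6, 8): "6.8.5",
}
MAINLINE_FIXED = "6.9-rc3"   # bug introduced in the v6.5 cycle, fixed here

# major.minor[.patch][-rcN][distro suffix]; the suffix is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?(?:[-+].*)?$")

def parse(version):
    """Return a comparable tuple; an -rc sorts before the release it precedes."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc else 10**9)

def is_affected(version):
    """True if `version` falls inside an affected range derived from the thread."""
    v = parse(version)
    series = v[:2]
    if series in BACKPORT_INTRODUCED:
        present = v >= parse(BACKPORT_INTRODUCED[series])
    else:
        present = series >= (6, 5)          # mainline carries the bug from v6.5 on
    if not present:
        return False
    if series in STABLE_FIXED:
        return v < parse(STABLE_FIXED[series])
    if series >= (6, 9):
        return v < parse(MAINLINE_FIXED)    # 6.9-rc3 and later contain the fix
    # Assumption: series with the bug but no fix listed (e.g. 6.4, 6.5, 6.7)
    # are treated as still affected.
    return True

if __name__ == "__main__":
    for ver in ("5.4.262", "6.1.86", "6.6.25", "6.9-rc2", "6.10"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

Distribution kernels often hide the upstream patch level in their version string (a Debian `6.1.0-21-amd64` does not say which 6.1.y it tracks), so for vendor kernels compare against the vendor's own advisory rather than this upstream-only check.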
