oss-sec mailing list archives
Re: Linux Kernel use-after-free write in netfilter
From: Solar Designer <solar () openwall com>
Date: Sat, 4 Jun 2022 22:03:32 +0200
On Fri, Jun 03, 2022 at 08:31:41AM +0200, Salvatore Bonaccorso wrote:
On Tue, May 31, 2022 at 10:00:32AM +0100, EDG EDG wrote:
A use-after-free write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root. In order to trigger the issue it requires the ability to create user/net namespaces. This issue has been fixed within the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/net/netfilter?id=520778042ccca019f3ffa136dd0ca565c486cedd The issue was previously confirmed on the latest linux master (commit 143a6252e1b8ab424b4b293512a97cca7295c182) and we have confirmed it can be exploited for privilege escalation on Ubuntu 22.04 (Linux kernel 5.15.0-27-generic).
FTR, this was assigned CVE-2022-1966 by Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=2092427 . There is though as well now https://www.cve.org/CVERecord?id=CVE-2022-32250 . I have asked MITRE to possibly reject the latter one.
Also, as Linus added to the private thread, the fix commit is now in: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=520778042ccc
Just a note to say for anybody tracking the progress of this that the fix is in my tree now as commit 520778042ccc ("netfilter: nf_tables: disallow non-stateful expression in sets earlier")
Linus
Alexander