|
Message-ID: <01094e83c9ef15489c2668dc64a3b23407410919.camel@canonical.com> Date: Fri, 12 Jan 2024 03:53:53 +0300 From: Cengiz Can <cengiz.can@...onical.com> To: oss-security@...ts.openwall.com Subject: CVE-2023-6040: Linux Kernel netfilter out-of-bounds access An out-of-bounds access vulnerability involving netfilter was reported and fixed as: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 While creating a new netfilter table, lack of a safeguard against invalid nf_tables family (pf) values within `nf_tables_newtable` function enables an attacker to achieve out-of-bounds access. This out-of-bounds access can occur in two locations: 1) `xt_find_target` function in `x_tables.c` can dereference the `xt` array without a boundary check. This allows an attacker to fake an `xt_af` data and achieve further ends. 2) `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index on `loggers` global which consists of `struct nf_logger` members. An attacker can find a suitable global data to fake as `struct nf_logger` and use the invalid `pf` to dereference adjacent global data. Disabling unprivileged user namespaces mitigates the issue. This issue was reported to Ubuntu Security directly by Lin Ma from Ant Security Light-Year Lab and has been assigned CVE-2023-6040. It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix to be applied. Any upstream kernel newer than 5.18-rc1 should be safe. Cengiz Can
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.