Message-ID: <01094e83c9ef15489c2668dc64a3b23407410919.camel@canonical.com>
Date: Fri, 12 Jan 2024 03:53:53 +0300
From: Cengiz Can <cengiz.can@...onical.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-6040: Linux Kernel netfilter out-of-bounds access

An out-of-bounds access vulnerability involving netfilter was reported
and fixed as:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2

While creating a new netfilter table, the lack of a safeguard against
invalid nf_tables family (pf) values in the `nf_tables_newtable`
function enables an attacker to achieve out-of-bounds access.

This out-of-bounds access can occur in two locations:

1) The `xt_find_target` function in `x_tables.c` can dereference the `xt`
array without a boundary check. This allows an attacker to fake
`xt_af` data and achieve further ends.

2) The `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index into
the `loggers` global, which consists of `struct nf_logger` members. An
attacker can find suitable global data to fake as `struct nf_logger`
and use the invalid `pf` to dereference adjacent global data.
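The defect class above, as an added illustration that is not kernel code and not the upstream patch: a per-family table indexed by an untrusted `pf` taken from a netlink message, with the early family check that `nf_tables_newtable` lacked. `NFPROTO_NUMPROTO`, `demo_loggers`, `demo_logger_find` and `demo_newtable` are constructed stand-ins; the real fix should be read from the commit linked above.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the uapi bound: one past the last valid family. */
enum { NFPROTO_NUMPROTO = 13 };

struct nf_logger {
    const char *name;
    int type;
};

/* Constructed table shaped like the kernel's per-family `loggers` array:
 * NFPROTO_NUMPROTO slots, most of them empty. Indexing it with a `pf`
 * of 13..255 reads whatever global data happens to follow it. */
static struct nf_logger demo_loggers[NFPROTO_NUMPROTO] = {
    [2]  = { "ipv4-demo", 0 },   /* NFPROTO_IPV4 */
    [10] = { "ipv6-demo", 0 },   /* NFPROTO_IPV6 */
};

/* The family arrives as an 8-bit field (nfgen_family), so 0..255 are all
 * reachable from user space; only values below NFPROTO_NUMPROTO are valid. */
static int family_is_valid(uint8_t pf)
{
    return pf < NFPROTO_NUMPROTO;
}

/* Hardened lookup: refuse out-of-range families before touching the table.
 * The unguarded form (demo_loggers[pf] with no check) is the OOB read the
 * advisory describes for nf_logger_find_get. */
const struct nf_logger *demo_logger_find(uint8_t pf)
{
    if (!family_is_valid(pf))
        return NULL;
    return demo_loggers[pf].name ? &demo_loggers[pf] : NULL;
}

/* Shape of the early rejection a table-creation path needs: reject the
 * family before any per-family array is indexed on its behalf. */
int demo_newtable(uint8_t family)
{
    if (!family_is_valid(family))
        return -EOPNOTSUPP;
    return 0;
}
```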

Disabling unprivileged user namespaces mitigates the issue.

This issue was reported to Ubuntu Security directly by Lin Ma from Ant
Security Light-Year Lab and has been assigned CVE-2023-6040.

It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix
to be applied. Any upstream kernel newer than 5.18-rc1 should be safe.

Cengiz Can
