Hi,
On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
> Hello,
>
> I found a locking issue in nf_tables set element GC implementation and
> exploited it in kernelCTF. The bug breaks the sequence number assumption
> in set asynchronous GC, which can be used to cause double free, and
> leads to local privilege escalation.
>
> Introduced in v6.5:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9
>
> Fixed in v6.9-rc3:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54
It should be noted, though, that this has been backported to the stable series:
5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13
but equally the fix is in
5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.
Regards.
Salvatore