Date: Wed, 8 May 2024 15:22:57 +0200
From: Salvatore Bonaccorso
To: oss-security@lists.openwall.com
Subject: Re: [oss-security] CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function

Hi,

On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
> Hello,
>
> I found a locking issue in nf_tables set element GC implementation and
> exploited it in kernelCTF. The bug breaks the sequence number assumption
> in set asynchronous GC, which can be used to cause double free, and
> leads to local privilege escalation.
>
> Introduced in v6.5:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9
>
> Fixed in v6.9-rc3:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54

Should be noted that this though has been backported to stable series:
5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13 but equally the fix in
5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.

Regards.
Salvatore
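A version check built only from the release numbers in the message above, added here as an example and not part of the original post. It assumes upstream stable version strings (distribution kernels carry their own backports, so their version numbers do not map onto these ranges); the function names and status labels are hypothetical.

```python
import re

# Per stable series: (first release with the buggy backport, first release
# with the fix), as listed in the message. 0 means the series descends from
# mainline v6.5 and has the bug from its first release; None means the
# message lists no fixed release for that series.
SERIES = {
    (5, 4): (262, 274),
    (5, 10): (198, 215),
    (5, 15): (134, 155),
    (6, 1): (56, 86),
    (6, 4): (13, None),
    (6, 6): (0, 26),
    (6, 8): (0, 5),
}

def parse_release(release):
    """Parse 'uname -r' style strings, e.g. '6.1.85-1-amd64' or '6.9.0-rc2'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    rc = int(m.group(4)) if m.group(4) else None
    return major, minor, patch, rc

def classify(release):
    """Return a status label for CVE-2024-26925 based on the listed releases."""
    major, minor, patch, rc = parse_release(release)
    series = (major, minor)
    if series == (6, 9) and rc is not None and rc < 3:
        return "affected"                 # mainline fix landed in v6.9-rc3
    if series >= (6, 9):
        return "fixed"
    if series in SERIES:
        introduced, fixed = SERIES[series]
        if patch < introduced:
            return "not-affected"         # predates the buggy backport
        if fixed is None:
            return "affected-no-fix-listed"
        return "fixed" if patch >= fixed else "affected"
    if series >= (6, 5):
        return "affected-no-fix-listed"   # 6.5 / 6.7: bug from mainline v6.5
    return "not-listed"                   # series not mentioned in the message
```

A result of `affected-no-fix-listed` or `not-listed` means the message gives no answer for that series, so the kernel source or changelog has to be checked directly.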