Hi, Pablo, I followed up this CVE for several days but I can't figure out which commit caused this CVE, It seems the
kernel is affected from 4.0 version according: https://www.suse.com/security/cve/CVE-2023-32233.html.
So is there any fix patches for the lower versions ?
在 2023/5/11 11:41 PM, Pablo Neira Ayuso 写道:
Hi Greg, Sasha,
This is a backport of c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase") which fixes CVE-2023-32233. This patch requires dependency fixes which are not currently in the 4.14 branch.
The following list shows the backported patches, I am using original commit IDs for reference:
cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase")
f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
7f4dae2d7f03 ("netfilter: nft_hash: fix nft_hash_deactivate")
6a0a8d10a366 ("netfilter: nf_tables: use-after-free in failing rule with bound set")
273fe3f1006e ("netfilter: nf_tables: bogus EBUSY when deleting set after flush")
c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase")
Please apply to 4.14-stable.
Thanks.
Florian Westphal (1): netfilter: nf_tables: split set destruction in deactivate and destroy phase
Pablo Neira Ayuso (5): netfilter: nf_tables: unbind set in rule from commit path netfilter: nft_hash: fix nft_hash_deactivate netfilter: nf_tables: use-after-free in failing rule with bound set netfilter: nf_tables: bogus EBUSY when deleting set after flush netfilter: nf_tables: deactivate anonymous set from preparation phase
include/net/netfilter/nf_tables.h | 30 ++++++- net/netfilter/nf_tables_api.c | 139 +++++++++++++++++++++--------- net/netfilter/nft_dynset.c | 22 ++++- net/netfilter/nft_immediate.c | 6 +- net/netfilter/nft_lookup.c | 21 ++++- net/netfilter/nft_objref.c | 21 ++++- net/netfilter/nft_set_hash.c | 2 +- 7 files changed, 194 insertions(+), 47 deletions(-)