Update on UAF in ip6_do_table on 4.19.X kernel
- Subject: Update on UAF in ip6_do_table on 4.19.X kernel
- From: stranche@xxxxxxxxxxxxxx
- Date: Mon, 20 Jan 2020 15:36:46 -0700
- Cc: subashab@xxxxxxxxxxxxxx
- User-agent: Roundcube Webmail/1.3.9
Hi all,

Following up on the thread we submitted earlier here:
https://lore.kernel.org/netfilter-devel/44a69247-87bd-905d-bd1c-e9dcb5027641@xxxxxxxxx/

In short, we've seen that on the 4.19.X kernels, there is a crash in the
Xtables framework where the jumpstack can potentially be used after it
is freed. We've narrowed down the cause of this crash to a single patch:
f31e5f1a891f ("netfilter: unlock xt_table earlier in __do_replace"); if
this patch is reverted, the crash is no longer seen.

It seems that the xt_table lock is needed for get_old_counters() to be
synchronized properly with the rest of the framework.

Thanks,
Sean