Hi, Pablo, I followed up this CVE for several days but I can't figure
out which commit caused this CVE, It seems the
kernel is affected from 4.0 version according:
https://www.suse.com/security/cve/CVE-2023-32233.html.
So is there any fix patches for the lower versions ?
在 2023/5/11 11:41 PM, Pablo Neira Ayuso 写道:
Hi Greg, Sasha,
This is a backport of c1592a89942e ("netfilter: nf_tables: deactivate anonymous
set from preparation phase") which fixes CVE-2023-32233. This patch requires
dependency fixes which are not currently in the 4.14 branch.
The following list shows the backported patches, I am using original commit IDs
for reference:
1) cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase")
2) f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
3) 7f4dae2d7f03 ("netfilter: nft_hash: fix nft_hash_deactivate")
4) 6a0a8d10a366 ("netfilter: nf_tables: use-after-free in failing rule with bound set")
5) 273fe3f1006e ("netfilter: nf_tables: bogus EBUSY when deleting set after flush")
6) c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase")
Please apply to 4.14-stable.
Thanks.
Florian Westphal (1):
netfilter: nf_tables: split set destruction in deactivate and destroy phase
Pablo Neira Ayuso (5):
netfilter: nf_tables: unbind set in rule from commit path
netfilter: nft_hash: fix nft_hash_deactivate
netfilter: nf_tables: use-after-free in failing rule with bound set
netfilter: nf_tables: bogus EBUSY when deleting set after flush
netfilter: nf_tables: deactivate anonymous set from preparation phase
include/net/netfilter/nf_tables.h | 30 ++++++-
net/netfilter/nf_tables_api.c | 139 +++++++++++++++++++++---------
net/netfilter/nft_dynset.c | 22 ++++-
net/netfilter/nft_immediate.c | 6 +-
net/netfilter/nft_lookup.c | 21 ++++-
net/netfilter/nft_objref.c | 21 ++++-
net/netfilter/nft_set_hash.c | 2 +-
7 files changed, 194 insertions(+), 47 deletions(-)
--
Best Regards,
Lu Wei
