CVE-2023-53635
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: fix wrong ct->timeout value
(struct nf_conn)->timeout is an interval before the conntrack confirmed. After confirmed, it becomes a timestamp.
It is observed that timeout of an unconfirmed conntrack:
- Set by calling ctnetlink_change_timeout(). As a result,
nfct_time_stampwas wrongly added toct->timeouttwice. - Get by calling ctnetlink_dump_timeout(). As a result,
nfct_time_stampwas wrongly subtracted.
Call Trace: <TASK> dump_stack_lvl ctnetlink_dump_timeout __ctnetlink_glue_build ctnetlink_glue_build __nfqnl_enqueue_packet nf_queue nf_hook_slow ip_mc_output ? __pfx_ip_finish_output ip_send_skb ? __pfx_dst_output udp_send_skb udp_sendmsg ? __pfx_ip_generic_getfrag sock_sendmsg
Separate the 2 cases in:
- Setting
ct->timeoutin __nf_ct_set_timeout(). - Getting
ct->timeoutin ctnetlink_dump_timeout().
Pablo appends:
Update ctnetlink to set up the timeout after the IPS_CONFIRMED flag is set on, otherwise conntrack creation via ctnetlink breaks.
Note that the problem described in this patch occurs since the introduction of the nfnetlink_queue conntrack support, select a sufficiently old Fixes: tag for -stable kernel to pick up this fix.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | a4b4766c3cebb4018167e06b863d8e95b7274757 < 80c5ba0078e20d926d11d0778f9a43902664ebf0 | affected |
| Linux | Linux | a4b4766c3cebb4018167e06b863d8e95b7274757 < ff5e4ac8dd7be7f1faba955c5779a68571eeb0f8 | affected |
| Linux | Linux | a4b4766c3cebb4018167e06b863d8e95b7274757 < f612ae1ab4793701caf39386fb3b7f4b3ef44e48 | affected |
| Linux | Linux | a4b4766c3cebb4018167e06b863d8e95b7274757 < 73db1b8f2bb6725b7391e85aab41fdf592b3c0c1 | affected |
| Linux | Linux | 4.4 | affected |
| Linux | Linux | 0 < 4.4 | unaffected |
| Linux | Linux | 6.1.28 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.15 <= 6.2.* | unaffected |
| Linux | Linux | 6.3.2 <= 6.3.* | unaffected |
| Linux | Linux | 6.4 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/80c5ba0078e20d926d11d0778f9a43902664ebf0
- https://git.kernel.org/stable/c/ff5e4ac8dd7be7f1faba955c5779a68571eeb0f8
- https://git.kernel.org/stable/c/f612ae1ab4793701caf39386fb3b7f4b3ef44e48
- https://git.kernel.org/stable/c/73db1b8f2bb6725b7391e85aab41fdf592b3c0c1
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.