CVE-2023-54243
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
netfilter: ebtables: fix table blob use-after-free
We are not allowed to return an error at this point. Looking at the code it looks like ret is always 0 at this point, but its not.
t = find_table_lock(net, repl->name, &ret, &ebt_mutex);
… this can return a valid table, with ret != 0.
This bug causes update of table->private with the new blob, but then frees the blob right away in the caller.
Syzbot report:
BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74 Workqueue: netns cleanup_net Call Trace: kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613 …
ip(6)tables appears to be ok (ret should be 0 at this point) but make this more obvious.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | c58dd2dd443c26d856a168db108a0cd11c285bf3 < 9060abce3305ab2354c892c09d5689df51486df5 | affected |
| Linux | Linux | c58dd2dd443c26d856a168db108a0cd11c285bf3 < dbb3cbbf03b3c52cb390fabec357f1e4638004f5 | affected |
| Linux | Linux | c58dd2dd443c26d856a168db108a0cd11c285bf3 < 3dd6ac973351308d4117eda32298a9f1d68764fd | affected |
| Linux | Linux | c58dd2dd443c26d856a168db108a0cd11c285bf3 < cda0e0243bd3c04008fcd37a46b0269fb3c49249 | affected |
| Linux | Linux | c58dd2dd443c26d856a168db108a0cd11c285bf3 < e58a171d35e32e6e8c37cfe0e8a94406732a331f | affected |
| Linux | Linux | a3bc0f8ea439762aa62d40a295157410498cbea7 | affected |
| Linux | Linux | 8ed40c122919cd79bc3c059e5864e5e7d9d455f0 | affected |
| Linux | Linux | c5e4ef499cfc78de45a4f01b8c557b5964d77c53 | affected |
| Linux | Linux | f34728610b2a8c7b9864f9404f2884c17f6fca5c | affected |
| Linux | Linux | 8b5740915a9faa8b1fa9166193a33e2a9ae30ec6 | affected |
| Linux | Linux | 3.2.60 < 3.3 | affected |
| Linux | Linux | 3.4.91 < 3.5 | affected |
| Linux | Linux | 3.10.41 < 3.11 | affected |
| Linux | Linux | 3.12.21 < 3.13 | affected |
| Linux | Linux | 3.14.5 < 3.15 | affected |
| Linux | Linux | 3.15 | affected |
| Linux | Linux | 0 < 3.15 | unaffected |
| Linux | Linux | 5.10.173 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.100 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.18 <= 6.1.* | unaffected |
| Linux | Linux | 6.2.5 <= 6.2.* | unaffected |
| Linux | Linux | 6.3 <= * | unaffected |
Weaknesses
References
- https://git.kernel.org/stable/c/9060abce3305ab2354c892c09d5689df51486df5
- https://git.kernel.org/stable/c/dbb3cbbf03b3c52cb390fabec357f1e4638004f5
- https://git.kernel.org/stable/c/3dd6ac973351308d4117eda32298a9f1d68764fd
- https://git.kernel.org/stable/c/cda0e0243bd3c04008fcd37a46b0269fb3c49249
- https://git.kernel.org/stable/c/e58a171d35e32e6e8c37cfe0e8a94406732a331f
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.