cve/published/2024/CVE-2024-27011.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27011: netfilter: nf_tables: fix memleak in map from abort path

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: fix memleak in map from abort path

 The delete set command does not rely on the transaction object for
 element removal, therefore, a combination of delete element + delete set
 from the abort path could result in restoring twice the refcount of the
 mapping.

 Check for inactive element in the next generation for the delete element
 command in the abort path, skip restoring state if next generation bit
 has been already cleared. This is similar to the activate logic using
 the set walk iterator.

 [ 6170.286929] ------------[ cut here ]------------
 [ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
 [ 6170.287071] Modules linked in: [...]
 [ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365
 [ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
 [ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f
 [ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202
 [ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000
 [ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750
 [ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55
 [ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10
 [ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100
 [ 6170.287940] FS:  0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000
 [ 6170.287948] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 [ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0
 [ 6170.287962] Call Trace:
 [ 6170.287967]  <TASK>
 [ 6170.287973]  ? __warn+0x9f/0x1a0
 [ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
 [ 6170.288092]  ? report_bug+0x1b1/0x1e0
 [ 6170.287986]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
 [ 6170.288092]  ? report_bug+0x1b1/0x1e0
 [ 6170.288104]  ? handle_bug+0x3c/0x70
 [ 6170.288112]  ? exc_invalid_op+0x17/0x40
 [ 6170.288120]  ? asm_exc_invalid_op+0x1a/0x20
 [ 6170.288132]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
 [ 6170.288243]  ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
 [ 6170.288366]  ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
 [ 6170.288483]  nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]

 The Linux kernel CVE team has assigned CVE-2024-27011 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.6.55 with commit a1bd2a38a1c6388fc8556816dc203c3e9dc52237
 	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.8.8 with commit 49d0e656d19dfb2d4d7c230e4a720d37b3decff6
 	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.9 with commit 86a1471d7cde792941109b93b558b5dc078b9ee9

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27011
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_tables_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/a1bd2a38a1c6388fc8556816dc203c3e9dc52237
 	https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6
 	https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27011: netfilter: nf_tables: fix memleak in map from abort path

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: fix memleak in map from abort path

	The delete set command does not rely on the transaction object for
	element removal, therefore, a combination of delete element + delete set
	from the abort path could result in restoring twice the refcount of the
	mapping.

	Check for inactive element in the next generation for the delete element
	command in the abort path, skip restoring state if next generation bit
	has been already cleared. This is similar to the activate logic using
	the set walk iterator.

	[ 6170.286929] ------------[ cut here ]------------
	[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
	[ 6170.287071] Modules linked in: [...]
	[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365
	[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
	[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f
	[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202
	[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000
	[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750
	[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55
	[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10
	[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100
	[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000
	[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
	[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0
	[ 6170.287962] Call Trace:
	[ 6170.287967] <TASK>
	[ 6170.287973] ? __warn+0x9f/0x1a0
	[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
	[ 6170.288092] ? report_bug+0x1b1/0x1e0
	[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
	[ 6170.288092] ? report_bug+0x1b1/0x1e0
	[ 6170.288104] ? handle_bug+0x3c/0x70
	[ 6170.288112] ? exc_invalid_op+0x17/0x40
	[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20
	[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
	[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
	[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
	[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]

	The Linux kernel CVE team has assigned CVE-2024-27011 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.6.55 with commit a1bd2a38a1c6388fc8556816dc203c3e9dc52237
	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.8.8 with commit 49d0e656d19dfb2d4d7c230e4a720d37b3decff6
	Issue introduced in 4.12 with commit 591054469b3eef34bc097c30fae8ededddf8d796 and fixed in 6.9 with commit 86a1471d7cde792941109b93b558b5dc078b9ee9

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27011
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_tables_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/a1bd2a38a1c6388fc8556816dc203c3e9dc52237
	https://git.kernel.org/stable/c/49d0e656d19dfb2d4d7c230e4a720d37b3decff6
	https://git.kernel.org/stable/c/86a1471d7cde792941109b93b558b5dc078b9ee9