cve/published/2024/CVE-2024-27017.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-27017: netfilter: nft_set_pipapo: walk over current view on netlink dump

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nft_set_pipapo: walk over current view on netlink dump

 The generation mask can be updated while netlink dump is in progress.
 The pipapo set backend walk iterator cannot rely on it to infer what
 view of the datastructure is to be used. Add notation to specify if user
 wants to read/update the set.

 Based on patch from Florian Westphal.

 The Linux kernel CVE team has assigned CVE-2024-27017 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.10.186 with commit 2a90da8e0dd50f42e577988f4219f4f4cd3616b7 and fixed in 5.10.227 with commit ff89db14c63a827066446460e39226c0688ef786
 	Issue introduced in 5.15.119 with commit 45eb6944d0f55102229115de040ef3a48841434a and fixed in 5.15.168 with commit ce9fef54c5ec9912a0c9a47bac3195cc41b14679
 	Issue introduced in 6.1.36 with commit 0d836f917520300a8725a5dbdad4406438d0cead and fixed in 6.1.112 with commit 52735a010f37580b3a569a996f878fdd87425650
 	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.6.53 with commit f24d8abc2bb8cbf31ec713336e402eafa8f42f60
 	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.8.8 with commit 721715655c72640567e8742567520c99801148ed
 	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.9 with commit 29b359cf6d95fd60730533f7f10464e95bd17c73
 	Issue introduced in 6.3.10 with commit f661383b5f1aaac3fe121b91e04332944bc90193

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-27017
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/netfilter/nf_tables.h
 	net/netfilter/nf_tables_api.c
 	net/netfilter/nft_set_pipapo.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/ff89db14c63a827066446460e39226c0688ef786
 	https://git.kernel.org/stable/c/ce9fef54c5ec9912a0c9a47bac3195cc41b14679
 	https://git.kernel.org/stable/c/52735a010f37580b3a569a996f878fdd87425650
 	https://git.kernel.org/stable/c/f24d8abc2bb8cbf31ec713336e402eafa8f42f60
 	https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed
 	https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-27017: netfilter: nft_set_pipapo: walk over current view on netlink dump

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nft_set_pipapo: walk over current view on netlink dump

	The generation mask can be updated while netlink dump is in progress.
	The pipapo set backend walk iterator cannot rely on it to infer what
	view of the datastructure is to be used. Add notation to specify if user
	wants to read/update the set.

	Based on patch from Florian Westphal.

	The Linux kernel CVE team has assigned CVE-2024-27017 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.10.186 with commit 2a90da8e0dd50f42e577988f4219f4f4cd3616b7 and fixed in 5.10.227 with commit ff89db14c63a827066446460e39226c0688ef786
	Issue introduced in 5.15.119 with commit 45eb6944d0f55102229115de040ef3a48841434a and fixed in 5.15.168 with commit ce9fef54c5ec9912a0c9a47bac3195cc41b14679
	Issue introduced in 6.1.36 with commit 0d836f917520300a8725a5dbdad4406438d0cead and fixed in 6.1.112 with commit 52735a010f37580b3a569a996f878fdd87425650
	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.6.53 with commit f24d8abc2bb8cbf31ec713336e402eafa8f42f60
	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.8.8 with commit 721715655c72640567e8742567520c99801148ed
	Issue introduced in 6.4 with commit 2b84e215f87443c74ac0aa7f76bb172d43a87033 and fixed in 6.9 with commit 29b359cf6d95fd60730533f7f10464e95bd17c73
	Issue introduced in 6.3.10 with commit f661383b5f1aaac3fe121b91e04332944bc90193

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-27017
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/netfilter/nf_tables.h
	net/netfilter/nf_tables_api.c
	net/netfilter/nft_set_pipapo.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/ff89db14c63a827066446460e39226c0688ef786
	https://git.kernel.org/stable/c/ce9fef54c5ec9912a0c9a47bac3195cc41b14679
	https://git.kernel.org/stable/c/52735a010f37580b3a569a996f878fdd87425650
	https://git.kernel.org/stable/c/f24d8abc2bb8cbf31ec713336e402eafa8f42f60
	https://git.kernel.org/stable/c/721715655c72640567e8742567520c99801148ed
	https://git.kernel.org/stable/c/29b359cf6d95fd60730533f7f10464e95bd17c73