cve/rejected/2021/CVE-2021-46975.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-c298863b1525 Mon Sep 17 00:00:00 2001
 From: gregkh@kernel.org
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-46975: netfilter: conntrack: Make global sysctls readonly in non-init netns

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: conntrack: Make global sysctls readonly in non-init netns

 These sysctls point to global variables:
 - NF_SYSCTL_CT_MAX (&nf_conntrack_max)
 - NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
 - NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

 Because their data pointers are not updated to point to per-netns
 structures, they must be marked read-only in a non-init_net ns.
 Otherwise, changes in any net namespace are reflected in (leaked into)
 all other net namespaces. This problem has existed since the
 introduction of net namespaces.

 The current logic marks them read-only only if the net namespace is
 owned by an unprivileged user (other than init_user_ns).

 Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
 unprivileged namespaces") "exposes all sysctls even if the namespace is
 unpriviliged." Since we need to mark them readonly in any case, we can
 forego the unprivileged user check altogether.

 The Linux kernel CVE team has assigned CVE-2021-46975 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.9.269 with commit da50f56e826e
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.14.233 with commit 68122479c128
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.19.191 with commit 9b288479f7a9
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.4.120 with commit baea536cf51f
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.10.35 with commit d3598eb3915c
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.11.19 with commit fbf85a34ce17
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.12.2 with commit 671c54ea8c7f
 	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.13 with commit 2671fa4dc010

 Please see https://www.kernel.org or a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-46975
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_conntrack_standalone.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/da50f56e826e1db141693297afb99370ebc160dd
 	https://git.kernel.org/stable/c/68122479c128a929f8f7bdd951cfdc8dd0e75b8f
 	https://git.kernel.org/stable/c/9b288479f7a901a14ce703938596438559d7df55
 	https://git.kernel.org/stable/c/baea536cf51f8180ab993e374cb134b5edad25e2
 	https://git.kernel.org/stable/c/d3598eb3915cc0c0d8cab42f4a6258ff44c4033e
 	https://git.kernel.org/stable/c/fbf85a34ce17c4cf0a37ee253f4c582bbfb8231b
 	https://git.kernel.org/stable/c/671c54ea8c7ff47bd88444f3fffb65bf9799ce43
 	https://git.kernel.org/stable/c/2671fa4dc0109d3fb581bc3078fdf17b5d9080f6
	From bippy-c298863b1525 Mon Sep 17 00:00:00 2001
	From: gregkh@kernel.org
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-46975: netfilter: conntrack: Make global sysctls readonly in non-init netns

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: conntrack: Make global sysctls readonly in non-init netns

	These sysctls point to global variables:
	- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
	- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
	- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

	Because their data pointers are not updated to point to per-netns
	structures, they must be marked read-only in a non-init_net ns.
	Otherwise, changes in any net namespace are reflected in (leaked into)
	all other net namespaces. This problem has existed since the
	introduction of net namespaces.

	The current logic marks them read-only only if the net namespace is
	owned by an unprivileged user (other than init_user_ns).

	Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
	unprivileged namespaces") "exposes all sysctls even if the namespace is
	unpriviliged." Since we need to mark them readonly in any case, we can
	forego the unprivileged user check altogether.

	The Linux kernel CVE team has assigned CVE-2021-46975 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.9.269 with commit da50f56e826e
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.14.233 with commit 68122479c128
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.19.191 with commit 9b288479f7a9
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.4.120 with commit baea536cf51f
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.10.35 with commit d3598eb3915c
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.11.19 with commit fbf85a34ce17
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.12.2 with commit 671c54ea8c7f
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.13 with commit 2671fa4dc010

	Please see https://www.kernel.org or a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46975
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_conntrack_standalone.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/da50f56e826e1db141693297afb99370ebc160dd
	https://git.kernel.org/stable/c/68122479c128a929f8f7bdd951cfdc8dd0e75b8f
	https://git.kernel.org/stable/c/9b288479f7a901a14ce703938596438559d7df55
	https://git.kernel.org/stable/c/baea536cf51f8180ab993e374cb134b5edad25e2
	https://git.kernel.org/stable/c/d3598eb3915cc0c0d8cab42f4a6258ff44c4033e
	https://git.kernel.org/stable/c/fbf85a34ce17c4cf0a37ee253f4c582bbfb8231b
	https://git.kernel.org/stable/c/671c54ea8c7ff47bd88444f3fffb65bf9799ce43
	https://git.kernel.org/stable/c/2671fa4dc0109d3fb581bc3078fdf17b5d9080f6