cve/published/2023/CVE-2023-52581.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52581: netfilter: nf_tables: fix memleak when more than 255 elements expired

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: fix memleak when more than 255 elements expired

 When more than 255 elements expired we're supposed to switch to a new gc
 container structure.

 This never happens: u8 type will wrap before reaching the boundary
 and nft_trans_gc_space() always returns true.

 This means we recycle the initial gc container structure and
 lose track of the elements that came before.

 While at it, don't deref 'gc' after we've passed it to call_rcu.

 The Linux kernel CVE team has assigned CVE-2023-52581 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.5 with commit 5f68718b34a531a556f2f50300ead2862278da26 and fixed in 6.5.6 with commit 4aea243b6853d06c1d160a9955b759189aa02b14
 	Issue introduced in 6.5 with commit 5f68718b34a531a556f2f50300ead2862278da26 and fixed in 6.6 with commit cf5000a7787cbc10341091d37245a42c119d26c5
 	Issue introduced in 6.4.11 with commit 0624f190b5742a1527cd938295caa8dc5281d4cd

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52581
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/netfilter/nf_tables.h
 	net/netfilter/nf_tables_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/7cf055b43756b10aa2b851c927c940f5ed652125
 	https://git.kernel.org/stable/c/a995a68e8a3b48533e47c856865d109a1f1a9d01
 	https://git.kernel.org/stable/c/09c85f2d21ab6b5acba31a037985b13e8e6565b8
 	https://git.kernel.org/stable/c/ef99506eaf1dc31feff1adfcfd68bc5535a22171
 	https://git.kernel.org/stable/c/7e5d732e6902eb6a37b35480796838a145ae5f07
 	https://git.kernel.org/stable/c/4aea243b6853d06c1d160a9955b759189aa02b14
 	https://git.kernel.org/stable/c/cf5000a7787cbc10341091d37245a42c119d26c5
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52581: netfilter: nf_tables: fix memleak when more than 255 elements expired

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: fix memleak when more than 255 elements expired

	When more than 255 elements expired we're supposed to switch to a new gc
	container structure.

	This never happens: u8 type will wrap before reaching the boundary
	and nft_trans_gc_space() always returns true.

	This means we recycle the initial gc container structure and
	lose track of the elements that came before.

	While at it, don't deref 'gc' after we've passed it to call_rcu.

	The Linux kernel CVE team has assigned CVE-2023-52581 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.5 with commit 5f68718b34a531a556f2f50300ead2862278da26 and fixed in 6.5.6 with commit 4aea243b6853d06c1d160a9955b759189aa02b14
	Issue introduced in 6.5 with commit 5f68718b34a531a556f2f50300ead2862278da26 and fixed in 6.6 with commit cf5000a7787cbc10341091d37245a42c119d26c5
	Issue introduced in 6.4.11 with commit 0624f190b5742a1527cd938295caa8dc5281d4cd

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52581
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/netfilter/nf_tables.h
	net/netfilter/nf_tables_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/7cf055b43756b10aa2b851c927c940f5ed652125
	https://git.kernel.org/stable/c/a995a68e8a3b48533e47c856865d109a1f1a9d01
	https://git.kernel.org/stable/c/09c85f2d21ab6b5acba31a037985b13e8e6565b8
	https://git.kernel.org/stable/c/ef99506eaf1dc31feff1adfcfd68bc5535a22171
	https://git.kernel.org/stable/c/7e5d732e6902eb6a37b35480796838a145ae5f07
	https://git.kernel.org/stable/c/4aea243b6853d06c1d160a9955b759189aa02b14
	https://git.kernel.org/stable/c/cf5000a7787cbc10341091d37245a42c119d26c5