cve/published/2023/CVE-2023-52923.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2023-52923: netfilter: nf_tables: adapt set backend to use GC transaction API

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: adapt set backend to use GC transaction API

 Use the GC transaction API to replace the old and buggy gc API and the
 busy mark approach.

 No set elements are removed from async garbage collection anymore,
 instead the _DEAD bit is set on so the set element is not visible from
 lookup path anymore. Async GC enqueues transaction work that might be
 aborted and retried later.

 rbtree and pipapo set backends does not set on the _DEAD bit from the
 sync GC path since this runs in control plane path where mutex is held.
 In this case, set elements are deactivated, removed and then released
 via RCU callback, sync GC never fails.

 The Linux kernel CVE team has assigned CVE-2023-52923 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 4.19.316 with commit cb4d00b563675ba8ff6ef94b077f58d816f68ba3
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.4.262 with commit c357648929c8dff891502349769aafb8f0452bc2
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.10.198 with commit 146c76866795553dbc19998f36718d7986ad302b
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.15.134 with commit 479a2cf5259347d6a1f658b0f791d27a34908e91
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.1.56 with commit df650d6a4bf47248261b61ef6b174d7c54034d15
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.4.11 with commit e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681
 	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.5 with commit f6c383b8c31a93752a52697f8430a71dcbc46adf

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2023-52923
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_tables_api.c
 	net/netfilter/nft_set_hash.c
 	net/netfilter/nft_set_pipapo.c
 	net/netfilter/nft_set_rbtree.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/cb4d00b563675ba8ff6ef94b077f58d816f68ba3
 	https://git.kernel.org/stable/c/c357648929c8dff891502349769aafb8f0452bc2
 	https://git.kernel.org/stable/c/146c76866795553dbc19998f36718d7986ad302b
 	https://git.kernel.org/stable/c/479a2cf5259347d6a1f658b0f791d27a34908e91
 	https://git.kernel.org/stable/c/df650d6a4bf47248261b61ef6b174d7c54034d15
 	https://git.kernel.org/stable/c/e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681
 	https://git.kernel.org/stable/c/f6c383b8c31a93752a52697f8430a71dcbc46adf
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2023-52923: netfilter: nf_tables: adapt set backend to use GC transaction API

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: adapt set backend to use GC transaction API

	Use the GC transaction API to replace the old and buggy gc API and the
	busy mark approach.

	No set elements are removed from async garbage collection anymore,
	instead the _DEAD bit is set on so the set element is not visible from
	lookup path anymore. Async GC enqueues transaction work that might be
	aborted and retried later.

	rbtree and pipapo set backends does not set on the _DEAD bit from the
	sync GC path since this runs in control plane path where mutex is held.
	In this case, set elements are deactivated, removed and then released
	via RCU callback, sync GC never fails.

	The Linux kernel CVE team has assigned CVE-2023-52923 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 4.19.316 with commit cb4d00b563675ba8ff6ef94b077f58d816f68ba3
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.4.262 with commit c357648929c8dff891502349769aafb8f0452bc2
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.10.198 with commit 146c76866795553dbc19998f36718d7986ad302b
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 5.15.134 with commit 479a2cf5259347d6a1f658b0f791d27a34908e91
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.1.56 with commit df650d6a4bf47248261b61ef6b174d7c54034d15
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.4.11 with commit e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681
	Issue introduced in 4.1 with commit 9d0982927e79049675cb6c6c04a0ebb3dad5a434 and fixed in 6.5 with commit f6c383b8c31a93752a52697f8430a71dcbc46adf

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2023-52923
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_tables_api.c
	net/netfilter/nft_set_hash.c
	net/netfilter/nft_set_pipapo.c
	net/netfilter/nft_set_rbtree.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/cb4d00b563675ba8ff6ef94b077f58d816f68ba3
	https://git.kernel.org/stable/c/c357648929c8dff891502349769aafb8f0452bc2
	https://git.kernel.org/stable/c/146c76866795553dbc19998f36718d7986ad302b
	https://git.kernel.org/stable/c/479a2cf5259347d6a1f658b0f791d27a34908e91
	https://git.kernel.org/stable/c/df650d6a4bf47248261b61ef6b174d7c54034d15
	https://git.kernel.org/stable/c/e4d71d6a9c7db93f7bf20c3a0f0659d63d7de681
	https://git.kernel.org/stable/c/f6c383b8c31a93752a52697f8430a71dcbc46adf