cve/published/2024/CVE-2024-42070.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-42070: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

 register store validation for NFT_DATA_VALUE is conditional, however,
 the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
 only requires a new helper function to infer the register type from the
 set datatype so this conditional check can be removed. Otherwise,
 pointer to chain object can be leaked through the registers.

 The Linux kernel CVE team has assigned CVE-2024-42070 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 4.19.317 with commit 40188a25a9847dbeb7ec67517174a835a677752f
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.4.279 with commit 23752737c6a618e994f9a310ec2568881a6b49c4
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.10.221 with commit 5d43d789b57943720dca4181a05f6477362b94cf
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.15.162 with commit 461302e07f49687ffe7d105fa0a330c07c7646d8
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.1.97 with commit efb27ad05949403848f487823b597ed67060e007
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.6.37 with commit 952bf8df222599baadbd4f838a49c4fef81d2564
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.9.8 with commit 41a6375d48deaf7f730304b5153848bfa1c2980f
 	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.10 with commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-42070
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	include/net/netfilter/nf_tables.h
 	net/netfilter/nf_tables_api.c
 	net/netfilter/nft_lookup.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f
 	https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4
 	https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf
 	https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8
 	https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007
 	https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564
 	https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f
 	https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-42070: netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

	register store validation for NFT_DATA_VALUE is conditional, however,
	the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
	only requires a new helper function to infer the register type from the
	set datatype so this conditional check can be removed. Otherwise,
	pointer to chain object can be leaked through the registers.

	The Linux kernel CVE team has assigned CVE-2024-42070 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 4.19.317 with commit 40188a25a9847dbeb7ec67517174a835a677752f
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.4.279 with commit 23752737c6a618e994f9a310ec2568881a6b49c4
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.10.221 with commit 5d43d789b57943720dca4181a05f6477362b94cf
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 5.15.162 with commit 461302e07f49687ffe7d105fa0a330c07c7646d8
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.1.97 with commit efb27ad05949403848f487823b597ed67060e007
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.6.37 with commit 952bf8df222599baadbd4f838a49c4fef81d2564
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.9.8 with commit 41a6375d48deaf7f730304b5153848bfa1c2980f
	Issue introduced in 3.13 with commit 96518518cc417bb0a8c80b9fb736202e28acdf96 and fixed in 6.10 with commit 7931d32955e09d0a11b1fe0b6aac1bfa061c005c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-42070
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	include/net/netfilter/nf_tables.h
	net/netfilter/nf_tables_api.c
	net/netfilter/nft_lookup.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/40188a25a9847dbeb7ec67517174a835a677752f
	https://git.kernel.org/stable/c/23752737c6a618e994f9a310ec2568881a6b49c4
	https://git.kernel.org/stable/c/5d43d789b57943720dca4181a05f6477362b94cf
	https://git.kernel.org/stable/c/461302e07f49687ffe7d105fa0a330c07c7646d8
	https://git.kernel.org/stable/c/efb27ad05949403848f487823b597ed67060e007
	https://git.kernel.org/stable/c/952bf8df222599baadbd4f838a49c4fef81d2564
	https://git.kernel.org/stable/c/41a6375d48deaf7f730304b5153848bfa1c2980f
	https://git.kernel.org/stable/c/7931d32955e09d0a11b1fe0b6aac1bfa061c005c