Bug 2065323 (CVE-2022-1015)

Summary: CVE-2022-1015 kernel: arbitrary code execution in linux/net/netfilter/nf_tables_api.c
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, asavkov, bhu, bskeggs, chwhite, crwood, dbohanno, dhoward, dvlasenk, egarver, fhrbata, fwestpha, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jthierry, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, kyoshida, lgoncalv, linville, lob+redhat, lzampier, masami256, mchehab, michal.skrivanek, mleitner, mperina, mrehak, mvanderw, nmurray, nobody, ptalbert, qzhao, rhandlin, rvrbovsk, scweaver, security-response-team, steved, vkumar, walters, williams, ycote, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Kernel 5.16.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-04 02:33:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2065350, 2065351, 2065352, 2065353, 2065354, 2065355, 2065356, 2065357, 2065366, 2065367, 2065368, 2065369, 2065370, 2065371, 2065372, 2065373, 2065408, 2065409, 2065410, 2065411, 2065415, 2065416, 2065417, 2065418, 2065419, 2065420, 2065421, 2065423, 2065424, 2065425, 2065426, 2069489, 2070051, 2089911, 2089912
Bug Blocks: 2065293, 2066791
Attachments:
Test program to show if oob-write via payload expression works or not. (Flags: none)

Description Rohit Keshri 2022-03-17 16:48:27 UTC
A vulnerability was found in nft_validate_register_store and nft_validate_register_load in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem in the Linux kernel.

In order for an unprivileged attacker to exploit this issue, unprivileged user and network namespace access is required (CLONE_NEWUSER | CLONE_NEWNET).

The vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data. This can lead to arbitrary code execution by an attacker.

Comment 12 Marian Rehak 2022-03-22 07:55:01 UTC
*** Bug 2065321 has been marked as a duplicate of this bug. ***

Comment 20 Rohit Keshri 2022-03-29 03:20:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2069489]

Comment 21 Florian Westphal 2022-03-29 10:21:49 UTC
As far as I can see this issue only affects RHEL9 (9.0, 9.1). In RHEL8 and RHEL7, the erroneously translated value is truncated to an 8-bit value before it is passed to the incorrect validation check.
Because of the truncation, no overflow can happen.

Upstream patch is:
commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851
netfilter: nf_tables: validate registers coming from userspace.

The commit that made the bug usable is
commit 345023b0db315648ccc3c1a36aee88304a8b4d91
netfilter: nftables: add nft_parse_register_store() and use it

... because it removed the 8-bit truncation.
This commit was added from 5.12 onwards and was not backported to any RHEL version.
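
The register-number handling that the description and comment 21 above refer to, as an added illustration (a constructed model written for this page; it is not the kernel's code and not part of any comment here): it contrasts the older path, where the translated register number was stored in an 8-bit field before the bounds check, with a parser that rejects out-of-range register numbers before doing any arithmetic on them. The constant names follow the nf_tables userspace ABI (a 16-byte verdict slot followed by sixteen 32-bit registers); the 80-byte register-file size and the helper function names are this example's assumptions.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified model of the nf_tables register file (assumption:
 * 20 x 32-bit words, the first four holding the verdict). Constant names follow
 * the userspace ABI; the helper functions below are this example's own. */
#define NFT_REG32_SIZE     4   /* bytes per 32-bit register */
#define NFT_REG_SIZE       16  /* bytes per legacy 128-bit register */
#define NFT_REG_VERDICT    0
#define NFT_REG_1          1
#define NFT_REG_4          4
#define NFT_REG32_00       8
#define NFT_REG32_15       23
#define NFT_REGS_DATA_LEN  80  /* bytes of register storage (assumption) */

/* Translate a userspace register number into a 32-bit word index without
 * checking its range: the shape of the pre-fix conversion. */
static uint32_t translate_register(uint32_t reg)
{
    if (reg <= NFT_REG_4)
        return reg * NFT_REG_SIZE / NFT_REG32_SIZE;            /* 0..4  -> 0,4,...,16 */
    return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; /* 8..23 -> 4..19 */
}

/* Bounds check for loading `len` bytes starting at word index `idx`: the
 * verdict words are never loadable and the read must stay inside the file.
 * Returns 0 or a negative errno. */
static int validate_register_load(uint32_t idx, unsigned int len)
{
    if (idx < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
        return -EINVAL;
    if (len == 0)
        return -EINVAL;
    if ((uint64_t)idx * NFT_REG32_SIZE + len > NFT_REGS_DATA_LEN)
        return -ERANGE;
    return 0;
}

/* Older path from comment 21: the translated value landed in an 8-bit field
 * before validation, so the bounds check only ever saw 0..255 and could not
 * overflow, but garbage register numbers were silently aliased onto valid ones.
 * Returns the accepted word index or a negative errno. */
static int legacy_parse_register_load(uint32_t reg, unsigned int len)
{
    uint8_t idx = (uint8_t)translate_register(reg);
    int err = validate_register_load(idx, len);
    return err ? err : (int)idx;
}

/* Fixed path: refuse any register number outside the two valid ranges before
 * any arithmetic, then run the same bounds check on a known-good index. */
static int parse_register_load(uint32_t reg, unsigned int len)
{
    uint32_t idx;

    if (reg <= NFT_REG_4)
        idx = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
    else if (reg >= NFT_REG32_00 && reg <= NFT_REG32_15)
        idx = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
    else
        return -ERANGE;

    int err = validate_register_load(idx, len);
    return err ? err : (int)idx;
}

int main(void)
{
    /* Constructed sample register numbers: valid, gap between ranges,
     * high bits set, and a value that aliases onto a valid one after
     * 8-bit truncation. */
    const uint32_t samples[] = { NFT_REG32_15, 5, 0xFFFFFF00u, 279 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("reg %" PRIu32 ": legacy=%d fixed=%d\n", samples[i],
               legacy_parse_register_load(samples[i], 4),
               parse_register_load(samples[i], 4));
    return 0;
}
```

The point of the contrast is that the truncation in the older path was never a deliberate check: it kept the index small, so the bounds check could not be pushed past the register file, but it also accepted register number 279 as if it were register 23. Validating the raw userspace value against the two legal ranges, as the upstream fix does, gives a deterministic -ERANGE for everything else and makes the later bounds check independent of the width of the field the index is stored in.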

Comment 24 Justin M. Forbes 2022-03-31 21:29:39 UTC
This was fixed for Fedora with the 5.16.18 stable kernel updates.

Comment 38 Product Security DevOps Team 2022-12-04 02:33:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1015