A vulnerability was found in nft_validate_register_store and nft_validate_register_load in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem in the Linux kernel. In order for an unprivileged attacker to exploit this issue, unprivileged user and network namespace access is required (CLONE_NEWUSER | CLONE_NEWNET). The vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data. This can lead to arbitrary code execution by an attacker.
*** Bug 2065321 has been marked as a duplicate of this bug. ***
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2069489]
As far as I can see, this issue only affects RHEL9 (9.0, 9.1). In RHEL8 and RHEL7, the erroneously translated value is truncated to an 8-bit value before it is passed to the incorrect validation check. Because of the truncation, no overflow can happen. Upstream patch is: commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 netfilter: nf_tables: validate registers coming from userspace. The commit that made the bug usable is commit 345023b0db315648ccc3c1a36aee88304a8b4d91 netfilter: nftables: add nft_parse_register_store() and use it ... because it removed the 8-bit truncation. This commit was added from 5.12 onwards and was not backported to any RHEL version.
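The ordering difference described in the comment above, as an added user-space model (not the kernel's code and not part of this bug report): the register constants are taken from the UAPI header linux/netfilter/nf_tables.h (NFT_REG_SIZE = 16, NFT_REG32_SIZE = 4, NFT_REG32_00 = 8, 20 u32 registers in struct nft_regs), while the translation and bounds-check logic is a simplified reconstruction of nft_parse_register and nft_validate_register_load as changed by the fix commit named above. It shows three orderings of the same check: truncate the index to 8 bits and then validate (the pre-5.12 layout the comment attributes to RHEL7/8), validate the full 32-bit value and then truncate (5.12 up to 5.16.17), and range-check the attribute first (the upstream fix). The sample register number is constructed so that reg * 4 wraps in 32-bit unsigned arithmetic.

```c
/* Added example: user-space model of the nf_tables register validation
 * arithmetic behind CVE-2022-1015. This is NOT the kernel's code; the
 * constants come from the UAPI header and the logic is a simplified
 * reconstruction of the functions named in the fix commit.
 * Build: cc -std=c11 -Wall -o nft_reg nft_reg.c */
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

#define NFT_REG_VERDICT   0
#define NFT_REG_1         1
#define NFT_REG_4         4
#define NFT_REG32_00      8
#define NFT_REG32_15      23
#define NFT_REG_SIZE      16   /* bytes in a 128-bit register */
#define NFT_REG32_SIZE    4    /* bytes in a 32-bit register */
#define NFT_REGS_DATA_LEN 80   /* sizeof_field(struct nft_regs, data): 20 x u32 */

/* Translate the netlink register number into a 32-bit register index.
 * Before the fix, every value outside 0..4 took the second branch,
 * including values that do not name any register at all. */
static unsigned int parse_register_unchecked(uint32_t attr)
{
    if (attr <= NFT_REG_4)
        return attr * NFT_REG_SIZE / NFT_REG32_SIZE;
    return attr + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
}

/* Model of the upstream fix: reject numbers outside both valid ranges. */
static int parse_register_fixed(uint32_t attr, unsigned int *preg)
{
    if (attr <= NFT_REG_4)
        *preg = attr * NFT_REG_SIZE / NFT_REG32_SIZE;
    else if (attr >= NFT_REG32_00 && attr <= NFT_REG32_15)
        *preg = attr + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
    else
        return -ERANGE;
    return 0;
}

/* Bounds check shared by all three orderings. reg * 4 + len is 32-bit
 * unsigned arithmetic, so it wraps when reg is close to 2^30. */
static int validate_register_load(unsigned int reg, unsigned int len)
{
    if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
        return -EINVAL;
    if (len == 0)
        return -EINVAL;
    if (reg * NFT_REG32_SIZE + len > NFT_REGS_DATA_LEN)
        return -ERANGE;
    return 0;
}

/* Pre-5.12 ordering (RHEL7/8 model): the index lands in an 8-bit field
 * first, and the truncated value is what gets validated. */
static int load_register_truncate_first(uint32_t attr, unsigned int len, uint8_t *sreg)
{
    *sreg = (uint8_t)parse_register_unchecked(attr);
    return validate_register_load(*sreg, len);
}

/* 5.12 .. 5.16.17 ordering: validate the full 32-bit value, then store
 * only its low 8 bits as the runtime register index. */
static int load_register_validate_first(uint32_t attr, unsigned int len, uint8_t *sreg)
{
    unsigned int reg = parse_register_unchecked(attr);
    int err = validate_register_load(reg, len);
    if (err)
        return err;
    *sreg = (uint8_t)reg;
    return 0;
}

/* Fixed ordering: range-check the attribute before any arithmetic. */
static int load_register_fixed(uint32_t attr, unsigned int len, uint8_t *sreg)
{
    unsigned int reg;
    int err = parse_register_fixed(attr, &reg);
    if (err)
        return err;
    err = validate_register_load(reg, len);
    if (err)
        return err;
    *sreg = (uint8_t)reg;
    return 0;
}

int main(void)
{
    /* Constructed input: translates to 0x3fffffff, so reg * 4 wraps to
     * 0xfffffffc and adding an 8-byte length yields 4, which passes. */
    const uint32_t attr = 0x40000003u;
    const unsigned int len = 8;
    uint8_t sreg = 0;
    int err;

    err = load_register_truncate_first(attr, len, &sreg);
    printf("truncate-first : err=%d (index 0x%02x was checked)\n", err, sreg);
    err = load_register_validate_first(attr, len, &sreg);
    printf("validate-first : err=%d sreg=0x%02x (%u bytes past the 80-byte regs)\n",
           err, sreg, sreg * NFT_REG32_SIZE + len - NFT_REGS_DATA_LEN);
    err = load_register_fixed(attr, len, &sreg);
    printf("fixed          : err=%d\n", err);
    return 0;
}
```

With the truncate-first ordering the checked index is 0xff, so 255 * 4 + 8 exceeds the 80-byte register file and the request is rejected with -ERANGE; with validate-first the wrapped sum (4) passes and the stored 8-bit index 0xff points well past the register file, which is the out-of-bounds primitive the description refers to; the fixed parser rejects the attribute before the arithmetic runs.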
This was fixed for Fedora with the 5.16.18 stable kernel updates.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1015