Bug 2092427 (CVE-2022-32250)

Summary: CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, bskeggs, chwhite, crwood, dahernan, ddepaula, dhoward, dvlasenk, fhrbata, hdegoede, hkrzesin, hpa, jarod, jarodwilson, jburrell, jfaracco, jferlan, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jpoimboe, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, kpatch-maint, lgoncalv, linville, lzampier, martin.maurer, masami256, mchehab, mharri, michal.skrivanek, mperina, nmurray, oliver, psutter, ptalbert, qzhao, redhat, rhandlin, rkeshri, rvrbovsk, scweaver, shtiwari, steved, thomas, trathi, vkumar, walters, williams, ycote
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 5.19 rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to cause a privilege escalation issue.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-05 17:33:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2092531, 2092981, 2092982, 2092983, 2092984, 2092985, 2092986, 2092987, 2092988, 2092989, 2092990, 2092991, 2092992, 2092993, 2092994, 2092995, 2092996, 2092997, 2092998, 2092999, 2093000, 2093003, 2093004, 2093005, 2093006, 2093008, 2093009, 2093010, 2093170, 2093194, 2093195, 2093805
Bug Blocks: 2092402, 2092429, 2093147

Description Marian Rehak 2022-06-01 14:09:31 UTC
A use-after-free write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root. In order to trigger the issue it requires the ability to create user/net namespaces.

Reference:

https://www.openwall.com/lists/oss-security/2022/05/31/1

Comment 1 Rohit Keshri 2022-06-01 18:36:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2092531]

Comment 8 Phil Sutter 2022-06-02 18:27:13 UTC
Upstream commit to backport:

commit 520778042ccca019f3ffa136dd0ca565c486cedd
Author: Pablo Neira Ayuso <pablo>
Date:   Wed May 25 10:36:38 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier
    
    Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
    instantiation"), it is possible to attach stateful expressions to set
    elements.
    
    cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
    and destroy phase") introduces conditional destruction on the object to
    accommodate transaction semantics.
    
    nft_expr_init() calls expr->ops->init() first, then checks for
    NFT_STATEFUL_EXPR; this still allows initializing a non-stateful
    lookup expression which points to a set, which might lead to a UAF since
    the set is not properly detached from set->binding for this case.
    Anyway, this combination is non-sense from nf_tables perspective.
    
    This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
    expr->ops->init() is called.
    
    The reporter provides a KASAN splat and a poc reproducer (similar to
    those autogenerated by syzbot to report use-after-free errors). It is
    unknown to me if they are using syzbot or if they use a similar automated
    tool to locate the bug that they are reporting.
    
    For the record, this is the KASAN splat.
    
    [   85.431824] ==================================================================
    [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
    [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
    [   85.434756]
    [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
    [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
    
    Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
    Reported-and-tested-by: Aaron Adams <edg-e>
    Signed-off-by: Pablo Neira Ayuso <pablo>
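The ordering problem the commit message describes, as an added toy model that is not the kernel's code and not part of this bug report: an expression's init() takes a binding on a set, and if the "must be stateful" check runs only after init(), a rejected non-stateful expression leaves the set pointing at an expression the caller then tears down. All names here (set_model, expr_model, FLAG_STATEFUL, the two init orderings) are invented for the example; the point is the general rule that validation must precede side effects so that an error path has nothing to undo.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model (added example, not kernel code) of the init()/stateful-check
 * ordering described in upstream commit 520778042ccc. */

#define FLAG_STATEFUL 0x1u
#define MAX_BINDINGS 4

struct expr_model;

struct set_model {
    struct expr_model *bindings[MAX_BINDINGS]; /* expressions bound to this set */
    int nbindings;
};

struct expr_ops_model {
    unsigned flags;                                  /* FLAG_STATEFUL or 0 */
    int (*init)(struct expr_model *e, struct set_model *s);
};

struct expr_model {
    const struct expr_ops_model *ops;
    bool alive;                     /* false once the caller has torn it down */
};

/* lookup-style expression: init() binds the expression to the set (the side effect) */
static int lookup_init(struct expr_model *e, struct set_model *s)
{
    if (s->nbindings == MAX_BINDINGS)
        return -1;
    s->bindings[s->nbindings++] = e;
    return 0;
}

/* counter-style expression: stateful, touches no set */
static int counter_init(struct expr_model *e, struct set_model *s)
{
    (void)e; (void)s;
    return 0;
}

static const struct expr_ops_model lookup_ops  = { 0,             lookup_init  };
static const struct expr_ops_model counter_ops = { FLAG_STATEFUL, counter_init };

/* Pre-fix ordering: run init() first, check statefulness afterwards. */
int expr_init_check_after(struct expr_model *e, struct set_model *s)
{
    int err = e->ops->init(e, s);
    if (err)
        return err;
    if (!(e->ops->flags & FLAG_STATEFUL))
        return -1;   /* rejected, but the binding init() took is never undone */
    return 0;
}

/* Fixed ordering: reject non-stateful expressions before init() can bind anything. */
int expr_init_check_before(struct expr_model *e, struct set_model *s)
{
    if (!(e->ops->flags & FLAG_STATEFUL))
        return -1;
    return e->ops->init(e, s);
}

typedef int (*init_fn)(struct expr_model *, struct set_model *);

/* Attach a non-stateful lookup expression with the given ordering, tear the
 * expression down on rejection (as a caller would), and return how many of
 * the set's bindings now point at a torn-down expression. */
int dangling_after_reject(init_fn init)
{
    struct set_model s = { {0}, 0 };
    struct expr_model e = { &lookup_ops, true };
    int dangling = 0;

    if (init(&e, &s) != 0)
        e.alive = false;            /* caller discards the rejected expression */

    for (int i = 0; i < s.nbindings; i++)
        if (!s.bindings[i]->alive)
            dangling++;
    return dangling;
}

/* A stateful expression must still be accepted under either ordering. */
int stateful_accepted(init_fn init)
{
    struct set_model s = { {0}, 0 };
    struct expr_model e = { &counter_ops, true };
    return init(&e, &s) == 0;
}

int main(void)
{
    printf("check after init : %d dangling binding(s)\n",
           dangling_after_reject(expr_init_check_after));
    printf("check before init: %d dangling binding(s)\n",
           dangling_after_reject(expr_init_check_before));
    printf("stateful expression accepted under fix: %d\n",
           stateful_accepted(expr_init_check_before));
    return 0;
}
```

In the model the stale pointer is only counted, never dereferenced; in the real kernel the equivalent stale entry in set->binding is what the KASAN splat above reports as a write into freed memory.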

Comment 15 Rohit Keshri 2022-06-03 07:36:04 UTC
*** Bug 2093146 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2022-06-28 06:55:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5214 https://access.redhat.com/errata/RHSA-2022:5214

Comment 21 errata-xmlrpc 2022-06-28 07:29:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5216 https://access.redhat.com/errata/RHSA-2022:5216

Comment 22 errata-xmlrpc 2022-06-28 07:54:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224

Comment 23 errata-xmlrpc 2022-06-28 07:55:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220

Comment 24 errata-xmlrpc 2022-06-28 09:46:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5232 https://access.redhat.com/errata/RHSA-2022:5232

Comment 25 errata-xmlrpc 2022-06-28 09:47:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5236 https://access.redhat.com/errata/RHSA-2022:5236

Comment 26 errata-xmlrpc 2022-06-28 10:43:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267

Comment 27 errata-xmlrpc 2022-06-28 14:59:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249

Comment 28 errata-xmlrpc 2022-06-30 07:31:57 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:5439 https://access.redhat.com/errata/RHSA-2022:5439

Comment 29 errata-xmlrpc 2022-07-01 00:25:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5476 https://access.redhat.com/errata/RHSA-2022:5476

Comment 32 errata-xmlrpc 2022-07-19 15:28:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636

Comment 33 errata-xmlrpc 2022-07-19 17:35:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5641 https://access.redhat.com/errata/RHSA-2022:5641

Comment 34 errata-xmlrpc 2022-07-19 19:02:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5648 https://access.redhat.com/errata/RHSA-2022:5648

Comment 35 errata-xmlrpc 2022-07-19 21:06:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626

Comment 36 errata-xmlrpc 2022-07-19 21:07:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633

Comment 37 errata-xmlrpc 2022-08-02 07:13:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:5806 https://access.redhat.com/errata/RHSA-2022:5806

Comment 38 errata-xmlrpc 2022-08-02 08:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:5805 https://access.redhat.com/errata/RHSA-2022:5805

Comment 39 errata-xmlrpc 2022-08-02 08:15:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5834 https://access.redhat.com/errata/RHSA-2022:5834

Comment 40 errata-xmlrpc 2022-08-02 08:58:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:5802 https://access.redhat.com/errata/RHSA-2022:5802

Comment 41 errata-xmlrpc 2022-08-02 09:01:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:5804 https://access.redhat.com/errata/RHSA-2022:5804

Comment 42 errata-xmlrpc 2022-08-03 12:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5839 https://access.redhat.com/errata/RHSA-2022:5839

Comment 43 errata-xmlrpc 2022-08-03 13:02:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5819 https://access.redhat.com/errata/RHSA-2022:5819

Comment 45 errata-xmlrpc 2022-08-16 12:21:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:6075 https://access.redhat.com/errata/RHSA-2022:6075

Comment 46 errata-xmlrpc 2022-08-16 12:22:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:6073 https://access.redhat.com/errata/RHSA-2022:6073

Comment 47 errata-xmlrpc 2022-09-19 11:50:21 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551

Comment 51 Product Security DevOps Team 2022-12-05 17:33:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32250