Bug 2065323 (CVE-2022-1015) - CVE-2022-1015 kernel: arbitrary code execution in linux/net/netfilter/nf_tables_api.c
Summary: CVE-2022-1015 kernel: arbitrary code execution in linux/net/netfilter/nf_tabl...
Alias: CVE-2022-1015
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
: 2065321 (view as bug list)
Depends On: 2065350 2065351 2065352 2065353 2065354 2065355 2065356 2065357 2065366 2065367 2065368 2065369 2065370 2065371 2065372 2065373 2065408 2065409 2065410 2065411 2065415 2065416 2065417 2065418 2065419 2065420 2065421 2065423 2065424 2065425 2065426 2069489 2070051 2089911 2089912
Blocks: 2065293 2066791
TreeView+ depends on / blocked
Reported: 2022-03-17 16:48 UTC by Rohit Keshri
Modified: 2023-07-02 11:11 UTC (History)
64 users (show)

Fixed In Version: Kernel 5.16.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
Clone Of:
Last Closed: 2022-12-04 02:33:18 UTC

Attachments (Terms of Use)
Test program to show if oob-write via payload expression works or not. (3.63 KB, text/plain)
2022-03-29 13:36 UTC, Florian Westphal
no flags Details

Description Rohit Keshri 2022-03-17 16:48:27 UTC
A vulnerability was found in nft_validate_register_store and nft_validate_register_load in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem in the Linux kernel.

In order for an unprivileged attacker to exploit this issue, unprivileged user- and network namespaces access is required (CLONE_NEWUSER | CLONE_NEWNET). 

The vulnerability gives an attacker a powerful primitive that can be used to both read from and write to relative stack data. This can lead to arbitrary code execution by an attacker

Comment 12 Marian Rehak 2022-03-22 07:55:01 UTC
*** Bug 2065321 has been marked as a duplicate of this bug. ***

Comment 20 Rohit Keshri 2022-03-29 03:20:30 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2069489]

Comment 21 Florian Westphal 2022-03-29 10:21:49 UTC
As far as I can see this issue only affects RHEL9 (9.0, 9.1).  In RHEL8 and RHEL7, the erroneously translated value is truncated to 8 bit value before it is passed to the incorrect validation check.
Because of the truncation, no overflow can happen.

Upstream patch is:
commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851
netfilter: nf_tables: validate registers coming from userspace.
The commit that made the bug usable is
commit 345023b0db315648ccc3c1a36aee88304a8b4d91
netfilter: nftables: add nft_parse_register_store() and use it

... because it removed the 8bit truncation.
This commit was added from 5.12 onwards and was not backported to any RHEL version.

Comment 24 Justin M. Forbes 2022-03-31 21:29:39 UTC
This was fixed for Fedora with the 5.16.18 stable kernel updates.

Comment 38 Product Security DevOps Team 2022-12-04 02:33:13 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.