A use-after-free write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root. Triggering the issue requires the ability to create user/net namespaces. Reference: https://www.openwall.com/lists/oss-security/2022/05/31/1
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2092531]
Upstream commit to backport:

commit 520778042ccca019f3ffa136dd0ca565c486cedd
Author: Pablo Neira Ayuso <pablo>
Date:   Wed May 25 10:36:38 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier

    Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression instantiation"), it is possible to attach stateful expressions to set elements.

    cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase") introduces conditional destruction on the object to accommodate transaction semantics.

    nft_expr_init() calls expr->ops->init() first, then checks for NFT_STATEFUL_EXPR; this still allows initializing a non-stateful lookup expression which points to a set, which might lead to UAF since the set is not properly detached from the set->binding for this case. Anyway, this combination is nonsense from the nf_tables perspective.

    This patch fixes this problem by checking for NFT_STATEFUL_EXPR before expr->ops->init() is called.

    The reporter provides a KASAN splat and a poc reproducer (similar to those autogenerated by syzbot to report use-after-free errors). It is unknown to me if they are using syzbot or if they use a similar automated tool to locate the bug that they are reporting.

    For the record, this is the KASAN splat.

    [ 85.431824] ==================================================================
    [ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
    [ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
    [ 85.434756]
    [ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
    [ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

    Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
    Reported-and-tested-by: Aaron Adams <edg-e>
    Signed-off-by: Pablo Neira Ayuso <pablo>
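As an added illustration, not kernel code and not part of this bug report, the following C model shows the ordering defect the commit describes: the pre-fix path calls init() before the NFT_STATEFUL_EXPR check, so a rejected non-stateful lookup expression leaves its binding on the set, while the fixed path checks first and never binds. The flag value, the per-set bindings counter and the helper names are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>

/* Simplified model of the ordering bug. The flag name comes from the commit message;
 * its value and the per-set binding counter are assumptions of this model, not kernel code. */
#define NFT_STATEFUL_EXPR 0x1

struct nft_expr;
struct nft_set { int bindings; };   /* expressions currently referencing this set */
struct nft_expr_ops {
    unsigned int flags;
    int (*init)(struct nft_expr *e, struct nft_set *s);
};
struct nft_expr { const struct nft_expr_ops *ops; };
typedef int (*expr_init_fn)(struct nft_expr *, const struct nft_expr_ops *, struct nft_set *);

/* A lookup-style init binds the expression to the set; a counter-style init keeps
 * its own state and never touches the set. */
static int lookup_init(struct nft_expr *e, struct nft_set *s) { (void)e; s->bindings++; return 0; }
static int counter_init(struct nft_expr *e, struct nft_set *s) { (void)e; (void)s; return 0; }
static const struct nft_expr_ops lookup_ops  = { 0,                 lookup_init  };
static const struct nft_expr_ops counter_ops = { NFT_STATEFUL_EXPR, counter_init };

/* Pre-fix ordering: init() runs first, the stateful check afterwards. When the check
 * fails, the binding that init() created is never undone, so the set still records a
 * binding to an expression that is about to be freed: the root cause the commit describes. */
static int expr_init_before_fix(struct nft_expr *e, const struct nft_expr_ops *ops, struct nft_set *s)
{
    int err;
    e->ops = ops;
    err = ops->init(e, s);
    if (err)
        return err;
    if (!(ops->flags & NFT_STATEFUL_EXPR))
        return -EOPNOTSUPP;
    return 0;
}

/* Fixed ordering: reject a non-stateful expression before init() can bind anything. */
static int expr_init_fixed(struct nft_expr *e, const struct nft_expr_ops *ops, struct nft_set *s)
{
    if (!(ops->flags & NFT_STATEFUL_EXPR))
        return -EOPNOTSUPP;
    e->ops = ops;
    return ops->init(e, s);
}

/* Run one attach against a fresh set; report the return code, or how many bindings remain. */
int attach_status(expr_init_fn f, const struct nft_expr_ops *ops) { struct nft_set s = {0}; struct nft_expr x; return f(&x, ops, &s); }
int bindings_left(expr_init_fn f, const struct nft_expr_ops *ops) { struct nft_set s = {0}; struct nft_expr x; f(&x, ops, &s); return s.bindings; }
```

With the pre-fix ordering the rejected lookup expression leaves one binding behind; with the fixed ordering it leaves none, and a stateful counter expression is accepted either way.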
*** Bug 2093146 has been marked as a duplicate of this bug. ***
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5214 https://access.redhat.com/errata/RHSA-2022:5214
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5216 https://access.redhat.com/errata/RHSA-2022:5216
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5232 https://access.redhat.com/errata/RHSA-2022:5232
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5236 https://access.redhat.com/errata/RHSA-2022:5236
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2022:5439 https://access.redhat.com/errata/RHSA-2022:5439
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:5476 https://access.redhat.com/errata/RHSA-2022:5476
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5641 https://access.redhat.com/errata/RHSA-2022:5641
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:5648 https://access.redhat.com/errata/RHSA-2022:5648
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Advanced Update Support Via RHSA-2022:5806 https://access.redhat.com/errata/RHSA-2022:5806
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.4 Advanced Update Support Via RHSA-2022:5805 https://access.redhat.com/errata/RHSA-2022:5805
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5834 https://access.redhat.com/errata/RHSA-2022:5834
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Advanced Update Support Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Red Hat Enterprise Linux 7.6 Telco Extended Update Support Via RHSA-2022:5802 https://access.redhat.com/errata/RHSA-2022:5802
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions Via RHSA-2022:5804 https://access.redhat.com/errata/RHSA-2022:5804
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5839 https://access.redhat.com/errata/RHSA-2022:5839
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:5819 https://access.redhat.com/errata/RHSA-2022:5819
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Via RHSA-2022:6075 https://access.redhat.com/errata/RHSA-2022:6075
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.7 Advanced Update Support Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions Red Hat Enterprise Linux 7.7 Telco Extended Update Support Via RHSA-2022:6073 https://access.redhat.com/errata/RHSA-2022:6073
This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8 Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-32250