Bug 2092427 (CVE-2022-32250) - CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can lead to privilege escalation to root
Summary: CVE-2022-32250 kernel: a use-after-free write in the netfilter subsystem can ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32250
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2092531 2092981 2092982 2092983 2092984 2092985 2092986 2092987 2092988 2092989 2092990 2092991 2092992 2092993 2092994 2092995 2092996 2092997 2092998 2092999 2093000 2093003 2093004 2093005 2093006 2093008 2093009 2093010 2093170 2093194 2093195 2093805
Blocks: 2092402 2092429 2093147
Reported: 2022-06-01 14:09 UTC by Marian Rehak
Modified: 2022-12-05 17:33 UTC (History)

Fixed In Version: kernel 5.19 rc1
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found in the Linux kernel's Netfilter subsystem in net/netfilter/nf_tables_api.c. This flaw allows a local attacker with user access to escalate privileges.
Clone Of:
Environment:
Last Closed: 2022-12-05 17:33:27 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:5457 0 None None None 2022-06-30 17:42:37 UTC
Red Hat Product Errata RHBA-2022:5603 0 None None None 2022-07-19 13:33:49 UTC
Red Hat Product Errata RHBA-2022:5744 0 None None None 2022-07-27 17:37:10 UTC
Red Hat Product Errata RHBA-2022:5746 0 None None None 2022-07-28 05:30:17 UTC
Red Hat Product Errata RHBA-2022:5925 0 None None None 2022-08-08 16:24:40 UTC
Red Hat Product Errata RHBA-2022:6189 0 None None None 2022-08-25 13:24:52 UTC
Red Hat Product Errata RHBA-2022:6201 0 None None None 2022-08-29 12:21:50 UTC
Red Hat Product Errata RHSA-2022:5214 0 None None None 2022-06-28 06:55:32 UTC
Red Hat Product Errata RHSA-2022:5216 0 None None None 2022-06-28 07:30:04 UTC
Red Hat Product Errata RHSA-2022:5220 0 None None None 2022-06-28 07:55:37 UTC
Red Hat Product Errata RHSA-2022:5224 0 None None None 2022-06-28 07:54:20 UTC
Red Hat Product Errata RHSA-2022:5232 0 None None None 2022-06-28 09:46:41 UTC
Red Hat Product Errata RHSA-2022:5236 0 None None None 2022-06-28 09:47:26 UTC
Red Hat Product Errata RHSA-2022:5249 0 None None None 2022-06-28 14:59:37 UTC
Red Hat Product Errata RHSA-2022:5267 0 None None None 2022-06-28 10:43:27 UTC
Red Hat Product Errata RHSA-2022:5439 0 None None None 2022-06-30 07:32:03 UTC
Red Hat Product Errata RHSA-2022:5476 0 None None None 2022-07-01 00:25:45 UTC
Red Hat Product Errata RHSA-2022:5626 0 None None None 2022-07-19 21:06:19 UTC
Red Hat Product Errata RHSA-2022:5633 0 None None None 2022-07-19 21:08:01 UTC
Red Hat Product Errata RHSA-2022:5636 0 None None None 2022-07-19 15:28:55 UTC
Red Hat Product Errata RHSA-2022:5641 0 None None None 2022-07-19 17:35:04 UTC
Red Hat Product Errata RHSA-2022:5648 0 None None None 2022-07-19 19:02:12 UTC
Red Hat Product Errata RHSA-2022:5802 0 None None None 2022-08-02 08:58:24 UTC
Red Hat Product Errata RHSA-2022:5804 0 None None None 2022-08-02 09:01:31 UTC
Red Hat Product Errata RHSA-2022:5805 0 None None None 2022-08-02 08:04:36 UTC
Red Hat Product Errata RHSA-2022:5806 0 None None None 2022-08-02 07:13:43 UTC
Red Hat Product Errata RHSA-2022:5819 0 None None None 2022-08-03 13:02:21 UTC
Red Hat Product Errata RHSA-2022:5834 0 None None None 2022-08-02 08:15:53 UTC
Red Hat Product Errata RHSA-2022:5839 0 None None None 2022-08-03 12:41:29 UTC
Red Hat Product Errata RHSA-2022:6073 0 None None None 2022-08-16 12:22:42 UTC
Red Hat Product Errata RHSA-2022:6075 0 None None None 2022-08-16 12:21:10 UTC
Red Hat Product Errata RHSA-2022:6551 0 None None None 2022-09-19 11:50:27 UTC

Description Marian Rehak 2022-06-01 14:09:31 UTC
A use-after-free write vulnerability was identified within the netfilter subsystem which can be exploited to achieve privilege escalation to root. Triggering the issue requires the ability to create user/net namespaces.

Reference:

https://www.openwall.com/lists/oss-security/2022/05/31/1

Comment 1 Rohit Keshri 2022-06-01 18:36:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2092531]

Comment 8 Phil Sutter 2022-06-02 18:27:13 UTC
Upstream commit to backport:

commit 520778042ccca019f3ffa136dd0ca565c486cedd
Author: Pablo Neira Ayuso <pablo>
Date:   Wed May 25 10:36:38 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier
    
    Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
    instantiation"), it is possible to attach stateful expressions to set
    elements.
    
    cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
    and destroy phase") introduces conditional destruction on the object to
    accommodate transaction semantics.
    
    nft_expr_init() calls expr->ops->init() first, then checks for
    NFT_STATEFUL_EXPR; this still allows initializing a non-stateful
    lookup expression which points to a set, which might lead to UAF since
    the set is not properly detached from the set->binding for this case.
    Anyway, this combination is nonsense from the nf_tables perspective.
    
    This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
    expr->ops->init() is called.
    
    The reporter provides a KASAN splat and a poc reproducer (similar to
    those autogenerated by syzbot to report use-after-free errors). It is
    unknown to me if they are using syzbot or if they use a similar automated
    tool to locate the bug that they are reporting.
    
    For the record, this is the KASAN splat.
    
    [   85.431824] ==================================================================
    [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
    [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
    [   85.434756]
    [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
    [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
    
    Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
    Reported-and-tested-by: Aaron Adams <edg-e>
    Signed-off-by: Pablo Neira Ayuso <pablo>
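As an added illustration (not code from this bug, the commit, or the kernel), a simplified C model of the ordering problem the commit describes: the expression's init() binds it to the set, and the NFT_STATEFUL_EXPR check runs only afterwards, so rejecting the expression at that point frees it without detaching the binding. The struct layouts, the single binding slot (the kernel keeps a bindings list), the pool allocator and the flag's bit value are constructed stand-ins.

```c
#include <stdio.h>

#define NFT_STATEFUL_EXPR 0x1   /* flag named in the commit; the bit value is constructed */

struct nft_expr { unsigned flags; int destroyed; };
struct nft_set  { struct nft_expr *binding; };   /* one slot stands in for set->bindings */

/* Fixed pool replaces kmalloc/kfree so the dangling pointer can be inspected without UB. */
static struct nft_expr pool[8];
static int pool_used;
static struct nft_expr *expr_alloc(unsigned flags) {
    struct nft_expr *e = &pool[pool_used++];
    e->flags = flags; e->destroyed = 0;
    return e;
}
static void expr_free(struct nft_expr *e) { e->destroyed = 1; }   /* kfree stand-in */

/* ops->init() of a lookup expression: its side effect is a binding to the set. */
static void lookup_init(struct nft_expr *e, struct nft_set *set) { set->binding = e; }
/* Pre-fix order: init first, NFT_STATEFUL_EXPR check second. Rejecting here frees the
 * expression but never detaches it, so set->binding is left pointing at freed memory. */
static struct nft_expr *nft_expr_init_before_fix(struct nft_set *set, unsigned flags) {
    struct nft_expr *e = expr_alloc(flags);
    lookup_init(e, set);
    if (!(e->flags & NFT_STATEFUL_EXPR)) { expr_free(e); return NULL; }
    return e;
}
/* Fixed order: reject a non-stateful expression before init, so no binding ever exists. */
static struct nft_expr *nft_expr_init_fixed(struct nft_set *set, unsigned flags) {
    if (!(flags & NFT_STATEFUL_EXPR)) return NULL;
    struct nft_expr *e = expr_alloc(flags);
    lookup_init(e, set);
    return e;
}
/* Runs one scenario and reports whether a later write through set->binding (the
 * nf_tables_bind_set write in the KASAN splat) would hit a freed expression: 1 = yes. */
int run_scenario(int use_fix, unsigned flags) {
    struct nft_set set = { 0 };
    pool_used = 0;
    if (use_fix) nft_expr_init_fixed(&set, flags);
    else         nft_expr_init_before_fix(&set, flags);
    return set.binding ? set.binding->destroyed : 0;
}

int main(void) {
    printf("non-stateful expr, pre-fix order: dangling binding = %d\n", run_scenario(0, 0));
    printf("non-stateful expr, fixed order:   dangling binding = %d\n", run_scenario(1, 0));
    return 0;
}
```

The general lesson the model shows is that a validation step placed after an init routine with side effects must undo those side effects on rejection; moving the check in front of init, as the commit does, removes that obligation entirely.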

Comment 15 Rohit Keshri 2022-06-03 07:36:04 UTC
*** Bug 2093146 has been marked as a duplicate of this bug. ***

Comment 20 errata-xmlrpc 2022-06-28 06:55:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5214 https://access.redhat.com/errata/RHSA-2022:5214

Comment 21 errata-xmlrpc 2022-06-28 07:29:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5216 https://access.redhat.com/errata/RHSA-2022:5216

Comment 22 errata-xmlrpc 2022-06-28 07:54:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5224 https://access.redhat.com/errata/RHSA-2022:5224

Comment 23 errata-xmlrpc 2022-06-28 07:55:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5220 https://access.redhat.com/errata/RHSA-2022:5220

Comment 24 errata-xmlrpc 2022-06-28 09:46:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5232 https://access.redhat.com/errata/RHSA-2022:5232

Comment 25 errata-xmlrpc 2022-06-28 09:47:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5236 https://access.redhat.com/errata/RHSA-2022:5236

Comment 26 errata-xmlrpc 2022-06-28 10:43:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5267 https://access.redhat.com/errata/RHSA-2022:5267

Comment 27 errata-xmlrpc 2022-06-28 14:59:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:5249 https://access.redhat.com/errata/RHSA-2022:5249

Comment 28 errata-xmlrpc 2022-06-30 07:31:57 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2022:5439 https://access.redhat.com/errata/RHSA-2022:5439

Comment 29 errata-xmlrpc 2022-07-01 00:25:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:5476 https://access.redhat.com/errata/RHSA-2022:5476

Comment 32 errata-xmlrpc 2022-07-19 15:28:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5636 https://access.redhat.com/errata/RHSA-2022:5636

Comment 33 errata-xmlrpc 2022-07-19 17:35:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5641 https://access.redhat.com/errata/RHSA-2022:5641

Comment 34 errata-xmlrpc 2022-07-19 19:02:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:5648 https://access.redhat.com/errata/RHSA-2022:5648

Comment 35 errata-xmlrpc 2022-07-19 21:06:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5626 https://access.redhat.com/errata/RHSA-2022:5626

Comment 36 errata-xmlrpc 2022-07-19 21:07:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:5633 https://access.redhat.com/errata/RHSA-2022:5633

Comment 37 errata-xmlrpc 2022-08-02 07:13:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Advanced Update Support

Via RHSA-2022:5806 https://access.redhat.com/errata/RHSA-2022:5806

Comment 38 errata-xmlrpc 2022-08-02 08:04:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Advanced Update Support

Via RHSA-2022:5805 https://access.redhat.com/errata/RHSA-2022:5805

Comment 39 errata-xmlrpc 2022-08-02 08:15:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5834 https://access.redhat.com/errata/RHSA-2022:5834

Comment 40 errata-xmlrpc 2022-08-02 08:58:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Advanced Update Support
  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.6 Telco Extended Update Support

Via RHSA-2022:5802 https://access.redhat.com/errata/RHSA-2022:5802

Comment 41 errata-xmlrpc 2022-08-02 09:01:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions

Via RHSA-2022:5804 https://access.redhat.com/errata/RHSA-2022:5804

Comment 42 errata-xmlrpc 2022-08-03 12:41:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5839 https://access.redhat.com/errata/RHSA-2022:5839

Comment 43 errata-xmlrpc 2022-08-03 13:02:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:5819 https://access.redhat.com/errata/RHSA-2022:5819

Comment 45 errata-xmlrpc 2022-08-16 12:21:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions

Via RHSA-2022:6075 https://access.redhat.com/errata/RHSA-2022:6075

Comment 46 errata-xmlrpc 2022-08-16 12:22:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.7 Advanced Update Support
  Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions
  Red Hat Enterprise Linux 7.7 Telco Extended Update Support

Via RHSA-2022:6073 https://access.redhat.com/errata/RHSA-2022:6073

Comment 47 errata-xmlrpc 2022-09-19 11:50:21 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551

Comment 51 Product Security DevOps Team 2022-12-05 17:33:21 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32250
