2173973 – (CVE-2023-1095) CVE-2023-1095 kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head

Bug 2173973 (CVE-2023-1095) - CVE-2023-1095 kernel: netfilter: NULL pointer dereference in nf_tables due to zeroed list head

Summary: CVE-2023-1095 kernel: netfilter: NULL pointer dereference in nf_tables due to...

Keywords:
Status:	NEW
Alias:	CVE-2023-1095
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat2072549 Red Hat2121393 Red Hat2173999 Red Hat2174000 Red Hat2174001 Red Hat2174002
Blocks:	Embargoed2154244
TreeView+	depends on / blocked

Reported:	2023-02-28 14:55 UTC by Mauro Matteo Cascella
Modified:	2023-04-01 08:44 UTC (History)
CC List:	36 users (show)
Fixed In Version:	kernel 6.0-rc1
Doc Type:	If docs needed, set a value
Doc Text:	A NULL pointer dereference flaw was found in the Linux kernel’s netfilter subsystem. The issue could occur due to an error in nf_tables_updtable while freeing a transaction object not placed on the list head. This flaw allows a local, unprivileged user to crash the system, resulting in a denial of service.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2023-02-28 14:55:06 UTC

In nf_tables_updtable, if nf_tables_table_enable returns an error, nft_trans_destroy is called to free the transaction object. nft_trans_destroy() calls list_del(), but the transaction was never placed on a list -- the list head is all zeroes, this results in a NULL pointer dereference.

Upstream patch & commit:
https://lore.kernel.org/netfilter-devel/20220809163402.20227-1-fw@strlen.de/
https://github.com/torvalds/linux/commit/580077855a40741cf511766129702d97ff02f4d9

Comment 4 Mauro Matteo Cascella 2023-02-28 16:36:29 UTC

This issue was fixed upstream in version 6.0. The kernel packages as shipped in Red Hat Enterprise Linux 9 were previously updated to a version that contains the fix via the following errata:

kernel in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:8267

kernel-rt in Red Hat Enterprise Linux 9
https://access.redhat.com/errata/RHSA-2022:7933

Note You need to log in before you can comment on or make changes to this bug.

acaringi
bhu
chwhite
ddepaula
debarbos
dfreiber
dvlasenk
ezulian
fhrbata
hkrzesin
jarod
jburrell
jfaracco
jferlan
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
kernel-mgr
lgoncalv
lleshchi
lzampier
nmurray
ptalbert
qzhao
rogbas
rvrbovsk
scweaver
swood
tyberry
vkumar
walters
williams