2225239 – (CVE-2023-4147) CVE-2023-4147 kernel: netfilter: nf_tables_newrule when adding a rule with NFTA_RULE_CHAIN_ID leads to use-after-free

Bug 2225239 (CVE-2023-4147) - CVE-2023-4147 kernel: netfilter: nf_tables_newrule when adding a rule with NFTA_RULE_CHAIN_ID leads to use-after-free

Summary: CVE-2023-4147 kernel: netfilter: nf_tables_newrule when adding a rule with NF...

Keywords:
Status:	NEW
Alias:	CVE-2023-4147
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2225271 2228989 2228990 2228991 2228992 2228993 2228994 2228995 2225270 2229467
Blocks:	2225238
TreeView+	depends on / blocked

Reported:	2023-07-24 18:01 UTC by Alex
Modified:	2023-08-08 13:14 UTC (History)
CC List:	52 users (show)
Fixed In Version:	Kernel 6.5-rc4
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free flaw was found in the Linux kernel’s Netfilter functionality when adding a rule with NFTA_RULE_CHAIN_ID. This flaw allows a local user to crash or escalate their privileges on the system.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Alex 2023-07-24 18:01:28 UTC

A flaw in the Linux Kernel found. For the netfilter, nf_tables_newrule when adding a rule with NFTA_RULE_CHAIN_ID can lead to use-after-free.

Reference:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0ebc1064e4874d5987722a2ddbc18f94aa53b211

Comment 7 Salvatore Bonaccorso 2023-08-04 04:23:30 UTC

(In reply to Alex from comment #0)
> A flaw in the Linux Kernel found. For the netfilter, nf_tables_newrule when
> adding a rule with NFTA_RULE_CHAIN_ID can lead to use-after-free.
> 
> Reference:
> TODO add link when becomes available

Any more information on that?

Comment 8 Salvatore Bonaccorso 2023-08-04 04:25:28 UTC

From the commit description this is https://git.kernel.org/linus/0ebc1064e4874d5987722a2ddbc18f94aa53b211 which matches as well your "Fixed In Version: Kernel 6.5-rc4" correct?

Comment 9 Alex 2023-08-06 08:44:15 UTC

In reply to comment #8:
> From the commit description this is
> https://git.kernel.org/linus/0ebc1064e4874d5987722a2ddbc18f94aa53b211 which
> matches as well your "Fixed In Version: Kernel 6.5-rc4" correct?

Yes, correct.

Comment 10 Alex 2023-08-06 08:50:14 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2229467]

Comment 11 Justin M. Forbes 2023-08-07 22:17:17 UTC

This was fixed for Fedora with the 6.4.8 stable kernel updates.

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
bhu
carnil
chwhite
dbohanno
ddepaula
debarbos
dfreiber
dvlasenk
ezulian
hkrzesin
jarod
jburrell
jdenham
jfaracco
jferlan
jforbes
jlelli
joe.lawrence
jpoimboe
jshortt
jstancek
jwyatt
kcarcia
kernel-mgr
kpatch-maint
ldoskova
lgoncalv
lleshchi
lzampier
nmurray
psutter
ptalbert
qzhao
rhandlin
rogbas
rrobaina
rvrbovsk
rysulliv
scweaver
security-response-team
swood
tglozar
tyberry
vkumar
walters
wcosta
williams
wmealing
ycote
ymankad