Date: Wed, 17 Apr 2024 17:59:35 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-26910: netfilter: ipset: fix performance regression in swap operation

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix performance regression in swap operation

The patch "netfilter: ipset: fix race condition between swap/destroy
and kernel side add/del/test", commit 28628fa9 fixes a race condition.
But the synchronize_rcu() added to the swap function unnecessarily slows
it down: it can safely be moved to destroy and use call_rcu() instead.

Eric Dumazet pointed out that simply calling the destroy functions as
rcu callback does not work: sets with timeout use garbage collectors
which need cancelling at destroy which can wait. Therefore the destroy
functions are split into two: cancelling garbage collectors safely at
executing the command received by netlink and moving the remaining
part only into the rcu callback.

The Linux kernel CVE team has assigned CVE-2024-26910 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.4.264 with commit 427deb5ba566 and fixed in 5.4.269 with commit c7f2733e5011
	Issue introduced in 5.10.204 with commit e7152a138a5a and fixed in 5.10.210 with commit a24d5f2ac8ef
	Issue introduced in 5.15.143 with commit 8bb930c3a1ea and fixed in 5.15.149 with commit c2dc077d8f72
	Issue introduced in 6.1.68 with commit 875ee3a09e27 and fixed in 6.1.79 with commit 653bc5e6d999
	Issue introduced in 6.6.7 with commit 23c31036f862 and fixed in 6.6.18 with commit b93a6756a01f
	Issue introduced in 6.7 with commit 28628fa952fe and fixed in 6.7.6 with commit 970709a67696
	Issue introduced in 6.7 with commit 28628fa952fe and fixed in 6.8 with commit 97f7cf1cd80e
	Issue introduced in 4.19.302 with commit a12606e5ad0c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26910
will be updated if fixes are backported; please check that for the most
up-to-date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	include/linux/netfilter/ipset/ip_set.h
	net/netfilter/ipset/ip_set_bitmap_gen.h
	net/netfilter/ipset/ip_set_core.c
	net/netfilter/ipset/ip_set_hash_gen.h
	net/netfilter/ipset/ip_set_list_set.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If, however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225
	https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05
	https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49
	https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c
	https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397
	https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb
	https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001
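
The following is an added example, not part of the original announcement: a first-pass triage check that classifies a kernel release string against the ranges listed under "Affected and fixed versions". It assumes the release string reflects the upstream stable version; distribution kernels that backport fixes without changing the version number need to be checked against the vendor's changelog instead. The names AFFECTED, FIXED_MAINLINE, parse_release and status are hypothetical.

```python
import platform
import re

# (major, minor) -> (first affected patch level, first fixed patch level).
# Transcribed from "Affected and fixed versions" above; None means the
# announcement lists no fixed release for that branch.
AFFECTED = {
    (4, 19): (302, None),
    (5, 4): (264, 269),
    (5, 10): (204, 210),
    (5, 15): (143, 149),
    (6, 1): (68, 79),
    (6, 6): (7, 18),
    (6, 7): (0, 6),
}
FIXED_MAINLINE = (6, 8)  # mainline fix, commit 97f7cf1cd80e


def parse_release(release):
    """Return (major, minor, patch) from a string such as '6.1.68-amd64'."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m[1]), int(m[2]), int(m[3] or 0)


def status(release):
    """Classify a release as affected, fixed, unaffected or not-listed."""
    major, minor, patch = parse_release(release)
    if (major, minor) >= FIXED_MAINLINE:
        return "fixed"
    if (major, minor) not in AFFECTED:
        return "not-listed"  # branch does not appear in the announcement
    introduced, fixed = AFFECTED[(major, minor)]
    if patch < introduced:
        return "unaffected"
    if fixed is not None and patch >= fixed:
        return "fixed"
    return "affected"


if __name__ == "__main__":
    running = platform.release()
    print(running, status(running))
```

A "not-listed" result means the branch does not appear in the announcement, not that it has been verified clean.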
