Message-ID: <2024022721-CVE-2021-46975-248d@gregkh>
Date: Tue, 27 Feb 2024 19:47:35 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-46975: netfilter: conntrack: Make global sysctls readonly in non-init netns

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: Make global sysctls readonly in non-init netns

These sysctls point to global variables:
- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

Because their data pointers are not updated to point to per-netns
structures, they must be marked read-only in a non-init_net ns.
Otherwise, changes in any net namespace are reflected in (leaked into)
all other net namespaces. This problem has existed since the
introduction of net namespaces.

The current logic marks them read-only only if the net namespace is
owned by an unprivileged user (other than init_user_ns).

Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
unprivileged namespaces") "exposes all sysctls even if the namespace is
unpriviliged." Since we need to mark them readonly in any case, we can
forego the unprivileged user check altogether.

The Linux kernel CVE team has assigned CVE-2021-46975 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.9.269 with commit da50f56e826e
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.14.233 with commit 68122479c128
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 4.19.191 with commit 9b288479f7a9
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.4.120 with commit baea536cf51f
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.10.35 with commit d3598eb3915c
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.11.19 with commit fbf85a34ce17
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.12.2 with commit 671c54ea8c7f
	Issue introduced in 5.7 with commit d0febd81ae77 and fixed in 5.13 with commit 2671fa4dc010

Please see https://www.kernel.org or a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-46975
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	net/netfilter/nf_conntrack_standalone.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/da50f56e826e1db141693297afb99370ebc160dd
	https://git.kernel.org/stable/c/68122479c128a929f8f7bdd951cfdc8dd0e75b8f
	https://git.kernel.org/stable/c/9b288479f7a901a14ce703938596438559d7df55
	https://git.kernel.org/stable/c/baea536cf51f8180ab993e374cb134b5edad25e2
	https://git.kernel.org/stable/c/d3598eb3915cc0c0d8cab42f4a6258ff44c4033e
	https://git.kernel.org/stable/c/fbf85a34ce17c4cf0a37ee253f4c582bbfb8231b
	https://git.kernel.org/stable/c/671c54ea8c7ff47bd88444f3fffb65bf9799ce43
	https://git.kernel.org/stable/c/2671fa4dc0109d3fb581bc3078fdf17b5d9080f6

Powered by blists - more mailing lists