| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025020502-CVE-2023-52925-0b0e@gregkh> Date: Wed, 5 Feb 2025 10:08:02 +0100 From: Greg Kroah-Hartman <gregkh@...uxfoundation.org> To: linux-cve-announce@...r.kernel.org Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org> Subject: CVE-2023-52925: netfilter: nf_tables: don't fail inserts if duplicate has expired Description =========== In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't fail inserts if duplicate has expired nftables selftests fail: run-tests.sh testcases/sets/0044interval_overlap_0 Expected: 0-2 . 0-3, got: W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1 Insertion must ignore duplicate but expired entries. Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this. I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping exired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback. In first two cases expired elements must be skipped. For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error. The Linux kernel CVE team has assigned CVE-2023-52925 to this issue. Affected and fixed versions =========================== Issue introduced in 6.4.11 with commit bd156ce9553dcaf2d6ee2c825d1a5a1718e86524 and fixed in 6.4.12 with commit 156369a702c33ad5434a19c3a689bfb836d4e0b8 Issue introduced in 4.19.316 with commit 94313a196b44184b5b52c1876da6a537701b425a Issue introduced in 5.4.262 with commit 1da4874d05da1526b11b82fc7f3c7ac38749ddf8 Please see https://www.kernel.org for a full list of currently supported kernel versions by the kernel community. Unaffected versions might change over time as fixes are backported to older supported kernel versions. The official CVE entry at https://cve.org/CVERecord/?id=CVE-2023-52925 will be updated if fixes are backported, please check that for the most up to date information about this issue. Affected files ============== The file(s) affected by this issue are: net/netfilter/nft_set_pipapo.c Mitigation ========== The Linux kernel CVE team recommends that you update to the latest stable kernel version for this, and many other bugfixes. Individual changes are never tested alone, but rather are part of a larger kernel release. Cherry-picking individual commits is not recommended or supported by the Linux kernel community at all. If however, updating to the latest release is impossible, the individual changes to resolve this issue can be found at these commits: https://git.kernel.org/stable/c/891ca5dfe3b718b441fc786014a7ba8f517da188 https://git.kernel.org/stable/c/af78b0489e8898a8c9449ffc0fdd2e181916f0d4 https://git.kernel.org/stable/c/59ee68c437c562170265194a99698c805a686bb3 https://git.kernel.org/stable/c/156369a702c33ad5434a19c3a689bfb836d4e0b8 https://git.kernel.org/stable/c/7845914f45f066497ac75b30c50dbc735e84e884
Powered by blists - more mailing lists