Message-ID: <Zjt8sRn2BjTdAt6t@lorien.valinor.li>
Date: Wed, 8 May 2024 15:22:57 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-26925: Linux: nf_tables: locking issue in the nf_tables_abort() function

Hi,

On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
> Hello,
>
> I found a locking issue in nf_tables set element GC implementation and
> exploited it in kernelCTF. The bug breaks the sequence number assumption
> in set asynchronous GC, which can be used to cause double free, and
> leads to local privilege escalation.
>
> Introduced in v6.5:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9
>
> Fixed in v6.9-rc3:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54

Should be noted that this though has been backported to stable series:
5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13 but equally the fix in
5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.

Regards.
Salvatore