Bug 836384 - (CVE-2022-1015) - linux kernel 5.15+ <{5.17.1,5.16.18,5.15.32}: out of bounds access in nf_tables expression evaluation, leads to local privilege escalation
Status: UNCONFIRMED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://seclists.org/oss-sec/2022/q1/205
Depends on: 836418 836419 836420
Reported: 2022-03-29 23:09 UTC by CFuga
Modified: 2022-10-15 02:50 UTC (History)
Description CFuga 2022-03-29 23:09:53 UTC
CVE-2022-1015 pertains to an out of bounds access in nf_tables expression evaluation due to validation of user register indices. It leads to local privilege escalation, for example by overwriting a stack return address OOB with a crafted nft_expr_payload.

CVE-2022-1015 is exploitable starting from commit 345023b0db3 ("netfilter: nftables: add nft_parse_register_store() and use it"), v5.12 and has been fixed in commit 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.").

The bug has been present since commit 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing"), but to my knowledge has not been exploitable until v5.12.

Fixed in 5.17.1, 5.16.18, 5.15.32.

Reproducible: Always
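
A host-side check built from the version boundaries stated in the report above (exploitable from v5.12; fixed in 5.15.32, 5.16.18 and 5.17.1). This is an added example, not part of the bug report or of any Gentoo tooling; the function name `cve_2022_1015_status` and its status labels are hypothetical. It assumes upstream-style release strings (distribution backports are not detected) and that releases after the 5.17 branch contain the fix commit.

```shell
#!/bin/sh
# Classify a kernel release string against the CVE-2022-1015 boundaries
# given in the report. Prints one status word; labels are hypothetical.
cve_2022_1015_status() {
    ver=${1%%[-+]*}   # drop local suffix: "5.15.31-gentoo-r1" -> "5.15.31"
    IFS=. read -r major minor patch _ <<EOF
$ver
EOF
    patch=${patch:-0} # "5.17" is treated as 5.17.0
    # Reject anything that is not numeric major.minor.patch.
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*) echo unknown; return 0 ;;
    esac
    if [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 12 ]; }; then
        # Report: bug may be present, but not exploitable before v5.12.
        echo not_exploitable_per_report
    elif [ "$major" -gt 5 ] || [ "$minor" -gt 17 ]; then
        # Assumption: branches after 5.17 include the fix commit.
        echo fixed
    else
        case $minor in
            15) fixed_patch=32 ;;
            16) fixed_patch=18 ;;
            17) fixed_patch=1 ;;
            # 5.12-5.14: exploitable, and the report lists no fixed release.
            *)  echo vulnerable_no_fix_listed; return 0 ;;
        esac
        if [ "$patch" -ge "$fixed_patch" ]; then
            echo fixed
        else
            echo vulnerable
        fi
    fi
}

# Constructed sample release strings (not taken from the report).
for rel in 5.11.22 5.14.21 5.15.31-gentoo-r1 5.15.32 5.16.17 5.17 6.1.0; do
    printf '%-20s %s\n' "$rel" "$(cve_2022_1015_status "$rel")"
done
```

On a live system, pass the running kernel's release: `cve_2022_1015_status "$(uname -r)"`.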