Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 906064 (CVE-2023-32233)

Summary: sys-kernel/gentoo-sources, sys-kernel/gentoo-kernel: Use-after-free in netfilter
Product: Gentoo Security Reporter: Sam James <sam>
Component: KernelAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: dist-kernel, kernel, kfm
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 906162, 906163, 906164, 906165    
Bug Blocks:    

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-10 11:58:32 UTC
See https://www.openwall.com/lists/oss-security/2023/05/08/4

"""
An issue has been discovered in the Linux kernel that can be abused by
unprivileged local users to escalate privileges.

The issue is about Netfilter nf_tables accepting some invalid updates
to its configuration.

Netfilter nf_tables allows updating its configuration with batch
requests that group multiple basic operations into atomic transactions.
In a specific scenario, an invalid batch request may contain an
operation that implicitly deletes an existing nft anonymous set
followed by another operation that attempts to act on the same nft
anonymous set after it is deleted. In the above scenario, one example
of the former operation is to delete an existing nft rule that uses an
nft anonymous set. And an example of the latter operation is an attempt
to delete an element from that nft anonymous set after the set gets
deleted. Alternatively, the latter operation could even attempt to
explicitly delete that nft anonymous set again. In the discussed
scenario, Netfilter nf_tables fails to reject invalid batch request and
then it corrupts its own internal state when committing the latter
operation.

The issue has been reproduced against multiple Linux kernel releases,
including Linux 6.3.1 (current stable).

We developed an exploit that allows unprivileged local users to start a
root shell by abusing the above issue. That exploit was shared
privately with <security@...nel.org> to assist with fix development.
Somebody from the Linux kernel team then emailed the proposed fix to
<linux-distros@...openwall.org> and that email also included a link to
download our description of exploitation techniques and our exploit
source code.

Therefore, according to the linux-distros list policy, the exploit must
be published within 7 days from this advisory. In order to comply with
that policy, I intend to publish both the description of exploitation
techniques and also the exploit source code on Monday 15th by email to
this list.

The fix is available from mainline kernel git repository:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab

# Discoverers

Patryk Sondej <patryk.sondej@...il.com>
Piotr Krysiuk <piotras@...il.com>

# References

CVE-2023-32233 (reserved via https://cveform.mitre.org/)
"""
Comment 1 Larry the Git Cow gentoo-dev 2023-05-10 18:54:07 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8a0edcdbca4e660ac9eff42326af5832b0f0cd6

commit b8a0edcdbca4e660ac9eff42326af5832b0f0cd6
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:53:39 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    
    Bug: https://bugs.gentoo.org/906064
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.3.1-r1.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6febcb5b9366ea8425956ec72d35073b650f1b13

commit 6febcb5b9366ea8425956ec72d35073b650f1b13
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:53:16 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, BMQ Patch
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    sched/alt: Remove psi support
    
    Bug: https://bugs.gentoo.org/906064
    Bug: https://bugs.gentoo.org/904514
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.2.14-r1.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6053524af4e316e45c59dc66243f8ce52facaef

commit a6053524af4e316e45c59dc66243f8ce52facaef
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:51:40 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, BMQ Patch
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    sched/alt: Remove psi support
    
    Bug: https://bugs.gentoo.org/906064
    Bug: https://bugs.gentoo.org/904514
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.1.27-r1.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a928bb70f946a5c42241c132fb296ba3f7922f81

commit a928bb70f946a5c42241c132fb296ba3f7922f81
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:51:11 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    
    Bug: https://bugs.gentoo.org/906064
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.15.110-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1632708b906428aa9a46a11ce6fc7b1107b389f

commit d1632708b906428aa9a46a11ce6fc7b1107b389f
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:50:15 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, gcc patch
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    gcc-plugins: Reorganize gimple includes for GCC 13
    
    Bug: https://bugs.gentoo.org/906064
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.10.179-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20a0e486482acfac7050dc5973cbf9554dd2edd1

commit 20a0e486482acfac7050dc5973cbf9554dd2edd1
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:49:42 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:57 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    
    Bug: https://bugs.gentoo.org/906064
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.4.242-r1.ebuild               | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf11ff9244ef87ef6176757e4dbd7849f015a7db

commit bf11ff9244ef87ef6176757e4dbd7849f015a7db
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:48:36 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:57 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233
    
    netfilter: nf_tables: deactivate anonymous set from preparation phase
    
    Bug: https://bugs.gentoo.org/906064
    
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-4.19.282-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Comment 2 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-05-25 03:28:16 UTC
Looks like we're all done.