See https://www.openwall.com/lists/oss-security/2023/05/08/4

"""
An issue has been discovered in the Linux kernel that can be abused by unprivileged local users to escalate privileges. The issue is about Netfilter nf_tables accepting some invalid updates to its configuration.

Netfilter nf_tables allows updating its configuration with batch requests that group multiple basic operations into atomic transactions. In a specific scenario, an invalid batch request may contain an operation that implicitly deletes an existing nft anonymous set followed by another operation that attempts to act on the same nft anonymous set after it is deleted.

In the above scenario, one example of the former operation is to delete an existing nft rule that uses an nft anonymous set. And an example of the latter operation is an attempt to delete an element from that nft anonymous set after the set gets deleted. Alternatively, the latter operation could even attempt to explicitly delete that nft anonymous set again.

In the discussed scenario, Netfilter nf_tables fails to reject the invalid batch request and then it corrupts its own internal state when committing the latter operation.

The issue has been reproduced against multiple Linux kernel releases, including Linux 6.3.1 (current stable).

We developed an exploit that allows unprivileged local users to start a root shell by abusing the above issue. That exploit was shared privately with <security@...nel.org> to assist with fix development. Somebody from the Linux kernel team then emailed the proposed fix to <linux-distros@...openwall.org> and that email also included a link to download our description of exploitation techniques and our exploit source code. Therefore, according to the linux-distros list policy, the exploit must be published within 7 days from this advisory.

In order to comply with that policy, I intend to publish both the description of exploitation techniques and also the exploit source code on Monday 15th by email to this list.

The fix is available from the mainline kernel git repository:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/?id=c1592a89942e9678f7d9c8030efa777c0d57edab

# Discoverers

Patryk Sondej <patryk.sondej@...il.com>
Piotr Krysiuk <piotras@...il.com>

# References

CVE-2023-32233 (reserved via https://cveform.mitre.org/)
"""
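The advisory's core point is about transaction validation: a batch is checked in a preparation phase and then committed, and an object implicitly freed by an earlier operation in the same batch must already be invisible to later operations during preparation, not only at commit time (which is what the fix title "deactivate anonymous set from preparation phase" refers to). The following is an added toy model written for this bug entry, not kernel code and not from the advisory or the Gentoo commits; the `Ruleset` class, the `run_batch` helper, the rule handle `7` and the set name `"__set0"` are all constructed. It shows why validating against the prepared (not the committed) state is the difference between an `ENOENT` rejection and a commit that acts on a freed object.

```python
# Constructed toy model of a two-phase (prepare/commit) ruleset transaction.
# It is NOT kernel code; names such as Ruleset, run_batch and the "__set0"
# handle are invented for illustration.
from dataclasses import dataclass, field


class BatchRejected(Exception):
    """Batch refused during preparation; committed state is untouched."""


class StateCorruption(Exception):
    """Commit phase touched an object that was already freed (the bug)."""


@dataclass
class Ruleset:
    sets: dict = field(default_factory=dict)   # set name -> elements
    rules: dict = field(default_factory=dict)  # rule handle -> bound anonymous set (or None)


def make_state():
    """One rule (handle 7) whose match uses the anonymous set "__set0"."""
    return Ruleset(sets={"__set0": {1, 2}}, rules={7: "__set0"})


def apply_batch(state, ops, deactivate_in_prepare):
    """Two-phase transaction over a copy of `state`; returns the new state."""
    work = Ruleset(sets={k: set(v) for k, v in state.sets.items()},
                   rules=dict(state.rules))
    deactivated = set()   # anonymous sets that will die with this batch
    plan = []             # commit actions resolved during preparation

    # Phase 1: preparation. Each op is checked before anything is committed.
    for kind, target in ops:
        if kind == "del_rule":
            if target not in work.rules:
                raise BatchRejected(f"ENOENT rule {target}")
            bound = work.rules.pop(target)
            if bound is not None:
                if deactivate_in_prepare:
                    # Fixed behaviour: the set is invisible to later ops in
                    # the same batch, so they fail validation with ENOENT.
                    deactivated.add(bound)
                plan.append(("free_set", bound))
        elif kind in ("del_setelem", "del_set"):
            name = target[0] if kind == "del_setelem" else target
            if name not in work.sets or name in deactivated:
                raise BatchRejected(f"ENOENT set {name}")
            if kind == "del_set":
                deactivated.add(name)
            plan.append((kind, target))
        else:
            raise BatchRejected(f"EINVAL {kind}")

    # Phase 2: commit. Nothing here re-validates; a stale reference that
    # slipped through preparation now acts on an already freed set.
    for kind, target in plan:
        name = target[0] if kind == "del_setelem" else target
        if name not in work.sets:
            raise StateCorruption(f"use of freed set {name} during {kind}")
        if kind == "del_setelem":
            work.sets[name].discard(target[1])
        else:  # free_set or del_set
            del work.sets[name]
    return work


def run_batch(ops, fixed):
    """Classify the outcome of `ops` against a fresh state."""
    try:
        apply_batch(make_state(), ops, deactivate_in_prepare=fixed)
    except BatchRejected:
        return "rejected"
    except StateCorruption:
        return "corrupted"
    return "committed"


# Constructed batches mirroring the advisory's description.
IMPLICIT_THEN_ELEM = [("del_rule", 7), ("del_setelem", ("__set0", 1))]
IMPLICIT_THEN_SET = [("del_rule", 7), ("del_set", "__set0")]
ELEM_THEN_RULE = [("del_setelem", ("__set0", 1)), ("del_rule", 7)]

if __name__ == "__main__":
    for label, batch in [("elem after implicit delete", IMPLICIT_THEN_ELEM),
                         ("set after implicit delete", IMPLICIT_THEN_SET),
                         ("elem before rule delete", ELEM_THEN_RULE)]:
        print(f"{label:28} unpatched={run_batch(batch, False):9} "
              f"patched={run_batch(batch, True)}")
```

The unpatched variant accepts both invalid batches and only discovers the problem at commit, when the working state is already half-modified; the patched variant rejects them in preparation with no state change, while the legitimate batch (element deletion before the rule deletion) commits in both variants. The model does not make any statement about how the real kernel lays out its transaction objects; it only illustrates the validation ordering the fix title describes.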
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8a0edcdbca4e660ac9eff42326af5832b0f0cd6

commit b8a0edcdbca4e660ac9eff42326af5832b0f0cd6
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:53:39 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233

    netfilter: nf_tables: deactivate anonymous set from preparation phase

    Bug: https://bugs.gentoo.org/906064
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.3.1-r1.ebuild  | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6febcb5b9366ea8425956ec72d35073b650f1b13

commit 6febcb5b9366ea8425956ec72d35073b650f1b13
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:53:16 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, BMQ Patch

    netfilter: nf_tables: deactivate anonymous set from preparation phase
    sched/alt: Remove psi support

    Bug: https://bugs.gentoo.org/906064
    Bug: https://bugs.gentoo.org/904514
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.2.14-r1.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a6053524af4e316e45c59dc66243f8ce52facaef

commit a6053524af4e316e45c59dc66243f8ce52facaef
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:51:40 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, BMQ Patch

    netfilter: nf_tables: deactivate anonymous set from preparation phase
    sched/alt: Remove psi support

    Bug: https://bugs.gentoo.org/906064
    Bug: https://bugs.gentoo.org/904514
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources/gentoo-sources-6.1.27-r1.ebuild | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a928bb70f946a5c42241c132fb296ba3f7922f81

commit a928bb70f946a5c42241c132fb296ba3f7922f81
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:51:11 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233

    netfilter: nf_tables: deactivate anonymous set from preparation phase

    Bug: https://bugs.gentoo.org/906064
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.15.110-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d1632708b906428aa9a46a11ce6fc7b1107b389f

commit d1632708b906428aa9a46a11ce6fc7b1107b389f
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:50:15 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:58 +0000

    sys-kernel/gentoo-sources: netfltr patch for CVE-2023-32233, gcc patch

    netfilter: nf_tables: deactivate anonymous set from preparation phase
    gcc-plugins: Reorganize gimple includes for GCC 13

    Bug: https://bugs.gentoo.org/906064
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.10.179-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=20a0e486482acfac7050dc5973cbf9554dd2edd1

commit 20a0e486482acfac7050dc5973cbf9554dd2edd1
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:49:42 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:57 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233

    netfilter: nf_tables: deactivate anonymous set from preparation phase

    Bug: https://bugs.gentoo.org/906064
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-5.4.242-r1.ebuild               | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bf11ff9244ef87ef6176757e4dbd7849f015a7db

commit bf11ff9244ef87ef6176757e4dbd7849f015a7db
Author:     Mike Pagano <mpagano@gentoo.org>
AuthorDate: 2023-05-10 18:48:36 +0000
Commit:     Mike Pagano <mpagano@gentoo.org>
CommitDate: 2023-05-10 18:53:57 +0000

    sys-kernel/gentoo-sources: netfilter patch for CVE-2023-32233

    netfilter: nf_tables: deactivate anonymous set from preparation phase

    Bug: https://bugs.gentoo.org/906064
    Signed-off-by: Mike Pagano <mpagano@gentoo.org>

 sys-kernel/gentoo-sources/Manifest                 |  3 +++
 .../gentoo-sources-4.19.282-r1.ebuild              | 28 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Looks like we're all done.