From: Sasha Levin <sashal@kernel.org>
To: Siddh Raman Pant <siddh.raman.pant@oracle.com>
Cc: "stable@vger.kernel.org" <stable@vger.kernel.org>,
"pablo@netfilter.org" <pablo@netfilter.org>,
"gregkh@linuxfoundation.org" <gregkh@linuxfoundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: CVE-2024-39503: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
Date: Wed, 7 Aug 2024 09:27:48 -0400 [thread overview]
Message-ID: <ZrN2VCc9hM_mahCS@sashalap> (raw)
In-Reply-To: <c44971f608d7d1d2733757112ef6fca87b004d17.camel@oracle.com>
On Wed, Aug 07, 2024 at 06:42:14AM +0000, Siddh Raman Pant wrote:
>On Fri, 12 Jul 2024 14:21:09 +0200, Greg Kroah-Hartman wrote:
>> In the Linux kernel, the following vulnerability has been resolved:
>>
>> netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
>>
>> Lion Ackermann reported that there is a race condition between namespace cleanup
>> in ipset and the garbage collection of the list:set type. The namespace
>> cleanup can destroy the list:set type of sets while the gc of the set type is
>> waiting to run in rcu cleanup. The latter uses data from the destroyed set which
>> thus leads use after free. The patch contains the following parts:
>>
>> - When destroying all sets, first remove the garbage collectors, then wait
>> if needed and then destroy the sets.
>> - Fix the badly ordered "wait then remove gc" for the destroy a single set
>> case.
>> - Fix the missing rcu locking in the list:set type in the userspace test
>> case.
>> - Use proper RCU list handlings in the list:set type.
>>
>> The patch depends on c1193d9bbbd3 (netfilter: ipset: Add list flush to cancel_gc).
>
>This commit does not exist in stable kernels. Please backport it.
>
> netfilter: ipset: Add list flush to cancel_gc
>
> Flushing list in cancel_gc drops references to other lists right away,
> without waiting for RCU to destroy list. Fixes race when referenced
> ipsets can't be destroyed while referring list is scheduled for destroy.
>
>Since this is missing, the CVE fix potentially introduced new races as
>it makes use of RCU.
Indeed, looks like it was missing on older trees. I'll queue it up.
Thanks!
--
Thanks,
Sasha
prev parent reply other threads:[~2024-08-07 13:27 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2024071204-CVE-2024-39503-e604@gregkh>
2024-08-07 6:42 ` CVE-2024-39503: netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type Siddh Raman Pant
2024-08-07 13:27 ` Sasha Levin [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZrN2VCc9hM_mahCS@sashalap \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=siddh.raman.pant@oracle.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).