CVE-2021-46975 Information

Description

In the Linux kernel the following vulnerability has been resolved:

netfilter: conntrack: Make global sysctls readonly in non-init netns

These sysctls point to global variables:

• NF_SYSCTL_CT_MAX (&nf_conntrack_max)
• NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
• NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

Because their data pointers are not updated to point to per-netns structures they must be marked read-only in a non-init_net ns. Otherwise changes in any net namespace are reflected in (leaked into) all other net namespaces. This problem has existed since the introduction of net namespaces.

The current logic marks them read-only only if the net namespace is owned by an unprivileged user (other than init_user_ns).

Commit d0febd81ae77 ( etfilter: conntrack: re-visit sysctls in unprivileged namespaces) xposes all sysctls even if the namespace is unpriviliged.\ Since we need to mark them readonly in any case we can forego the unprivileged user check altogether.

Reference

https://git.kernel.org/stable/c/da50f56e826e1db141693297afb99370ebc160dd https://git.kernel.org/stable/c/68122479c128a929f8f7bdd951cfdc8dd0e75b8f https://git.kernel.org/stable/c/9b288479f7a901a14ce703938596438559d7df55 https://git.kernel.org/stable/c/baea536cf51f8180ab993e374cb134b5edad25e2 https://git.kernel.org/stable/c/d3598eb3915cc0c0d8cab42f4a6258ff44c4033e https://git.kernel.org/stable/c/fbf85a34ce17c4cf0a37ee253f4c582bbfb8231b https://git.kernel.org/stable/c/671c54ea8c7ff47bd88444f3fffb65bf9799ce43 https://git.kernel.org/stable/c/2671fa4dc0109d3fb581bc3078fdf17b5d9080f6