CVE-2022-48935 Information
Description
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unregister flowtable hooks on netns exit
Unregister flowtable hooks before they are released via nf_tables_flowtable_destroy(), otherwise the hook core reports a UAF.
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller 0
Hardware name: Google Google Compute Engine/Google Compute Engine BIOS Google 01/01/2011
Call Trace:
__nft_release_hook() calls nft_unregister_flowtable_net_hooks(), which only unregisters the hooks. Then, after the RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from the packet path), so it is safe to call nf_flow_table_free(), which cleans up the remaining entries from the flowtable (both software and hardware) and unbinds the flow_block.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
https://git.kernel.org/stable/c/88c795491bf45a8c08a0f94c9ca4f13722e51013
https://git.kernel.org/stable/c/b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64
https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
5.5
Base Severity
MEDIUM