-

CVE-2023-54243

netfilter: ebtables: fix table blob use-after-free

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix table blob use-after-free

We are not allowed to return an error at this point.
Looking at the code it looks like ret is always 0 at this
point, but its not.

t = find_table_lock(net, repl->name, &ret, &ebt_mutex);

... this can return a valid table, with ret != 0.

This bug causes update of table->private with the new
blob, but then frees the blob right away in the caller.

Syzbot report:

BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
Workqueue: netns cleanup_net
Call Trace:
 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
 __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
 ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
 ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
 cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
...

ip(6)tables appears to be ok (ret should be 0 at this point) but make
this more obvious.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerLinux
Produkt Linux
Default Statusunaffected
Version c58dd2dd443c26d856a168db108a0cd11c285bf3
Version < 9060abce3305ab2354c892c09d5689df51486df5
Status affected
Version c58dd2dd443c26d856a168db108a0cd11c285bf3
Version < dbb3cbbf03b3c52cb390fabec357f1e4638004f5
Status affected
Version c58dd2dd443c26d856a168db108a0cd11c285bf3
Version < 3dd6ac973351308d4117eda32298a9f1d68764fd
Status affected
Version c58dd2dd443c26d856a168db108a0cd11c285bf3
Version < cda0e0243bd3c04008fcd37a46b0269fb3c49249
Status affected
Version c58dd2dd443c26d856a168db108a0cd11c285bf3
Version < e58a171d35e32e6e8c37cfe0e8a94406732a331f
Status affected
Version a3bc0f8ea439762aa62d40a295157410498cbea7
Status affected
Version 8ed40c122919cd79bc3c059e5864e5e7d9d455f0
Status affected
Version c5e4ef499cfc78de45a4f01b8c557b5964d77c53
Status affected
Version f34728610b2a8c7b9864f9404f2884c17f6fca5c
Status affected
Version 8b5740915a9faa8b1fa9166193a33e2a9ae30ec6
Status affected
HerstellerLinux
Produkt Linux
Default Statusaffected
Version 3.15
Status affected
Version 0
Version < 3.15
Status unaffected
Version <= 5.10.*
Version 5.10.173
Status unaffected
Version <= 5.15.*
Version 5.15.100
Status unaffected
Version <= 6.1.*
Version 6.1.18
Status unaffected
Version <= 6.2.*
Version 6.2.5
Status unaffected
Version <= *
Version 6.3
Status unaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.04% 0.101
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
Es wurden noch keine Informationen zu CWE veröffentlicht.