
List:       oss-security
Subject:    Re: [oss-security] Linux kernel: CVE-2022-1015,CVE-2022-1016 in nf_tables cause privilege escalation
From:       Solar Designer <solar () openwall ! com>
Date:       2022-08-25 13:28:56
Message-ID: 20220825132856.GA29197 () openwall ! com

On Mon, Mar 28, 2022 at 08:28:21PM +0200, David Bouman wrote:
> I'm reporting two Linux kernel vulnerabilities in the nf_tables
> component of the netfilter subsystem that I found.
> 
> CVE-2022-1015 pertains to an out-of-bounds access in nf_tables
> expression evaluation due to validation of user register indices. It
> leads to local privilege escalation, for example by overwriting a stack
> return address OOB with a crafted nft_expr_payload.
> 
> CVE-2022-1015 is exploitable starting from commit 345023b0db3 
> ("netfilter: nftables: add nft_parse_register_store() and use it"), 
> v5.12 and has been fixed in commit 6e1acfa387b9 ("netfilter: nf_tables: 
> validate registers coming from userspace.").
> 
> The bug has been present since commit 49499c3e6e18 ("netfilter: 
> nf_tables: switch registers to 32 bit addressing"), but to my knowledge 
> has not been exploitable until v5.12.
> 
> CVE-2022-1016 pertains to uninitialized stack data in the nft_do_chain 
> routine. CVE-2022-1016 is exploitable starting from commit 96518518cc41 
> (original merge of nf_tables), v3.13-rc1, and has been fixed in commit 
> 4c905f6740a3 ("netfilter: nf_tables: initialize registers in 
> nft_do_chain()").
> 
> I will be releasing a detailed blog post and exploit code for both 
> vulnerabilities in a few days.

Apparently, these were published on April 2, but not yet mentioned on
oss-security?

https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
https://github.com/pqlx/CVE-2022-1015

Alexander
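The report above gives, for each CVE, the first affected upstream release and the commit that fixes it, which is exactly the data a defender needs for triage. The following is an added example (not part of the original post or of the linked exploit repository): it classifies a `uname -r`-style version string against those ranges and checks a kernel config for `CONFIG_NF_TABLES`. Assumptions of mine: release candidates of the first-affected release are treated as affected, and a version inside the range is only a prompt to verify that the fix commit is present, because stable and distribution kernels backport fixes without changing their upstream version number.

```python
"""Triage helper for CVE-2022-1015 / CVE-2022-1016 (added example).

Affected ranges and fix commits are taken from the report above; the
version parsing and verdict logic are my own and are heuristic.
"""
import re

# From the report: first upstream release in which each bug is exploitable.
FIRST_AFFECTED = {
    "CVE-2022-1015": (5, 12),   # commit 345023b0db3, v5.12
    "CVE-2022-1016": (3, 13),   # commit 96518518cc41, v3.13-rc1
}
# From the report: commit that fixes each bug (presence must be verified
# per tree, since distro kernels backport fixes under older version numbers).
FIX_COMMITS = {
    "CVE-2022-1015": "6e1acfa387b9",
    "CVE-2022-1016": "4c905f6740a3",
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_kernel_version(release: str):
    """Reduce a `uname -r` string ('5.15.0-46-generic', '5.12-rc3') to
    (major, minor). Patch level and distro suffix are irrelevant for the
    ranges above. Raises ValueError on an unrecognised string."""
    m = _VER_RE.match(release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {release!r}")
    return int(m.group(1)), int(m.group(2))


def in_affected_range(release: str, cve: str) -> bool:
    """True if the upstream version is at or past the first affected
    release. Assumption: -rc builds of that release count as affected,
    since the introducing commit landed in its merge window."""
    return parse_kernel_version(release) >= FIRST_AFFECTED[cve]


def nf_tables_enabled(kconfig_text: str) -> bool:
    """True if CONFIG_NF_TABLES is built in (y) or modular (m) in a
    /boot/config-* style text; '# CONFIG_NF_TABLES is not set' is False."""
    return re.search(r"^CONFIG_NF_TABLES=[ym]$", kconfig_text, re.M) is not None


def triage(release: str, kconfig_text: str) -> dict:
    """Per-CVE verdict:
      'not_affected'        - version predates the introducing commit
      'nf_tables_disabled'  - in range, but nf_tables is not built
      'verify_fix:<commit>' - in range; confirm the fix is in your tree
                              (e.g. `git merge-base --is-ancestor <commit> HEAD`
                              against the kernel source, or the distro changelog)
    """
    verdict = {}
    for cve in FIRST_AFFECTED:
        if not in_affected_range(release, cve):
            verdict[cve] = "not_affected"
        elif not nf_tables_enabled(kconfig_text):
            verdict[cve] = "nf_tables_disabled"
        else:
            verdict[cve] = f"verify_fix:{FIX_COMMITS[cve]}"
    return verdict


if __name__ == "__main__":
    # Constructed sample inputs, not data from any real host.
    sample_config = "CONFIG_NETFILTER=y\nCONFIG_NF_TABLES=m\nCONFIG_NFT_PAYLOAD=m\n"
    for rel in ("3.10.0-1160.el7.x86_64", "5.4.0-122-generic", "5.12-rc3", "5.15.0-46-generic"):
        print(rel, triage(rel, sample_config))
```

Note that a `verify_fix` verdict is not a vulnerability finding: a 5.4 or 5.15 distro kernel may well carry the backported fix. The version check only narrows where to look; the commit presence or the vendor advisory is the actual answer.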