In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_queue: fix possible use-after-free
Eric Dumazet says:
The sock_hold() side seems suspect, because there is no guarantee
that sk_refcnt is not already 0.
On failure, we cannot queue the packet and need to indicate an
error. The packet will be dropped by the caller.
v2: split skb prefetch hunk into separate change
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"include/net/netfilter/nf_queue.h",
"net/netfilter/nf_queue.c",
"net/netfilter/nfnetlink_queue.c"
],
"versions": [
{
"version": "271b72c7fa82",
"lessThan": "21b27b2baa27",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "ef97921ccdc2",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "34dc4a6a7f26",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "43c25da41e30",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "4d05239203fa",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "dd648bd1b33a",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "dcc3cb920bf7",
"status": "affected",
"versionType": "git"
},
{
"version": "271b72c7fa82",
"lessThan": "c3873070247d",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"include/net/netfilter/nf_queue.h",
"net/netfilter/nf_queue.c",
"net/netfilter/nfnetlink_queue.c"
],
"versions": [
{
"version": "2.6.29",
"status": "affected"
},
{
"version": "0",
"lessThan": "2.6.29",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.9.305",
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.14.270",
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.233",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.183",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.104",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.27",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.16.13",
"lessThanOrEqual": "5.16.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.17",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/21b27b2baa27423286e9b8d3f0b194d587083d95
git.kernel.org/stable/c/34dc4a6a7f261736ef7183868a5bddad31c7f9e3
git.kernel.org/stable/c/43c25da41e3091b31a906651a43e80a2719aa1ff
git.kernel.org/stable/c/4d05239203fa38ea8a6f31e228460da4cb17a71a
git.kernel.org/stable/c/c3873070247d9e3c7a6b0cf9bf9b45e8018427b1
git.kernel.org/stable/c/dcc3cb920bf7ba66ac5e9272293a9ba5f80917ee
git.kernel.org/stable/c/dd648bd1b33a828f62befa696b206c688da0ec43
git.kernel.org/stable/c/ef97921ccdc243170fcef857ba2a17cf697aece5