CVE-2023-53635

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
07/10/2025
Last modified:
08/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: fix wrong ct->timeout value

(struct nf_conn)->timeout is an interval before the conntrack is
confirmed. After confirmation, it becomes a timestamp.

It is observed that the timeout of an unconfirmed conntrack is:
- Set by calling ctnetlink_change_timeout(). As a result,
`nfct_time_stamp` was wrongly added to `ct->timeout` twice.
- Got by calling ctnetlink_dump_timeout(). As a result,
`nfct_time_stamp` was wrongly subtracted.

Call Trace:

dump_stack_lvl
ctnetlink_dump_timeout
__ctnetlink_glue_build
ctnetlink_glue_build
__nfqnl_enqueue_packet
nf_queue
nf_hook_slow
ip_mc_output
? __pfx_ip_finish_output
ip_send_skb
? __pfx_dst_output
udp_send_skb
udp_sendmsg
? __pfx_ip_generic_getfrag
sock_sendmsg

Separate the 2 cases in:
- Setting `ct->timeout` in __nf_ct_set_timeout().
- Getting `ct->timeout` in ctnetlink_dump_timeout().

Pablo appends:

Update ctnetlink to set up the timeout _after_ the IPS_CONFIRMED flag is
set on, otherwise conntrack creation via ctnetlink breaks.

Note that the problem described in this patch occurs since the
introduction of the nfnetlink_queue conntrack support, select a
sufficiently old Fixes: tag for -stable kernel to pick up this fix.
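The two meanings of ct->timeout that the commit message describes (a relative interval before confirmation, an absolute jiffies stamp after it) are easiest to see with numbers. The following is an added user-space model written for this page; it is not kernel code and not the patch. The names model_ct, model_now, confirm(), the *_buggy/*_fixed pairs and the jiffies values are assumptions chosen to mirror the message: the buggy setter and dumper treat the field as a timestamp unconditionally, the fixed ones check the confirmed flag first, and confirm() adds the current stamp once, which is how the second addition the message mentions arises.

```c
/* Added example, not from the kernel or the patch: models the
 * interval-vs-timestamp semantics of (struct nf_conn)->timeout.
 * All names and jiffies values below are assumptions/constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <limits.h>

#define HZ 100u

/* Stand-in for nfct_time_stamp (current jiffies); set by the caller. */
static uint32_t model_now;

struct model_ct {
    bool confirmed;    /* stands in for IPS_CONFIRMED in ct->status */
    uint32_t timeout;  /* interval while unconfirmed, absolute stamp once confirmed */
};

/* Confirmation turns the stored interval into an absolute expiry by
 * adding the current stamp exactly once. */
static void confirm(struct model_ct *ct)
{
    ct->timeout += model_now;
    ct->confirmed = true;
}

/* Pre-fix behaviour: always store a timestamp, regardless of state. */
static void set_timeout_buggy(struct model_ct *ct, uint64_t timeout)
{
    if (timeout > INT_MAX) timeout = INT_MAX;
    ct->timeout = model_now + (uint32_t)timeout;
}

/* Post-fix behaviour: only a confirmed entry holds a timestamp. */
static void set_timeout_fixed(struct model_ct *ct, uint64_t timeout)
{
    if (timeout > INT_MAX) timeout = INT_MAX;
    if (ct->confirmed)
        ct->timeout = model_now + (uint32_t)timeout;
    else
        ct->timeout = (uint32_t)timeout;
}

/* Pre-fix dump: subtracts the stamp even from a plain interval. */
static long dump_timeout_buggy(const struct model_ct *ct)
{
    long remaining = (long)(int32_t)(ct->timeout - model_now);
    return remaining < 0 ? 0 : remaining / HZ;
}

/* Post-fix dump: subtract only when the field really is a timestamp. */
static long dump_timeout_fixed(const struct model_ct *ct)
{
    long remaining;
    if (ct->confirmed)
        remaining = (long)(int32_t)(ct->timeout - model_now);
    else
        remaining = (long)ct->timeout;
    return remaining < 0 ? 0 : remaining / HZ;
}

/* Scenario 1 from the message: the timeout is set on a not-yet-confirmed
 * entry, the entry is then confirmed, and the timeout is read back.
 * Returns the seconds remaining right after confirmation. */
static long remaining_after_confirm(bool use_fix, uint32_t now, uint32_t seconds)
{
    struct model_ct ct = { .confirmed = false, .timeout = 0 };
    model_now = now;
    if (use_fix) set_timeout_fixed(&ct, (uint64_t)seconds * HZ);
    else         set_timeout_buggy(&ct, (uint64_t)seconds * HZ);
    confirm(&ct);   /* the buggy path now carries model_now twice */
    return use_fix ? dump_timeout_fixed(&ct) : dump_timeout_buggy(&ct);
}

/* Scenario 2: an unconfirmed entry is dumped (the nfqueue call trace). */
static long remaining_unconfirmed(bool use_fix, uint32_t now, uint32_t seconds)
{
    struct model_ct ct = { .confirmed = false, .timeout = (uint32_t)seconds * HZ };
    model_now = now;
    return use_fix ? dump_timeout_fixed(&ct) : dump_timeout_buggy(&ct);
}

int main(void)
{
    /* constructed: 500000 jiffies of uptime at HZ=100, a 30 s timeout */
    printf("confirmed,   buggy: %ld s\n", remaining_after_confirm(false, 500000, 30));
    printf("confirmed,   fixed: %ld s\n", remaining_after_confirm(true,  500000, 30));
    printf("unconfirmed, buggy: %ld s\n", remaining_unconfirmed(false, 500000, 30));
    printf("unconfirmed, fixed: %ld s\n", remaining_unconfirmed(true,  500000, 30));
    return 0;
}
```

With the buggy pair the confirmed entry reports 5030 s instead of 30 s (the uptime stamp has been folded in twice and subtracted once), and the unconfirmed entry reports 0 s because a bare interval had the stamp subtracted from it; the fixed pair reports 30 s in both cases. This is also why the message adds that ctnetlink must set IPS_CONFIRMED before applying the timeout: once the setter branches on the flag, an entry created through ctnetlink has to be in the state the setter expects.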

Impact