Instituto Nacional de Ciberseguridad. INCIBE-CERT section

CVE-2023-54243

Severity:
Pending analysis
Type:
Not available / Other type
Publication date:
30/12/2025
Last modified:
30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ebtables: fix table blob use-after-free

We are not allowed to return an error at this point.
Looking at the code it looks like ret is always 0 at this
point, but it's not.

    t = find_table_lock(net, repl->name, &ret, &ebt_mutex);

... this can return a valid table, with ret != 0.

This bug causes update of table->private with the new
blob, but then frees the blob right away in the caller.

Syzbot report:

    BUG: KASAN: vmalloc-out-of-bounds in __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
    Read of size 4 at addr ffffc90005425000 by task kworker/u4:4/74
    Workqueue: netns cleanup_net
    Call Trace:
     kasan_report+0xbf/0x1f0 mm/kasan/report.c:517
     __ebt_unregister_table+0xc00/0xcd0 net/bridge/netfilter/ebtables.c:1168
     ebt_unregister_table+0x35/0x40 net/bridge/netfilter/ebtables.c:1372
     ops_exit_list+0xb0/0x170 net/core/net_namespace.c:169
     cleanup_net+0x4ee/0xb10 net/core/net_namespace.c:613
     ...

ip(6)tables appears to be ok (ret should be 0 at this point) but make
this more obvious.
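The ownership error described in the commit message above, as a simplified user-space model added here (not the kernel's code and not the upstream patch). All names are hypothetical, the stale status value is constructed, and the blob's release is modelled with a flag so that nothing is actually freed.

```c
#include <stdio.h>

/* Simplified user-space model; hypothetical names, not kernel code. */
struct blob  { int freed; };             /* stands in for the table blob */
struct table { struct blob *private; };

static struct blob old_blob, new_blob;
static struct table the_table = { &old_blob };

/* Models a lookup that hands back a valid table while *err != 0.
 * stale_err is a constructed value simulating the leftover status. */
static struct table *lookup(int *err, int stale_err)
{
    *err = stale_err;
    return &the_table;
}

/* Replace step: once t->private is swapped, the table owns the new blob. */
static int replace_finish(struct blob *newinfo, int stale_err, int hardened)
{
    int ret;
    struct table *t = lookup(&ret, stale_err);

    if (!t)
        return -1;               /* failing here is fine: nothing committed */
    t->private = newinfo;        /* commit point: no error return after this */
    if (hardened)
        return 0;                /* success is the only valid result now */
    return ret;                  /* flaw: leaks the stale lookup status */
}

/* Caller: on error it assumes it still owns the new blob and releases it.
 * Returns 1 if the table is left pointing at a released blob. */
static int table_dangles_after_replace(int stale_err, int hardened)
{
    int ret;

    new_blob.freed = 0;
    the_table.private = &old_blob;
    ret = replace_finish(&new_blob, stale_err, hardened);
    if (ret != 0)
        new_blob.freed = 1;      /* models the caller freeing the blob */
    return the_table.private == &new_blob && new_blob.freed;
}

int main(void)
{
    printf("flawed:   dangling=%d\n", table_dangles_after_replace(-4, 0));
    printf("hardened: dangling=%d\n", table_dangles_after_replace(-4, 1));
    return 0;
}
```

In the flawed path the table keeps a pointer to a blob its caller has already released, which is the state a later reader such as the unregister path in the KASAN trace would then touch.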

Impact