Hi,

On Wed, May 08, 2024 at 12:42:57AM +0800, HexRabbit Chen wrote:
> Hello,
>
> I found a locking issue in nf_tables set element GC implementation and
> exploited it in kernelCTF. The bug breaks the sequence number assumption
> in set asynchronous GC, which can be used to cause double free, and
> leads to local privilege escalation.
>
> Introduced in v6.5:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=720344340fb9
>
> Fixed in v6.9-rc3:
> https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=0d459e2ffb54
It should be noted, though, that this has been backported to the stable series:
5.4.262, 5.10.198, 5.15.134, 6.1.56, 6.4.13, but equally so has the fix, in
5.4.274, 5.10.215, 5.15.155, 6.1.86, 6.6.26, 6.8.5.

Regards.
Salvatore