
Add kernelCTF CVE-2023-52925_mitigaiton

Open · mingi opened this issue 11 months ago · 1 comment

mingi avatar Feb 16 '25 07:02 mingi

Hi, in your submission you claim that commit 24138933b97b055d486e8064b4a1721702442a9b introduced the bug. That is not possible because you exploited the bug against v6.1.55, which does not have that commit. You even submitted a different exploit (#164) targeting the same instance where you claim that 24138933b97b055d486e8064b4a1721702442a9b fixes the bug that you exploited. Please find out which commit introduced the vulnerability and update your submission.

matrizzo avatar Mar 26 '25 12:03 matrizzo

Hello,

Thank you for reviewing my PR.

I wrote 24138933b97b (“netfilter: nf_tables: don't skip expired elements during walk”) as a vulnerability introducing commit to vulnerability.md because it was in the fixes tag of the patch commit, but the vulnerability was actually introduced by 3c4287f620 (“nf_tables: Add set type for arbitrary concatenation of ranges”). So I updated vulnerability.md accordingly.

I have also updated the write-up based on the comments.

Please check it.

Thanks

mingi avatar May 11 '25 10:05 mingi

This could use some more comments in the trigger function, which is pretty long and doesn't have any comments that explain what each part is doing. In addition the writeup needs an explanation of how not removing an element from the set leads to UaF. When nft_pipapo_remove returns early because pipapo_get returns an error shouldn't the set element simply remain in the set? Why does this cause UaF instead?

matrizzo avatar Jun 06 '25 15:06 matrizzo

Hi, I added some comments to the trigger function. I also added a more detailed description in the exploit.md. The UAF is triggered by creating a dangling pointer to nft_chain.

mingi avatar Sep 17 '25 07:09 mingi

Thank you for the changes, they look good! I merged the PR, you will get an email about the second half of the reward soon.

koczkatamas avatar Sep 26 '25 10:09 koczkatamas