{
  "commit": "fb58ee65b976db7511889e450eea774c01a7e705",
  "tree": "ed62004b38627bbc00750d38e2fddd6f4c003b62",
  "parents": [
    "ce569de41b3ede58fe7996ac948945564a015299"
  ],
  "author": {
    "name": "Andrew Fasano",
    "email": "andrew.fasano@nist.gov",
    "time": "Wed Feb 04 17:46:58 2026 +0100"
  },
  "committer": {
    "name": "Cloud Image Release",
    "email": "cloud-image-release@prod.google.com",
    "time": "Fri Feb 13 11:02:32 2026 -0800"
  },
  "message": "netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()\n\nnft_map_catchall_activate() has an inverted element activity check\ncompared to its non-catchall counterpart nft_mapelem_activate() and\ncompared to what is logically required.\n\nnft_map_catchall_activate() is called from the abort path to re-activate\ncatchall map elements that were deactivated during a failed transaction.\nIt should skip elements that are already active (they don\u0027t need\nre-activation) and process elements that are inactive (they need to be\nrestored). Instead, the current code does the opposite: it skips inactive\nelements and processes active ones.\n\nCompare the non-catchall activate callback, which is correct:\n\n  nft_mapelem_activate():\n    if (nft_set_elem_active(ext, iter-\u003egenmask))\n        return 0;   /* skip active, process inactive */\n\nWith the buggy catchall version:\n\n  nft_map_catchall_activate():\n    if (!nft_set_elem_active(ext, genmask))\n        continue;   /* skip inactive, process active */\n\nThe consequence is that when a DELSET operation is aborted,\nnft_setelem_data_activate() is never called for the catchall element.\nFor NFT_GOTO verdict elements, this means nft_data_hold() is never\ncalled to restore the chain-\u003euse reference count. Each abort cycle\npermanently decrements chain-\u003euse. Once chain-\u003euse reaches zero,\nDELCHAIN succeeds and frees the chain while catchall verdict elements\nstill reference it, resulting in a use-after-free.\n\nThis is exploitable for local privilege escalation from an unprivileged\nuser via user namespaces + nftables on distributions that enable\nCONFIG_USER_NS and CONFIG_NF_TABLES.\n\nFix by removing the negation so the check matches nft_mapelem_activate():\nskip active elements, process inactive ones.\n\nBUG\u003db/483615818\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed KCTF-f41c5d1 in the Linux kernel.\n\ncos-patch: security-high\nFixes: 628bd3e49cba (\"netfilter: nf_tables: drop map element references from preparation phase\")\nChange-Id: I5abba1802e23a51c1ad5ccf484f1dfdc0fd43b08\nSigned-off-by: Andrew Fasano \u003candrew.fasano@nist.gov\u003e\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/131522\nReviewed-by: Angel Adetula \u003cangeladetula@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nMain-Branch-Verified: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/131905\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c00dd7dae5cb96301d1000d78ba8f3e1a0b1dd6f",
      "old_mode": 33188,
      "old_path": "net/netfilter/nf_tables_api.c",
      "new_id": "120d9bd53321ca5d2e010bba41d1b10ccc9b96e9",
      "new_mode": 33188,
      "new_path": "net/netfilter/nf_tables_api.c"
    }
  ]
}
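The refcount consequence that the commit message describes can be traced with a small model of the genmask check. The block below is an added example, not nf_tables code and not part of the commit above: the structs, the single-element "set", the GEN_NEXT constant and the deactivate/abort driver are simplified assumptions. What it keeps from the kernel is the contract of nft_set_elem_active() (a set genmask bit marks the element inactive in that generation) and the shape of the buggy and fixed catchall checks, so it shows in one DELSET-then-abort cycle why the inverted check leaves chain->use one lower than before while the element still points at the chain.

```c
/*
 * Toy model of the genmask / chain->use logic from the commit message.
 * Added example, not kernel code: names and the transaction driver are
 * assumptions, the genmask semantics follow nft_set_elem_active().
 */
#include <stdbool.h>
#include <stdio.h>

/* Assumption: the "next generation" bit the abort path tests against. */
#define GEN_NEXT 0x2u

struct toy_chain {
	int use;                       /* stands in for chain->use */
};

struct toy_elem {
	unsigned int genmask;          /* set bit => inactive in that generation */
	struct toy_chain *goto_chain;  /* stands in for an NFT_GOTO verdict target */
};

/* Same contract as nft_set_elem_active(): active unless the bit is set. */
static bool elem_active(const struct toy_elem *e, unsigned int genmask)
{
	return !(e->genmask & genmask);
}

/* DELSET preparation phase: mark the element inactive for the next
 * generation and drop its chain reference (models
 * nft_setelem_data_deactivate() -> nft_data_release()). */
static void elem_deactivate(struct toy_elem *e)
{
	e->genmask |= GEN_NEXT;
	e->goto_chain->use--;
}

/* What the abort path must do for a deactivated element: clear the mark
 * and take the chain reference back (models nft_clear() +
 * nft_setelem_data_activate() -> nft_data_hold()). */
static void elem_restore(struct toy_elem *e)
{
	e->genmask &= ~GEN_NEXT;
	e->goto_chain->use++;
}

/* Buggy catchall check from the commit message: skips inactive elements,
 * which are exactly the ones that need restoring. */
static void catchall_activate_buggy(struct toy_elem *e)
{
	if (!elem_active(e, GEN_NEXT))
		return;
	elem_restore(e);
}

/* Fixed check, matching nft_mapelem_activate(): skips active elements. */
static void catchall_activate_fixed(struct toy_elem *e)
{
	if (elem_active(e, GEN_NEXT))
		return;
	elem_restore(e);
}

/* Run one DELSET-then-abort cycle against a chain whose only holder is the
 * catchall element, and return chain->use afterwards. A correct abort
 * leaves it at its starting value of 1; 0 is the state in which a later
 * DELCHAIN would be allowed to free a chain the element still points at. */
static int abort_cycle(void (*activate)(struct toy_elem *))
{
	struct toy_chain chain = { .use = 1 };
	struct toy_elem elem = { .genmask = 0, .goto_chain = &chain };

	elem_deactivate(&elem);   /* DELSET preparation phase */
	activate(&elem);          /* transaction aborted: undo the deactivation */
	return chain.use;
}

/* True when the element still references a chain that nothing else holds. */
static bool dangling_after_abort(void (*activate)(struct toy_elem *))
{
	return abort_cycle(activate) == 0;
}

int main(void)
{
	printf("buggy check: chain->use after abort = %d\n",
	       abort_cycle(catchall_activate_buggy));
	printf("fixed check: chain->use after abort = %d\n",
	       abort_cycle(catchall_activate_fixed));
	return 0;
}
```

The model runs a single cycle only; it does not attempt to reproduce the multi-cycle accounting or the DELCHAIN path, and no part of it corresponds to an exploit.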
