I don't understand, does this lead to privilege escalation by parsing a crafted netfilter rule? I am under the impression that I need NET_CAP_ADMIN or root privs to do this on my machines to load said rule anyway, right? So this affects deployments where regular users are able to send netfilter rules to the kernel, right?
> In order for an unprivileged attacker to exploit this issue, unprivileged user- and network namespaces access is required (CLONE_NEWUSER | CLONE_NEWNET)
My understanding is that you can supply netfilter code which reads/writes to register memory which is outside of the registers struct. So the rules bytecode you provide can do out-of-bounds access when the rule is executed, rather than when parsed.
You can either do this as NET_CAP_ADMIN, or when you create your own user+network namespace as an unprivileged user (which may not be allowed on your system either).
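To answer the "may not be allowed on your system" question for a given host, here is an added check script (not from this thread or from the kernel project) that reads the sysctl knobs gating unprivileged user namespaces and, when run as a normal user, tries `unshare -Urn true`; the knob paths other than `user.max_user_namespaces` are distro-specific and are an assumption noted in the code.

```python
"""Is unprivileged user+net namespace creation (the exploit precondition
named above) available on this host? Added example, not from the thread."""
import os
import subprocess

# Knobs that gate unprivileged namespace creation on common distributions.
# Assumption: kernel.unprivileged_userns_clone exists only on Debian/Ubuntu
# patched kernels; kernel.apparmor_restrict_unprivileged_userns is the
# Ubuntu 23.10+ AppArmor knob. Absent files are simply skipped.
SYSCTLS = {
    "max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    "unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
    "apparmor_restrict": "/proc/sys/kernel/apparmor_restrict_unprivileged_userns",
}


def read_sysctls(paths=SYSCTLS):
    """Return {name: int} for the knobs present on this kernel."""
    values = {}
    for name, path in paths.items():
        try:
            with open(path) as fh:
                values[name] = int(fh.read().strip())
        except (FileNotFoundError, PermissionError, ValueError):
            continue
    return values


def classify(values):
    """Map knob values to 'blocked', 'restricted' or 'allowed'."""
    if values.get("max_user_namespaces") == 0:
        return "blocked"      # no user namespaces for anyone
    if values.get("unprivileged_userns_clone") == 0:
        return "blocked"      # unprivileged CLONE_NEWUSER disabled
    if values.get("apparmor_restrict", 0) == 1:
        return "restricted"   # AppArmor confines unconfined users' unshare
    return "allowed"


def probe_unshare():
    """Empirical check: can this process unshare user+net namespaces?"""
    try:
        r = subprocess.run(["unshare", "-Urn", "true"], capture_output=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None           # util-linux unshare unavailable: inconclusive
    return r.returncode == 0


if __name__ == "__main__":
    knobs = read_sysctls()
    print("sysctls:", knobs, "->", classify(knobs))
    if os.geteuid() == 0:
        print("running as root; re-run as an unprivileged user for a real probe")
    else:
        print("unshare -Urn true succeeded:", probe_unshare())
```

The empirical probe is the authoritative answer; the sysctl verdict only explains why it succeeded or failed.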
With user namespaces all of that is accessible now. For decades upstream hasn't cared about privesc, let alone root -> kernel privesc, but now everyone's root lol