CVE-2021-46992: Resolving Vulnerability in Linux Kernel Netfilter nftables

In the Linux kernel, an important vulnerability has been resolved that affects the netfilter subsystem, specifically the nftables implementation. The vulnerability is related to potential overflows in the nft_hash_buckets() function, and it has been assigned the identifier CVE-2021-46992. In this post, we will delve into the details concerning this vulnerability, its potential impact, and the resolution implemented by the Linux kernel maintainers. We will also provide links to the original references for further information.

The issue is centered around the number of buckets being stored in 32-bit variables in the nft_hash_buckets() function. To avoid overflows, it is essential that the function ensures no overflows occur when working with these 32-bit variables.

This vulnerability was discovered when syzbot, an automated tool that tests Linux kernel code, injected a size value of x40000000 (1 << 30) and reported the following:

UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'

This log shows that an undefined behavior sanitizer (UBSAN) check has been triggered, indicating an out-of-bounds shift operation in the code. As a result, there is a need for proper validation and handling of size values to prevent these overflows from occurring.

To address the issue, and as part of the patch applied to resolve the vulnerability, the function nft_hash_estimate() has been modified to ensure no overflows occur in the calculation of the number of buckets. In addition, changes have been made to properly handle and validate size values during the process of selecting the appropriate set operations.

The resolution of this vulnerability is important, as it improves the overall stability and security of the Linux kernel's netfilter subsystem, particularly in the context of nftables. Users running Linux kernels with versions pre-patch are advised to update their systems to a version that includes the patch or consider backporting the patch if they cannot upgrade their kernel. Links to the original references and details about the patch can be found in the official Linux kernel tree at the following commit and patch set:

- Commit: "netfilter: nftables: avoid overflows in nft_hash_buckets()"
- Patch Set: "net: netfilter: nft_set_hash: triggering UBSAN (nft_hash_buckets>NFT_HASH_BUCKETS_MAX)"

In conclusion, CVE-2021-46992 represents a significant vulnerability in the Linux kernel's netfilter subsystem concerning potential overflows in the nft_hash_buckets() function. Users are encouraged to update their systems to a kernel version that includes the necessary patches to mitigate this vulnerability or take appropriate steps to apply the patches manually, if an upgrade is not feasible. By doing so, one will ensure the increased stability and security of their Linux-based systems that rely on the netfilter subsystem and nftables.

Timeline

Published on: 02/28/2024 09:15:37 UTC
Last modified on: 05/29/2024 05:00:09 UTC