A vulnerability, CVE-2023-52924, has been discovered and resolved in the Linux kernel's netfilter subsystem. This post covers the details of the vulnerability, the code involved, links to the original references, and what is known about exploitation.
Details
The vulnerability is in the Linux kernel's netfilter subsystem, specifically nf_tables. The issue lies in how expired elements are handled during a walk of a set. It triggers when the following steps occur:
1. The kernel does a set walk to decrement chain->use for every element, from the preparation phase.
2. The kernel does another set walk to remove the elements from the commit phase (or, from the abort phase, another walk to increment chain->use for every element).
If element E has already expired during step 1, it is ignored during the list walk, so its use count is never modified.
When the set is culled, the ->destroy callback removes element E via nf_tables_set_elem_destroy(). That function is only safe for elements that were deactivated earlier, in the preparation phase: without the earlier deactivate call the element is removed but the chain use count is leaked. This results in a WARN splat when the chain is later removed, plus a leak of the nft_chain structure.
Resolution
To resolve the vulnerability, pipapo_get() must be updated not to skip expired elements; otherwise the flush command reports incorrect ENOENT errors.
The relevant part of the original pipapo_get() code might look something like this:
    /* expired element: bail out of the lookup and report it as missing */
    if (nft_set_elem_expired(ext)) {
        rcu_read_unlock();
        return ERR_PTR(-ENOENT);
    }
To fix the vulnerability, this check is removed so that the function no longer skips expired elements.
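As an added illustration, not kernel code and not part of the patch, the following C model reproduces the use-count asymmetry described above: the preparation walk either skips or visits the already-expired element E, the cull removes every element regardless, and the leftover chain->use decides whether the chain can be freed. All struct and function names here are constructed for the model.

```c
/* Added model, not kernel code: the prepare-phase walk and the set cull
 * described above, with the fix selected by walk_skips_expired.  All
 * struct and function names here are constructed for the model. */
#include <stdbool.h>
#include <stddef.h>

struct chain { int use; };                  /* stands in for nft_chain->use */
struct elem  { bool expired; struct chain *target; };

/* Preparation phase: walk the set and drop the chain reference held by
 * every element visited.  The vulnerable walk ignores expired elements. */
static void deactivate_walk(struct elem *set, size_t n, bool walk_skips_expired)
{
    for (size_t i = 0; i < n; i++) {
        if (walk_skips_expired && set[i].expired)
            continue;                       /* E skipped: use count untouched */
        set[i].target->use--;
    }
}

/* Set cull (->destroy): every element is zapped, whether or not the
 * preparation walk ever deactivated it, so chain->use is not revisited. */
static void cull_set(struct elem *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        set[i].target = NULL;
}

/* Chain removal: mirrors the check that WARNs on a non-zero use count
 * and leaves the chain allocated instead of freeing it. */
bool chain_destroy(struct chain *c)
{
    return c->use == 0;                     /* false: WARN splat + nft_chain leak */
}

/* Flush a constructed two-element verdict map whose element E expired
 * before the walk; returns the references still counted on the chain. */
int flush_scenario(bool walk_skips_expired)
{
    struct chain c = { .use = 2 };          /* two elements jump to this chain */
    struct elem set[2] = {
        { .expired = false, .target = &c },
        { .expired = true,  .target = &c }, /* element E */
    };

    deactivate_walk(set, 2, walk_skips_expired);
    cull_set(set, 2);
    return c.use;                           /* 1 = leaked reference, 0 = clean */
}
```

With the vulnerable walk one reference stays on the chain after the flush, so chain_destroy() refuses to free it; with the fixed walk the count returns to zero.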
References
1. Original patch submission resolving the netfilter nf_tables vulnerability: https://www.spinics.net/lists/netfilter-devel/msg64956.html
2. Linux kernel netfilter documentation: https://www.kernel.org/doc/html/latest/networking/netfilter.html
Exploit Details
Currently, there are no known public exploits for this vulnerability. However, an attacker with knowledge of this issue could potentially abuse it to cause denial of service and resource leaks, and possibly further exploitation. The best course of action is to apply the available patch or update the kernel to a version containing the fix.
Timeline
Published on: 02/05/2025 10:15:21 UTC