A vulnerability designated CVE-2024-26809 has been identified and fixed in the Linux kernel. It lives in the netfilter subsystem, specifically in the nft_set_pipapo set backend (the "pile packet policies" implementation nf_tables uses for sets of concatenated ranges). When such a set was destroyed, the elements it contained could be released twice, a double free of kernel memory with the usual consequences: memory corruption, a crash, or worse if an attacker can shape the heap.

In this post, we will be covering the details of the vulnerability, related code snippets, and the fixes applied to ensure the safe and secure functioning of the affected subsystem in the Linux kernel.

The Vulnerability

The CVE-2024-26809 vulnerability was discovered in the netfilter subsystem of the Linux kernel, in the nft_set_pipapo set backend. The pipapo backend keeps two copies of its lookup table: the live one that packet lookups use, and a clone that pending transactions are applied to before being committed. Both copies refer to the same element objects. Prior to the fix, the destroy path released the elements through the live table and then again through the clone, so the same element could be freed twice. That is a double free in kernel memory, and a local attacker who can manage nftables sets could turn it into memory corruption and potentially a privilege escalation. Creating and deleting nftables sets requires CAP_NET_ADMIN, but on systems where unprivileged user namespaces are enabled an ordinary local user can obtain that capability inside a namespace of their own, which is the reason bugs in nf_tables are treated as reachable by unprivileged local users.

Original References

Before diving into the code and fix details, here are the subjects of the two commits involved, as they appear in the Linux kernel changelog:

- netfilter: nft_set_pipapo: release elements in clone only from destroy path
- netfilter: nf_tables: integrate pipapo into commit protocol

Code Snippet

In order to understand the vulnerability and the fix for CVE-2024-26809, consider the following schematic of the set destroy callback, nft_pipapo_destroy(), before the fix. This is a simplified sketch, not the kernel source verbatim: the element release helper is called once for the live table and once more for the clone, with the remaining teardown elided:

static void nft_pipapo_destroy(const struct nft_ctx *ctx,
			       const struct nft_set *set)
{
	struct nft_pipapo *priv = nft_set_priv(set);
	struct nft_pipapo_match *m;

	/* first pass: release the elements reachable from the live table */
	m = rcu_dereference_protected(priv->match, true);
	if (m) {
		nft_set_pipapo_match_destroy(ctx, set, m);
		...
	}

	/* second pass: release the elements reachable from the clone */
	if (priv->clone) {
		m = priv->clone;
		nft_set_pipapo_match_destroy(ctx, set, m);
		...
	}
}

The clone is a copy of the lookup table, not a copy of the elements: both tables point at the same element objects. Walking both tables therefore releases every shared element twice, which is the crux of the CVE-2024-26809 vulnerability.
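The following user-space program is an added example, not kernel code and not part of the original post. It models the aliasing described above with toy structures (struct elem, struct match, struct pipapo are stand-ins for the kernel's types) and replaces the actual free of an element with a release counter, so the double release can be observed and counted instead of crashing the process. The two destroy routines mirror the pre-fix flow (walk the live table, then the clone) and the fixed flow (release elements through the clone only, free the table memory of both copies):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the pipapo set destroy path (constructed for this example,
 * not kernel code). Elements are owned by the set; the live lookup table
 * and its clone both hold raw pointers to the same element objects. */
#define NELEMS 4

struct elem {
	int id;
	int released;	/* how many times a destroy pass released this element */
};

struct match {
	struct elem *e[NELEMS];
	int n;
};

struct pipapo {
	struct match *match;	/* live table, what packet lookups see */
	struct match *clone;	/* working copy, present for the set's whole lifetime */
};

/* Analogue of cloning the table: the new table shares the element objects. */
static struct match *clone_match(const struct match *old)
{
	struct match *new = malloc(sizeof(*new));

	if (!new)
		return NULL;
	memcpy(new, old, sizeof(*new));
	return new;
}

/* Analogue of releasing every element reachable from one table. A real
 * kernel would free the element here; we only count the release. */
static void release_elems(struct match *m)
{
	for (int i = 0; i < m->n; i++)
		m->e[i]->released++;
}

/* Pre-fix flow: release through the live table, then through the clone.
 * Since both tables alias the same elements, each is released twice. */
static void destroy_before_fix(struct pipapo *priv)
{
	if (priv->match) {
		release_elems(priv->match);
		free(priv->match);
		priv->match = NULL;
	}
	if (priv->clone) {
		release_elems(priv->clone);
		free(priv->clone);
		priv->clone = NULL;
	}
}

/* Fixed flow: the clone is the current view of the set, so elements are
 * released through it only; the live table's own memory is still freed. */
static void destroy_after_fix(struct pipapo *priv)
{
	release_elems(priv->clone);
	free(priv->clone);
	priv->clone = NULL;
	free(priv->match);
	priv->match = NULL;
}

/* Build a set with NELEMS elements, clone its table, run the given destroy
 * routine and return how many elements were released more than once. */
static int count_double_releases(void (*destroy)(struct pipapo *))
{
	struct elem elems[NELEMS];
	struct match *m = calloc(1, sizeof(*m));
	struct pipapo priv;
	int dup = 0;

	if (!m)
		return -1;
	for (int i = 0; i < NELEMS; i++) {
		elems[i].id = i;
		elems[i].released = 0;
		m->e[i] = &elems[i];
	}
	m->n = NELEMS;
	priv.match = m;
	priv.clone = clone_match(m);
	if (!priv.clone) {
		free(m);
		return -1;
	}

	destroy(&priv);

	for (int i = 0; i < NELEMS; i++)
		if (elems[i].released > 1)
			dup++;
	return dup;
}

int main(void)
{
	printf("before fix: %d of %d elements released twice\n",
	       count_double_releases(destroy_before_fix), NELEMS);
	printf("after fix:  %d of %d elements released twice\n",
	       count_double_releases(destroy_after_fix), NELEMS);
	return 0;
}
```

In the kernel the second release is a real kfree() of an object that is already on the freelist, so the equivalent of the "before fix" line corresponds to a double free that KASAN reports as a double-free/use-after-free in the nft_pipapo_destroy path.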

The Fix

To address this issue, the kernel developers changed the destroy path so that it releases elements through the clone only. The clone is always present and already reflects the current state of the lookup table, so there is no need to walk the live table as well; the commit message puts it this way:

> Clone already always provides a current view of the lookup table, use it to destroy the set, otherwise it is possible to destroy elements twice.

The commit message also records which earlier commits the fix builds on, since the clone only exists for the whole lifetime of the set once pipapo was integrated into the nf_tables commit protocol:

- The fix requires: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
- This fix came after: 9827a0e6e23b ("netfilter: nft_set_pipapo: release elements in clone from abort path")

With this change applied, the double release is gone: each element is released exactly once, through the clone, which removes the memory corruption primitive behind CVE-2024-26809.

To ensure your system is protected against CVE-2024-26809, update to a distribution or stable kernel that includes the fix commit "netfilter: nft_set_pipapo: release elements in clone only from destroy path", or backport that commit (together with its prerequisite 212ed75dc5fb, if your tree lacks it) to your custom kernel build. The affected code is part of the nf_tables core, so a system is exposed whenever the nf_tables modules can be loaded, not only when pipapo sets are currently in use; restricting unprivileged user namespaces reduces the local attack surface but is not a substitute for the fix.

Timeline

Published on: 04/04/2024 10:15:09 UTC
Last modified on: 06/25/2024 23:15:25 UTC