A recently resolved vulnerability in the Linux kernel, specifically in netfilter's nft_set_pipapo, has been brought to light by Pablo. The issue is a crash that occurs with large batches of elements added and removed in a back-to-back pattern. This post provides an in-depth understanding of the vulnerability and discusses how it was resolved in the kernel, along with links to the original references and exploit details.

Original Report

Pablo reported a crash involving large batches of elements with a back-to-back add/remove pattern, quoting the following sequence of events:

add_elem("00000000") timeout 100 ms
...
add_elem("000000X") timeout 100 ms
del_elem("000000X") <---------------- delete one that was just added
...
add_elem("00005000") timeout 100 ms

Further investigation found the following.

Problem Description

Looking at the remove function, there is a chance that it drops a rule that maps to a non-deactivated element. Removal happens in two steps. First, a lookup for key 'k' returns the element to be removed and marks it as inactive in the next generation. Second, the element is removed from the set/map.

The _remove function does not work correctly when more than one element shares the same key. This can happen if an element is inserted into a set that already holds an element with the same key, but the element mapping to the existing key has timed out or is not active in the next generation.

In this situation, the removal may unmap the wrong element. If that happens, the non-deactivated element is leaked and becomes unreachable, while the element that was deactivated (and will be freed later) remains reachable in the set data structure. A later lookup can then retrieve that element through a stale pointer and crash.

Solution

To address this vulnerability, a check was added to ensure that the fully matching key maps to the element marked as inactive in the deactivation step. If this is not the case, the search must continue. Additionally, a bug/warn trap has been added at the end of the function, ensuring that the remove function is never called with an invisible, unreachable, or non-existent element.
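The following toy model, added here as an illustration and not taken from the kernel source, reproduces the two-step removal on a tiny rule-to-element map: an expired element and a live element share the key "000000X", the live one is deactivated in step 1, and step 2 is run once as the original (buggy) search and once with the fix's check that the matching rule maps to the deactivated element. All names (struct toy_set, deactivate, remove_buggy, remove_fixed, stale_after_delete) are constructed for this example.

```c
#include <stdbool.h>
#include <string.h>

#define MAX_RULES 8
#define KEY "000000X"  /* constructed key shared by both elements */

struct elem {
    char key[16];
    bool active_next;  /* false = timed out or deactivated in the next generation */
};

struct toy_set {
    struct elem *map[MAX_RULES];  /* rule index -> element; NULL when the slot is free */
    int n;
};

/* Step 1: look up the key, return the live element and mark it inactive. */
static struct elem *deactivate(struct toy_set *s, const char *key)
{
    for (int i = 0; i < s->n; i++) {
        struct elem *e = s->map[i];
        if (e && e->active_next && strcmp(e->key, key) == 0) {
            e->active_next = false;
            return e;
        }
    }
    return NULL;
}

/* Step 2 before the fix: unmap the first fully matching rule, whichever element it maps to. */
static struct elem *remove_buggy(struct toy_set *s, const char *key, struct elem *target)
{
    (void)target;
    for (int i = 0; i < s->n; i++) {
        struct elem *e = s->map[i];
        if (e && strcmp(e->key, key) == 0) { s->map[i] = NULL; return e; }
    }
    return NULL;
}

/* Step 2 after the fix: the matching rule must map to the element deactivated in step 1; otherwise keep searching. */
static struct elem *remove_fixed(struct toy_set *s, const char *key, struct elem *target)
{
    for (int i = 0; i < s->n; i++) {
        struct elem *e = s->map[i];
        if (e && e == target && strcmp(e->key, key) == 0) { s->map[i] = NULL; return e; }
    }
    return NULL;  /* the kernel fix traps here: remove must never miss its element */
}

/* Expired element first, live element with the same key second, then delete the key.
 * Returns true when the deactivated (soon to be freed) element is still reachable. */
static bool stale_after_delete(bool use_fixed)
{
    static struct elem old_e, new_e;
    struct toy_set s = { .n = 2 };
    strcpy(old_e.key, KEY); old_e.active_next = false;  /* timed out */
    strcpy(new_e.key, KEY); new_e.active_next = true;
    s.map[0] = &old_e; s.map[1] = &new_e;
    struct elem *target = deactivate(&s, KEY);  /* finds new_e */
    if (use_fixed) remove_fixed(&s, KEY, target); else remove_buggy(&s, KEY, target);
    for (int i = 0; i < s.n; i++)
        if (s.map[i] == target) return true;  /* stale pointer left in the set */
    return false;
}
```

With the buggy search the expired element is unmapped and the deactivated one stays reachable; with the check from the fix the correct element is removed.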

- Linux Kernel Mailing List (LKML) Discussion
- Kernel.org Commit

Conclusion

This report highlights the recently resolved vulnerability CVE-2024-26924 in the Linux kernel. Understanding and applying the updated code ensures that this vulnerability no longer threatens the system's stability.

Timeline

Published on: 04/25/2024 06:15:57 UTC
Last modified on: 07/03/2024 01:50:00 UTC