The Linux kernel has fixed a vulnerability in the netfilter nf_tables subsystem concerning the restoration of set elements when a delete set command fails and the transaction is aborted. From the abort path, nft_mapelem_activate() must restore the reference counters of the objects that the map elements point to, returning them to their original state. This was not done correctly, because the set iterator it relied on skips elements that are inactive in the next generation.

The patch that resolves this moves the check for inactive elements out of the set walk and into the set iterator callback. It then reverses the logic for the .activate case, which needs to skip active elements rather than inactive ones.

Additionally, the patch toggles the next-generation bit of each element when the delete set command is invoked, and calls nft_clear() from the .activate (abort) path to restore that bit.
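The following is a toy model of the generation-mask bookkeeping described above, added here as an illustration; it is not kernel code and does not reproduce the exact pre-fix code path. It keeps the kernel's conventions that a set bit in an element's genmask means "inactive in that generation", that nft_set_elem_active() is !(genmask & mask), and that nft_clear() clears the next-generation bit. It shows why an abort walk that filters on "inactive in the next generation" cannot restore the elements a delete set just deactivated, and how the reversed check plus nft_clear() undoes the delete. The structures, function names and the three-element map are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Toy model of the nf_tables generation-mask bookkeeping (constructed
 * illustration, not kernel code). A set bit in genmask means "inactive in
 * that generation"; the current generation is selected by genbit.
 */
static int genbit;                                   /* flips on commit */
static unsigned int genmask_next(void) { return 1u << !genbit; }

struct obj  { int use; };                            /* object a map element refers to */
struct elem { unsigned int genmask; struct obj *data; };

static bool elem_active(const struct elem *e, unsigned int mask)
{
    return !(e->genmask & mask);                     /* nft_set_elem_active() */
}

/* Delete set: mark every live element inactive in the next generation and
 * drop the reference it holds on its object. */
static void delset_deactivate(struct elem *elems, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!elem_active(&elems[i], genmask_next()))
            continue;                                /* not live, nothing to drop */
        elems[i].genmask ^= genmask_next();          /* nft_set_elem_change_active() */
        elems[i].data->use--;                        /* nft_setelem_data_deactivate() */
    }
}

/* Abort walk with the filter where the page says the old iterator had it:
 * skip elements inactive in the next generation. After a delete set that is
 * every element needing restoration, so nothing is restored. */
static void abort_skip_inactive(struct elem *elems, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!elem_active(&elems[i], genmask_next()))
            continue;
        elems[i].data->use++;
    }
}

/* Abort walk with the fix: the .activate callback reverses the check
 * (skip elements that are still active), clears the next-generation bit
 * and re-takes the object reference. */
static void abort_reversed_check(struct elem *elems, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (elem_active(&elems[i], genmask_next()))
            continue;                                /* never deactivated, leave alone */
        elems[i].genmask &= ~genmask_next();         /* nft_clear() */
        elems[i].data->use++;                        /* nft_setelem_data_activate() */
    }
}

#define NELEMS 3

/* Run delete set then abort on a constructed 3-element map and report the
 * damage: object references not re-taken, and elements left inactive. */
static void run_delset_then_abort(bool reversed_check, int *refs_not_restored,
                                  int *elems_inactive)
{
    struct obj objs[NELEMS] = { { .use = 1 }, { .use = 1 }, { .use = 1 } };
    struct elem elems[NELEMS] = {
        { .genmask = 0, .data = &objs[0] },          /* active in both generations */
        { .genmask = 0, .data = &objs[1] },
        { .genmask = 0, .data = &objs[2] },
    };

    delset_deactivate(elems, NELEMS);
    if (reversed_check)
        abort_reversed_check(elems, NELEMS);
    else
        abort_skip_inactive(elems, NELEMS);

    *refs_not_restored = *elems_inactive = 0;
    for (size_t i = 0; i < NELEMS; i++) {
        if (objs[i].use != 1)
            (*refs_not_restored)++;
        if (!elem_active(&elems[i], genmask_next()))
            (*elems_inactive)++;
    }
}

int refs_not_restored_after_abort(bool reversed_check)
{
    int refs, inactive;
    run_delset_then_abort(reversed_check, &refs, &inactive);
    return refs;
}

int elems_inactive_after_abort(bool reversed_check)
{
    int refs, inactive;
    run_delset_then_abort(reversed_check, &refs, &inactive);
    return inactive;
}

int main(void)
{
    printf("skip-inactive walk: %d refs not restored, %d elements left inactive\n",
           refs_not_restored_after_abort(false), elems_inactive_after_abort(false));
    printf("reversed check:     %d refs not restored, %d elements left inactive\n",
           refs_not_restored_after_abort(true), elems_inactive_after_abort(true));
    return 0;
}
```

With the skip-inactive filter, all three object references stay dropped and all three elements remain inactive after the abort, so the objects' use counts no longer match the map entries that still reference them; with the reversed check every reference and every generation bit is back to its pre-transaction state.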

The impact can be seen in the splat reproduced in the patch description, which reports a memory leak of an object referenced from the mappings:

[Code snippet from the text]

This bug leaves the reference counts of objects referenced by map elements inconsistent after a failed delete set, which can lead to memory leaks and instability on Linux systems using nf_tables, the mechanism behind firewall rules and network address translation (NAT) on most modern Linux servers. Issuing nf_tables commands requires CAP_NET_ADMIN, but on distributions that allow unprivileged user namespaces a local user can obtain that capability inside a namespace of their own, so the affected code path is reachable without root on such systems.

For more information on the netfilter module and the nf_tables subsystem in the Linux kernel, see:

- Netfilter Project Homepage
- nf_tables Documentation
- Linux Kernel Source Code Repository

The patch for this vulnerability can be found on the Linux Kernel Mailing List and in the kernel source repository.

Administrators of Linux-based systems should check their distribution's advisory for the kernel package that carries this fix and update to it as soon as possible. Where the update has to wait, restricting unprivileged user namespaces limits the local users who can issue nf_tables commands and therefore reach the affected code path.

Timeline

Published on: 05/01/2024 06:15:19 UTC
Last modified on: 06/14/2024 18:56:19 UTC