The Linux kernel is an ever-evolving piece of software powering millions of devices worldwide. A vulnerability was recently found and fixed in the netfilter nf_tables subsystem. Tracked as CVE-2024-27020, it is a potential data race in the __nft_expr_type_get() function: the list of registered expression types could be walked while another context was unregistering an entry from it. This post gives an overview of the issue, the fix that was merged, simplified snippets of the code change, and references for developers and security researchers who want to follow the details.

Vulnerability Details

In the Linux kernel netfilter subsystem, nf_tables keeps a registry of expression types (cmp, payload, meta and so on). Each type is added to the nf_tables_expressions list by its owning module through nft_register_expr() and removed through nft_unregister_expr(). When a rule is parsed, __nft_expr_type_get() walks that list to find the type matching the expression's name and address family. That walk has no protection against a concurrent nft_unregister_expr() call, which is the data race fixed here.

__nft_expr_type_get() iterated over nf_tables_expressions with a plain list_for_each_entry(), with nothing to stop a concurrent nft_unregister_expr() from unlinking the very entry being examined. A reader could therefore observe an entry in the middle of being removed, and once the owning module went away the entry's memory was no longer guaranteed to be valid for the duration of the walk; the fix commit describes this as a data race on the nf_tables_expressions list entry.

/* Simplified rendering of the unprotected walk in __nft_expr_type_get()
 * (illustrative, not the verbatim kernel source) */
list_for_each_entry(t, &nf_tables_expressions[type], list) {
	if (t->type == type && t->family == family) {
		if (!try_module_get(t->owner))
			return ERR_PTR(-ENOENT);

		return t;
	}
}

The Solution

The fix replaces list_for_each_entry() with list_for_each_entry_rcu() for the walk over nf_tables_expressions inside __nft_expr_type_get(), and brackets the call with rcu_read_lock()/rcu_read_unlock() in the caller, nft_expr_type_get(), so that the entire type query, including taking the module reference, happens inside one RCU read-side critical section. This pairs with the writer side: nft_unregister_expr() unlinks entries with list_del_rcu(), which leaves the removed entry's forward pointer intact so a reader that has already reached it can finish its walk, and the RCU grace period that must elapse before the memory can be released cannot complete while a reader is still inside the critical section.

/* Simplified rendering of the patched walk in __nft_expr_type_get();
 * the caller nft_expr_type_get() now holds rcu_read_lock() around it */
list_for_each_entry_rcu(t, &nf_tables_expressions[type], list) {
	if (t->type == type && t->family == family) {
		if (!try_module_get(t->owner))
			return ERR_PTR(-ENOENT);

		return t;
	}
}

With this change the walk over nf_tables_expressions tolerates a concurrent unregister, and because try_module_get() is taken while still inside the read-side critical section, the returned type's module cannot be unloaded while the caller uses it. The fix is in mainline and has been backported to stable kernels; check the running kernel version against your distribution's advisory for CVE-2024-27020 rather than assuming a recent kernel carries it.
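To make the fixed shape concrete, the following is an added, single-threaded C model of the expression-type registry written for this post; it is not kernel code and not the patch itself. The kernel's list, RCU and module helpers are re-implemented in miniature (a reader depth counter stands in for RCU state, and synchronize_rcu() simply reports whether a reader is still active), and the function and field names mirror the kernel's while their bodies are assumptions of the model. It shows the three things the fix relies on: the lookup runs between rcu_read_lock() and rcu_read_unlock(), the module reference is taken before the critical section ends, and unregistering unlinks first and only then waits out the grace period.

```c
/* Added for this post, not kernel code: a single-threaded model of the nf_tables
 * expression-type registry and the lookup shape the fix uses (helpers are mocks). */
#include <stddef.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };   /* as <linux/list.h> */
#define LIST_HEAD_INIT(name) { &(name), &(name) }
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member)                              \
	for (pos = container_of((head)->next, __typeof__(*pos), member);    \
	     &pos->member != (head);                                        \
	     pos = container_of(pos->member.next, __typeof__(*pos), member))
#define list_for_each_entry_rcu list_for_each_entry  /* protection is the caller's rcu_read_lock() */

static void list_add_rcu(struct list_head *item, struct list_head *head)
{
	item->next = head->next;
	item->prev = head;
	head->next->prev = item;
	head->next = item;
}

/* Unlink; entry->next stays valid so a reader already on this node can finish. */
static void list_del_rcu(struct list_head *entry)
{
	entry->prev->next = entry->next;
	entry->next->prev = entry->prev;
}

/* Depth counter standing in for RCU state; a grace period needs zero readers. */
static int rcu_readers;
static void rcu_read_lock(void)   { rcu_readers++; }
static void rcu_read_unlock(void) { rcu_readers--; }
static int synchronize_rcu(void)  { return rcu_readers == 0 ? 0 : -1; }

struct module { int refcnt; };                  /* refcnt < 0: being unloaded */
static int try_module_get(struct module *m)
{
	if (m->refcnt < 0)
		return 0;
	m->refcnt++;
	return 1;
}

#define NFPROTO_UNSPEC 0
struct nft_expr_type {
	struct list_head list;
	const char *name;
	unsigned char family;
	struct module *owner;
};
static struct list_head nf_tables_expressions =
	LIST_HEAD_INIT(nf_tables_expressions);

/* Family-specific type wins; NFPROTO_UNSPEC is the fallback. Hold rcu_read_lock(). */
static const struct nft_expr_type *__nft_expr_type_get(unsigned char family,
						       const char *name)
{
	const struct nft_expr_type *type, *candidate = NULL;
	list_for_each_entry_rcu(type, &nf_tables_expressions, list) {
		if (strcmp(name, type->name) == 0) {
			if (!type->family && !candidate)
				candidate = type;
			else if (type->family == family)
				candidate = type;
		}
	}
	return candidate;
}

/* Fixed shape: the whole query, including the module reference bump, runs
 * inside one read-side critical section, so the entry cannot go away. */
const struct nft_expr_type *nft_expr_type_get(unsigned char family,
					      const char *name)
{
	const struct nft_expr_type *type;
	rcu_read_lock();
	type = __nft_expr_type_get(family, name);
	if (type && try_module_get(type->owner)) {
		rcu_read_unlock();
		return type;
	}
	rcu_read_unlock();
	return NULL;
}

void nft_register_expr(struct nft_expr_type *type)
{
	list_add_rcu(&type->list, &nf_tables_expressions);
}

/* Unlink, wait out the grace period, then the caller may free. -1: reader active. */
int nft_unregister_expr(struct nft_expr_type *type)
{
	list_del_rcu(&type->list);
	return synchronize_rcu();
}
```

A typical sequence is to register a family-agnostic "cmp" type and an inet-family "cmp" type, look up with the inet family (the family-specific entry wins and its module refcount goes to 1), look up with another family (the NFPROTO_UNSPEC entry is returned), then unregister one type: if a reader is still inside its critical section the model's synchronize_rcu() refuses to complete, which is exactly the condition the real kernel waits on before memory can be reclaimed. A module whose refcount is negative makes try_module_get() fail and the lookup returns NULL, the same path the kernel takes when the owner is being unloaded.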

References

For a more detailed understanding of the issue and the code changes, refer to the following resources:

1. The Linux kernel commit that resolves the issue: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f969eb84ce482331a991079ab7a5c4dc3b7f89bf
2. Documentation for nf_tables module: https://www.kernel.org/doc/Documentation/networking/nf_tables.txt

It is essential to keep up with vulnerability fixes like this one to ensure the security and stability of the systems you work with. With the resolution of CVE-2024-27020, the Linux kernel team continues its ongoing effort to maintain a robust and secure operating system.

Timeline

Published on: 05/01/2024 06:15:20 UTC
Last modified on: 06/27/2024 12:15:23 UTC