CVE-2024-35900 - Resolving Netfilter Vulnerability in the Linux Kernel

Overview

In the Linux kernel, a recently resolved vulnerability deals with the netfilter component, specifically with nf_tables. This post aims to provide a comprehensive breakdown of the vulnerability and how it has been addressed. The vulnerability concerns a potential inconsistent state in the nf_tables, which could trigger a warning when attempting to unregister a chain that is already unregistered. The fix ensures that this situation is handled appropriately to prevent the warning and maintain the integrity of the Linux kernel.

The full details of the issue, a code snippet that illustrates the vulnerability, and the exploit details can be found below.

Exploit Details

The vulnerability lies in the netfilter component in the Linux kernel, which in this instance concerns nf_tables. The issue arises when a dormant flag is toggled, disabling hooks in the commit phase by iterating over current chains in the table (existing and new). The following configuration allows for an inconsistent state:

add table x
add chain x y { type filter hook input priority ; }
add table x { flags dormant; }
add chain x w { type filter hook input priority 1; }

This particular configuration leads to the triggering of a warning when attempting to unregister chain w which is already unregistered. The warning can be observed in the console output provided below:

[  127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50                                                                     1 __nf_unregister_net_hook+x21a/x260
[...]
[  127.322519] Call Trace:
[  127.322521]  <TASK>
[  127.322524]  ? __warn+x9f/x1a
[  127.322531]  ? __nf_unregister_net_hook+x21a/x260
[  127.322537]  ? report_bug+x1b1/x1e
[  127.322545]  ? handle_bug+x3c/x70
[  127.322552]  ? exc_invalid_op+x17/x40
[  127.322556]  ? asm_exc_invalid_op+x1a/x20
[  127.322563]  ? kasan_save_free_info+x3b/x60
[  127.322570]  ? __nf_unregister_net_hook+x6a/x260
[  127.322577]  ? __nf_unregister_net_hook+x21a/x260
[  127.322583]  ? __nf_unregister_net_hook+x6a/x260
[  127.322590]  ? __nf_tables_unregister_hook+x8a/xe [nf_tables]
[  127.322655]  nft_table_disable+x75/xf [nf_tables]
[  127.322717]  nf_tables_commit+x2571/x262 [nf_tables]

Resolution

The vulnerability was addressed by ensuring that new basechain is rejected after the table flag update. By implementing this fix, the inconsistent state that previously occurred is now avoided, eliminating the warning and ensuring the integrity of the Linux kernel.

Conclusion

Understanding and resolving vulnerabilities such as the one discussed in this post is crucial to maintaining the security, stability, and overall integrity of the Linux kernel. It is essential that developers stay up-to-date regarding any discovered and resolved vulnerabilities in order to ensure the software they are working with remains secure and reliable.

For original references and further information, consider visiting the following links

- Netfilter
- nf_tables
- Linux kernel

Timeline

Published on: 05/19/2024 09:15:10 UTC
Last modified on: 06/25/2024 22:15:32 UTC