A recent discovery has led to the resolution of a significant vulnerability in the Linux kernel, specifically involving the _netfilter iptables_ component:
A report came in stating that iptables-restore would sometimes cause a null pointer dereference at boot time []. This issue arose due to the fact that iptable_nat_table_init() was exposed to user space before the kernel had fully initialized the netns component.
To avoid this problem, the proposed solution is to call register_pernet_subsys() before xt_register_template(). As a result, the kernel will no longer experience a null pointer dereference during the aforementioned race window.
Original references related to this vulnerability can be found at:
[]: Iptables restore log (truncated for brevity)
bpfilter: Loaded bpfilter_umh pid 11702
Started bpfilter
BUG: kernel NULL pointer dereference, address: 0000000000000013
? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)
? xt_find_table_lock (net/netfilter/x_tables.c:1259)
? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)
? page_fault_oops (arch/x86/mm/fault.c:727)
? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:147 arch/x86/mm/fault.c:1518)
? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)
? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat
xt_find_table_lock (net/netfilter/x_tables.c:1259)
xt_request_find_table_lock (net/netfilter/x_tables.c:1287)
get_info (net/ipv4/netfilter/ip_tables.c:965)
? security_capable (security/security.c:809 (discriminator 13))
? ns_capable (kernel/capability.c:376 kernel/capability.c:397)
? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)
? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter
nf_getsockopt (net/netfilter/nf_sockopt.c:116)
ip_getsockopt (net/ipv4/ip_sockglue.c:1827)
__sys_getsockopt (net/socket.c:2327)
__x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)
do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)
RIP: 0033:x7f62844685ee
Code: 48 8b d 45 28 f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e f 1f 84 00 00 00 00 00 90 f3 f 1e fa 49 89 ca b8 37 00 00 00 f 05 <48> 3d 00 f ff ff 77 a c3 66 f 1f 84 00 00 00 00 00 48 8b 15 09
RSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037
...
truncated---
<br><br>In conclusion, the CVE-2024-42270 vulnerability has been fixed by implementing a more careful execution order, thus eliminating the null pointer dereference issue in the Linux kernel netfilter iptables` component. This fix ultimately increases the stability and security of the system, particularly during the boot process.
Timeline
Published on: 08/17/2024 09:15:08 UTC
Last modified on: 08/19/2024 20:01:09 UTC