ghsa-4rw8-6238-r9gq
Vulnerability from github
Published
2025-02-05 12:33
Modified
2025-02-05 12:33
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't skip expired elements during walk

There is an asymmetry between commit/abort and preparation phase if the following conditions are met:

  1. set is a verdict map ("1.2.3.4 : jump foo")
  2. timeouts are enabled

In this case, following sequence is problematic:

  1. element E in set S refers to chain C
  2. userspace requests removal of set S
  3. kernel does a set walk to decrement chain->use count for all elements from preparation phase
  4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase)

If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed.

Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure.

Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-52924"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-05T10:15:21Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: don\u0027t skip expired elements during walk\n\nThere is an asymmetry between commit/abort and preparation phase if the\nfollowing conditions are met:\n\n1. set is a verdict map (\"1.2.3.4 : jump foo\")\n2. timeouts are enabled\n\nIn this case, following sequence is problematic:\n\n1. element E in set S refers to chain C\n2. userspace requests removal of set S\n3. kernel does a set walk to decrement chain-\u003euse count for all elements\n   from preparation phase\n4. kernel does another set walk to remove elements from the commit phase\n   (or another walk to do a chain-\u003euse increment for all elements from\n    abort phase)\n\nIf E has already expired in 1), it will be ignored during list walk, so its use count\nwon\u0027t have been changed.\n\nThen, when set is culled, -\u003edestroy callback will zap the element via\nnf_tables_set_elem_destroy(), but this function is only safe for\nelements that have been deactivated earlier from the preparation phase:\nlack of earlier deactivate removes the element but leaks the chain use\ncount, which results in a WARN splat when the chain gets removed later,\nplus a leak of the nft_chain structure.\n\nUpdate pipapo_get() not to skip expired elements, otherwise flush\ncommand reports bogus ENOENT errors.",
  "id": "GHSA-4rw8-6238-r9gq",
  "modified": "2025-02-05T12:33:06Z",
  "published": "2025-02-05T12:33:06Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52924"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1da4874d05da1526b11b82fc7f3c7ac38749ddf8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/24138933b97b055d486e8064b4a1721702442a9b"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/59dab3bf0b8fc08eb802721c0532f13dd89209b8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7c7e658a36f8b1522bd3586d8137e5f93a25ddc5"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/94313a196b44184b5b52c1876da6a537701b425a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b15ea4017af82011dd55225ce77cce3d4dfc169c"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/bd156ce9553dcaf2d6ee2c825d1a5a1718e86524"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.