ACK: [SRU][N/M/J][PATCH 0/1] CVE-2024-26924

Andrei Gherzan andrei.gherzan at canonical.com
Thu May 23 09:56:14 UTC 2024


On 24/05/22 05:19pm, Bethany Jamison wrote:
> [Impact]
> 
> netfilter: nft_set_pipapo: do not free live element
> 
> Pablo reports a crash with large batches of elements with a
> back-to-back add/remove pattern.  Quoting Pablo:
> 
>   add_elem("00000000") timeout 100 ms
>   ...
>   add_elem("0000000X") timeout 100 ms
>   del_elem("0000000X") <---------------- delete one that was just added
>   ...
>   add_elem("00005000") timeout 100 ms
> 
>   1) nft_pipapo_remove() removes element 0000000X
>   Then, KASAN shows a splat.
> 
> Looking at the remove function there is a chance that we will drop a
> rule that maps to a non-deactivated element.
> 
> Removal happens in two steps, first we do a lookup for key k and return the
> to-be-removed element and mark it as inactive in the next generation.
> Then, in a second step, the element gets removed from the set/map.
> 
> The _remove function does not work correctly if we have more than one
> element that share the same key.
> 
> This can happen if we insert an element into a set when the set already
> holds an element with same key, but the element mapping to the existing
> key has timed out or is not active in the next generation.
> 
> In such a case it's possible that removal will unmap the wrong element.
> If this happens, we will leak the non-deactivated element; it becomes
> unreachable.
> 
> The element that got deactivated (and will be freed later) will
> remain reachable in the set data structure; this can result in
> a crash when such an element is retrieved during lookup (stale
> pointer).
> 
> Add a check that the fully matching key does in fact map to the element
> that we have marked as inactive in the deactivation step.
> If not, we need to continue searching.
> 
> Add a bug/warn trap at the end of the function as well, the remove
> function must not ever be called with an invisible/unreachable/non-existent
> element.
> 
> v2: avoid unneeded temporary variable (Stefano)
> 
> [Fix]
> 
> Noble:	Clean cherry-pick from linux.6.8.y
> Mantic:	Noble patch applied cleanly
> Jammy:	Noble patch applied cleanly
> Focal:	not-affected
> Bionic:	not-affected
> Xenial:	not-affected
> Trusty:	not-affected
> 
> [Test Case]
> 
> Compile and boot tested.
> 
> [Where problems could occur]
> 
> This fix affects those who use the Netfilter framework when setting
> PIPAPO (PIle PAcket POlicies), an issue with this fix would be
> visible to the user via a system crash.
> 
> Florian Westphal (1):
>   netfilter: nft_set_pipapo: do not free live element
> 
>  net/netfilter/nft_set_pipapo.c | 14 +++++++++-----
>  1 file changed, 9 insertions(+), 5 deletions(-)

Acked-by: Andrei Gherzan <andrei.gherzan at canonical.com>

-- 
Andrei Gherzan
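The two-step removal described in the quoted commit message (look up the key and mark that element inactive, then unmap it from the set) goes wrong when two elements share a key and only one is active. The following is an added, constructed C model of that situation; it is not the kernel's nft_set_pipapo.c code, and the names `set_remove_buggy`, `set_remove_fixed`, `set_deactivate` and `stale_after_remove` are assumptions made for the illustration. It shows a remove that matches on key alone unmapping the expired element and leaving the deactivated one reachable, versus a remove that insists the matching rule maps to the element deactivated in step one and returns an error (the analogue of the WARN trap) when no such rule exists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the pipapo removal problem; NOT the kernel's code. */

struct elem {
    char key[16];
    bool active;     /* active in the next generation (false = deactivated or timed out) */
};

struct rule {
    struct elem *e;  /* element this rule maps to; NULL = unmapped slot */
};

#define MAX_RULES 8

struct set {
    struct rule rules[MAX_RULES];
    int nrules;
};

int set_insert(struct set *s, struct elem *e) {
    if (s->nrules >= MAX_RULES) return -1;
    s->rules[s->nrules++].e = e;
    return 0;
}

/* Step 1: look up key, return the active element and mark it inactive. */
struct elem *set_deactivate(struct set *s, const char *key) {
    for (int i = 0; i < s->nrules; i++) {
        struct elem *e = s->rules[i].e;
        if (e && e->active && strcmp(e->key, key) == 0) {
            e->active = false;
            return e;
        }
    }
    return NULL;
}

/* Step 2 (buggy): unmap the first rule whose key matches, whatever element it maps to. */
int set_remove_buggy(struct set *s, struct elem *e) {
    for (int i = 0; i < s->nrules; i++) {
        struct elem *r = s->rules[i].e;
        if (r && strcmp(r->key, e->key) == 0) {
            s->rules[i].e = NULL;
            return 0;
        }
    }
    return -1;
}

/* Step 2 (fixed): the fully matching rule must map to the element from step 1. */
int set_remove_fixed(struct set *s, struct elem *e) {
    for (int i = 0; i < s->nrules; i++) {
        struct elem *r = s->rules[i].e;
        if (r && strcmp(r->key, e->key) == 0) {
            if (r != e)
                continue;   /* same key, different element: keep searching */
            s->rules[i].e = NULL;
            return 0;
        }
    }
    return -1;              /* WARN-trap analogue: element not reachable in the set */
}

/* Is element e still reachable through some rule? */
bool set_contains(const struct set *s, const struct elem *e) {
    for (int i = 0; i < s->nrules; i++)
        if (s->rules[i].e == e) return true;
    return false;
}

/* Scenario from the commit message: an element with key K has timed out, a new
 * element with the same key K is added, then that new element is deleted.
 * Returns true if the deactivated element is still reachable after removal
 * (the stale-pointer condition), false if the right element was unmapped. */
bool stale_after_remove(bool use_fixed) {
    struct set s = {0};
    struct elem old_e = { "0000000X", true };   /* constructed sample key */
    struct elem new_e = { "0000000X", true };

    set_insert(&s, &old_e);
    old_e.active = false;                       /* simulate timeout of the old element */
    set_insert(&s, &new_e);                     /* same key re-added while old one is expired */

    struct elem *victim = set_deactivate(&s, "0000000X");   /* must be new_e */
    if (victim != &new_e) return true;

    int rc = use_fixed ? set_remove_fixed(&s, victim) : set_remove_buggy(&s, victim);
    if (rc != 0) return true;
    return set_contains(&s, victim);
}

int main(void) {
    printf("key-only remove leaves stale element: %s\n", stale_after_remove(false) ? "yes" : "no");
    printf("element-checked remove leaves stale element: %s\n", stale_after_remove(true) ? "yes" : "no");
    return 0;
}
```

The pointer comparison in `set_remove_fixed` is the whole fix: a key match is necessary but not sufficient once expired and live elements can coexist under one key, and a remove that finds no rule for the exact element is a bug in the caller, which is why it reports an error rather than silently returning.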
