APPLIED: [SRU][N/M/J][PATCH 0/1] CVE-2024-26924
Roxana Nicolescu
roxana.nicolescu at canonical.com
Mon May 27 07:27:09 UTC 2024
On 23/05/2024 00:19, Bethany Jamison wrote:
> [Impact]
>
> netfilter: nft_set_pipapo: do not free live element
>
> Pablo reports a crash with large batches of elements with a
> back-to-back add/remove pattern. Quoting Pablo:
>
> add_elem("00000000") timeout 100 ms
> ...
> add_elem("0000000X") timeout 100 ms
> del_elem("0000000X") <---------------- delete one that was just added
> ...
> add_elem("00005000") timeout 100 ms
>
> 1) nft_pipapo_remove() removes element 0000000X
> Then, KASAN shows a splat.
>
> Looking at the remove function there is a chance that we will drop a
> rule that maps to a non-deactivated element.
>
> Removal happens in two steps, first we do a lookup for key k and return the
> to-be-removed element and mark it as inactive in the next generation.
> Then, in a second step, the element gets removed from the set/map.
>
> The _remove function does not work correctly if we have more than one
> element that share the same key.
>
> This can happen if we insert an element into a set when the set already
> holds an element with same key, but the element mapping to the existing
> key has timed out or is not active in the next generation.
>
> In such a case it's possible that removal will unmap the wrong element.
> If this happens, we will leak the non-deactivated element, it becomes
> unreachable.
>
> The element that got deactivated (and will be freed later) will
> remain reachable in the set data structure, this can result in
> a crash when such an element is retrieved during lookup (stale
> pointer).
>
> Add a check that the fully matching key does in fact map to the element
> that we have marked as inactive in the deactivation step.
> If not, we need to continue searching.
>
> Add a bug/warn trap at the end of the function as well, the remove
> function must not ever be called with an invisible/unreachable/non-existent
> element.
>
> v2: avoid unneeded temporary variable (Stefano)
>
> [Fix]
>
> Noble: Clean cherry-pick from linux.6.8.y
> Mantic: Noble patch applied cleanly
> Jammy: Noble patch applied cleanly
> Focal: not-affected
> Bionic: not-affected
> Xenial: not-affected
> Trusty: not-affected
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the Netfilter framework when setting
> PIPAPO (PIle PAcket POlicies), an issue with this fix would be
> visible to the user via a system crash.
>
> Florian Westphal (1):
> netfilter: nft_set_pipapo: do not free live element
>
> net/netfilter/nft_set_pipapo.c | 14 +++++++++-----
> 1 file changed, 9 insertions(+), 5 deletions(-)
>
Applied to noble:linux, mantic:linux, jammy:linux master-next branches.
Thanks!
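The quoted commit message describes a two-step removal (look up key k and deactivate the matching element, then unlink the element that maps to k) and the failure when two elements share a key. The following is an added illustration written for this page in plain C; it is a simplified model, not the kernel's nft_set_pipapo code, and every name in it (struct elem, set_deactivate, set_remove_buggy, set_remove_fixed, deactivated_still_reachable) is an assumption of the model.

```c
/* Model of the two-step removal from the commit message. Added example for
 * this page; not kernel code. Names and data layout are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8
#define MAX_ELEMS 8

struct elem {
    char key[KEY_LEN + 1];
    bool expired; /* timed out: skipped by lookup, but still linked in the set */
    bool active;  /* active in the next generation */
    bool linked;  /* still reachable from the set data structure */
};

struct set {
    struct elem elems[MAX_ELEMS];
    size_t n;
};

/* Insert a new element. The model allows a second element with the same key
 * when the first one has expired, which is the situation the text describes. */
static struct elem *set_add(struct set *s, const char *key)
{
    if (s->n >= MAX_ELEMS)
        return NULL;
    struct elem *e = &s->elems[s->n++];
    strncpy(e->key, key, KEY_LEN);
    e->key[KEY_LEN] = '\0';
    e->expired = false;
    e->active = true;
    e->linked = true;
    return e;
}

/* Step 1: find the live element for key and mark it inactive in the next
 * generation. Expired elements are not considered a match. */
static struct elem *set_deactivate(struct set *s, const char *key)
{
    for (size_t i = 0; i < s->n; i++) {
        struct elem *e = &s->elems[i];
        if (e->linked && e->active && !e->expired && strcmp(e->key, key) == 0) {
            e->active = false;
            return e;
        }
    }
    return NULL;
}

/* Step 2, before the fix: unlink the first linked element whose key matches,
 * even when it is not the element deactivated in step 1. */
static void set_remove_buggy(struct set *s, struct elem *victim)
{
    for (size_t i = 0; i < s->n; i++) {
        struct elem *e = &s->elems[i];
        if (e->linked && strcmp(e->key, victim->key) == 0) {
            e->linked = false;
            return;
        }
    }
}

/* Step 2, after the fix: a full key match must also be the deactivated element;
 * otherwise keep searching. Falling off the end means the caller passed an
 * unreachable element, which the commit message says must never happen. */
static bool set_remove_fixed(struct set *s, struct elem *victim)
{
    for (size_t i = 0; i < s->n; i++) {
        struct elem *e = &s->elems[i];
        if (!e->linked || strcmp(e->key, victim->key) != 0)
            continue;
        if (e != victim)
            continue; /* same key, different element: not ours to unlink */
        e->linked = false;
        return true;
    }
    fprintf(stderr, "WARN: remove called with an unreachable element\n");
    return false;
}

/* Scenario from the commit message: element A with key k has timed out, B with
 * the same key is added, then k is deleted. Returns true when the deactivated
 * element (which will be freed later) is still reachable: the stale pointer. */
bool deactivated_still_reachable(bool use_fixed)
{
    struct set s = { .n = 0 };
    struct elem *a = set_add(&s, "0000000X");
    a->expired = true;                         /* A timed out, still linked */
    set_add(&s, "0000000X");                   /* B shares the key */
    struct elem *victim = set_deactivate(&s, "0000000X"); /* returns B */
    if (use_fixed)
        set_remove_fixed(&s, victim);
    else
        set_remove_buggy(&s, victim);
    return victim->linked;
}

int main(void)
{
    printf("buggy: deactivated element reachable = %d\n", deactivated_still_reachable(false));
    printf("fixed: deactivated element reachable = %d\n", deactivated_still_reachable(true));
    return 0;
}
```

In the buggy path the expired element A is unlinked while the deactivated B stays in the structure, which is exactly the "stale pointer" the KASAN splat reports; the fixed path skips A because it is not the element returned by the deactivation step.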