CVE-2021-46913 is a bug in the nftables code of the Linux kernel's netfilter subsystem, in the handling of set elements that carry a connlimit expression. Each element's expression was copied from the set's expression template with memcpy(); for connlimit that byte copy mis-initialised the expression's list state, and the set garbage collector later crashed when it walked that list. This post gives an overview of the bug, the relevant kernel trace and commit message, references, and what is known about exploitability. The fix has been in the mainline kernel since 2021; the CVE identifier itself was published in February 2024.

Vulnerability Description

In the Linux kernel's netfilter subsystem, nftables is responsible for packet filtering and classification. A set can be given a stateful expression template (for example connlimit) that is attached to every element added to the set. Before the fix, the template was copied into each new element with memcpy(). Connlimit's private data includes a list head for the connections it tracks, so the byte copy left each element's list head pointing into the template's list instead of at an initialised, empty list of its own. When the set's garbage collector later walked that list it dereferenced memory that was not a valid list of its own and crashed. The fix uses nft_expr_clone() instead, which lets the expression type initialise the per-element connlimit state correctly.

The fix's commit message carries this kernel oops: the set garbage collector (the nft_rhash_gc workqueue) crashing inside nf_conncount's find_or_evict() while walking the copied list

[  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
...

The commit message for the fix summarises the defect

memcpy() breaks when using connlimit in set elements. Use
nft_expr_clone() to initialize the connlimit expression list, otherwise
connlimit garbage collector crashes when walking on the list head copy.

Resolution

The fix replaces the memcpy() of the set's expression template with a call to nft_expr_clone(). Rather than copying raw bytes, nft_expr_clone() gives the expression type the chance to initialise the new element's private state, so each connlimit element starts with its own properly initialised connection list and the garbage collector no longer walks into the template's list.
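To make the memcpy-versus-clone distinction in the description and the resolution concrete, here is an added userspace C model (example code written for this post, not kernel source): a template struct embeds a list head, a raw memcpy() copy leaves the copy's head pointing into the template's list, while a clone that re-initialises the head gives the element a list of its own. The list helpers imitate <linux/list.h>; struct connlimit_expr, element_gc_walk() and the guarded gc_walk() are hypothetical stand-ins for nft_connlimit's state and the conncount walk, not kernel APIs.

```c
/*
 * Added example (not kernel code): a userspace model of why copying an
 * expression template with memcpy() breaks an expression whose private
 * data embeds a list head, and what a proper clone does instead.
 * The list primitives imitate <linux/list.h>; struct connlimit_expr is a
 * hypothetical stand-in for nft_connlimit's private data.
 */
#include <stdio.h>
#include <string.h>

/* Circular doubly-linked list with a sentinel head, as in the kernel. */
struct list_head {
	struct list_head *next, *prev;
};

static void list_init(struct list_head *head)
{
	head->next = head;
	head->prev = head;
}

static void list_add_tail(struct list_head *node, struct list_head *head)
{
	node->prev = head->prev;
	node->next = head;
	head->prev->next = node;
	head->prev = node;
}

/* Per-connection entry tracked by the (hypothetical) connlimit state. */
struct conn_node {
	struct list_head node;
	unsigned int id;
};

/* Stand-in for the connlimit expression: configuration plus a list head
 * that owns runtime state. The list head is what memcpy() cannot copy. */
struct connlimit_expr {
	unsigned int limit;
	struct list_head conns;
};

/* Pre-fix behaviour: raw byte copy. The copy's conns.next/conns.prev still
 * point at the template's nodes (or at the template's own head). */
static void expr_memcpy(struct connlimit_expr *dst,
			const struct connlimit_expr *src)
{
	memcpy(dst, src, sizeof(*dst));
}

/* Post-fix behaviour, modelled on what nft_expr_clone() achieves: copy the
 * configuration and give the new element a freshly initialised list. */
static void expr_clone(struct connlimit_expr *dst,
		       const struct connlimit_expr *src)
{
	dst->limit = src->limit;
	list_init(&dst->conns);
}

/* A garbage-collector style walk. Returns the number of nodes reached, or
 * -1 if the list is not self-contained: the first node points back at a
 * different head, links are torn, or the walk never returns to `head`.
 * The kernel has no such guard; it simply dereferences and crashes. */
static int gc_walk(const struct list_head *head, int max_steps)
{
	const struct list_head *p;
	int n = 0;

	if (head->next->prev != head)
		return -1;
	for (p = head->next; p != head; p = p->next) {
		if (++n > max_steps)
			return -1;
		if (p->next->prev != p || p->prev->next != p)
			return -1;
	}
	return n;
}

/* Build a template that tracks `n` (<= 4) connections, derive an element
 * from it with either routine, let the element track one connection of
 * its own, and report what a GC walk over the element sees. */
int element_gc_walk(unsigned int n, int use_memcpy)
{
	struct connlimit_expr tmpl, elem;
	struct conn_node tmpl_nodes[4], own;
	unsigned int i;

	tmpl.limit = 3;
	list_init(&tmpl.conns);
	for (i = 0; i < n && i < 4; i++) {
		tmpl_nodes[i].id = i;
		list_add_tail(&tmpl_nodes[i].node, &tmpl.conns);
	}

	if (use_memcpy)
		expr_memcpy(&elem, &tmpl);
	else
		expr_clone(&elem, &tmpl);

	/* With the memcpy copy this splices `own` into the template's list. */
	own.id = 100;
	list_add_tail(&own.node, &elem.conns);

	return gc_walk(&elem.conns, 16);
}

int main(void)
{
	printf("memcpy copy, empty template:  %d\n", element_gc_walk(0, 1));
	printf("memcpy copy, 2 tracked conns: %d\n", element_gc_walk(2, 1));
	printf("clone, 2 tracked conns:       %d\n", element_gc_walk(2, 0));
	return 0;
}
```

The memcpy cases return -1 because the element's list head points back at the template's head, and inserting into the copy also rewrites links in the template's list; the clone cases return 1, the element's own connection. In the kernel there is no guard like gc_walk(), so the bad walk surfaces as the find_or_evict() oops in the periodic garbage collector rather than at element insertion time.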

References

1. The fix was posted and discussed on the Linux kernel mailing list (link in the original post).
2. The fixing commit in the kernel Git tree is "netfilter: nftables: clone set element expression template" (link in the original post).

Exploit Details

Triggering the bug does not need crafted packets so much as nftables configuration rights: whoever can configure nftables (CAP_NET_ADMIN, which unprivileged user namespaces hand to ordinary users on many distributions) creates a set with a connlimit expression and adds an element to it, and the periodic set garbage collector then walks the miscopied list and crashes. The documented impact is a kernel crash (denial of service). Because the crash comes from walking a list head that points into another object's state, memory corruption is possible in principle, but no code-execution exploit has been demonstrated. To date there is no publicly available exploit for CVE-2021-46913 and no known exploitation in the wild.

Conclusion

CVE-2021-46913 covers a netfilter bug in which nftables copied a connlimit set element expression with memcpy() and the set garbage collector then crashed on the copied list head; the fix, switching to nft_expr_clone(), was merged in 2021. Administrators running kernels that predate the fix, in particular where nftables sets use connlimit or where untrusted users can configure nftables inside their own network namespaces, should update to a kernel that carries it.

Timeline

Published on: 02/27/2024 07:15:07 UTC
Last modified on: 04/10/2024 13:45:03 UTC