In late 2023, Linux kernel maintainers resolved a critical vulnerability, now tracked as CVE-2023-52923, in netfilter's nftables subsystem. The bug lay in how set backends managed garbage collection (GC): the old GC API and its "busy mark" mechanism left room for set elements to be mishandled while still in use.
This post will break down what changed, why it matters, and how the updated code works—using clear language, practical code snippets, and exclusive insight.
What Is nf_tables and Why Is GC Important?
nf_tables is the framework that powers firewalling in the Linux kernel. It uses sets (data structures) to optimize how rules are matched. As with all busy systems, old/stale set elements need cleaning up—a process managed by *garbage collection* (GC).
The old GC code was error-prone. If a set element was "busy" (being looked up/modified), the old logic could break down, leading to race conditions, memory leaks, or elements being visible after deletion. CVE-2023-52923 addresses these hazards.
- A "busy mark" was used to label elements that were in use.
- This was not always safe, especially in parallel/async operations.
Spotting The Change: Example Diff
Let's look at the heart of the fix. For clarity, here’s a simplified snippet inspired by the real commit:
Old (pre-fix) GC snippet

```c
/* Simplified, not the literal kernel code: GC walks the set and skips
 * any element currently marked busy. */
if (element->is_busy) {
	/* Defer garbage collection of this element until a later GC run */
	continue;
}
release_set_element(element); /* May race with lookups still using it */
```

New (post-fix) GC transaction snippet

```c
/* Simplified, not the literal kernel code: mark the element dead and hand
 * it to the GC transaction instead of freeing it in place. */
element->flags |= NFT_SET_ELEM_DEAD;
queue_gc_transaction(element);
/* The element is now invisible to lookups, but is only physically freed
 * after a safe RCU grace period */
```
- Deactivate and remove set elements right away.
- After removal, their memory is released using Linux's RCU mechanism.
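To make the two-step pattern concrete, here is an added user-space model (not kernel code, and not from the commit): a dead element disappears from lookups immediately, but its memory is reclaimed only once no reader is active, which stands in for the RCU grace period. The set, element and GC function names are hypothetical.

```c
/* Added illustration, not kernel code: a user-space model of the post-fix
 * nf_tables GC pattern. A DEAD element is hidden from lookups at once, but
 * freed only when no reader is active (a stand-in for an RCU grace period).
 * All names are hypothetical. */
#include <stdlib.h>

#define ELEM_DEAD 0x1u

struct elem { unsigned key; unsigned flags; struct elem *next; };
struct set { struct elem *head; int readers; /* readers inside a lookup */ };

struct elem *set_add(struct set *s, unsigned key)
{
	struct elem *e = calloc(1, sizeof *e);
	if (!e) return NULL;
	e->key = key;
	e->next = s->head;
	s->head = e;
	return e;
}

/* Lookups skip DEAD elements, so setting the bit is enough to hide one. */
struct elem *set_lookup(struct set *s, unsigned key)
{
	for (struct elem *e = s->head; e; e = e->next)
		if (e->key == key && !(e->flags & ELEM_DEAD))
			return e;
	return NULL;
}

/* Step 1 of the GC transaction: mark dead, but leave the memory in place so
 * a reader that already holds the pointer stays safe. */
void gc_mark_dead(struct elem *e) { e->flags |= ELEM_DEAD; }

/* Step 2: once the grace period has elapsed (no active readers), unlink and
 * free every dead element. Returns the number freed; 0 means the grace
 * period has not elapsed and nothing was touched. */
int gc_reclaim_dead(struct set *s)
{
	int freed = 0;
	if (s->readers > 0) return 0;
	for (struct elem **pp = &s->head; *pp; ) {
		struct elem *e = *pp;
		if (e->flags & ELEM_DEAD) { *pp = e->next; free(e); freed++; }
		else pp = &e->next;
	}
	return freed;
}
```

The pre-fix hazard is the opposite ordering: freeing while `readers > 0`, which is exactly what the DEAD bit plus deferred reclaim rules out.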
Before the fix
- Privilege escalation: if set elements were not cleaned up correctly, an attacker could potentially reach stale memory contents.
Technical References and Further Reading
- Official commit: netfilter: nf_tables: adapt set backend to use GC transaction API
- CVE-2023-52923 on NVD
- nf_tables documentation
- Understanding RCU
Recap: Why This Matters
This update for Linux’s nf_tables is more than a minor code tweak—it fundamentally improves the security and stability of Linux firewalls. By switching to a robust GC transaction API and using the _DEAD bit, the kernel's set element handling is now race-free, atomic, and much safer for systems at scale.
If you manage Linux servers or contribute to kernel code, upgrade your kernels now, and check your own application logic for similar stale-element pitfalls!
*Stay tuned for more in-depth vulnerability breakdowns!*
Timeline
Published on: 01/20/2025 11:15:07 UTC
Last modified on: 05/04/2025 07:46:05 UTC