The Linux kernel is the core of the Linux operating system, and its security matters accordingly. CVE-2023-52923 covers a fix in the netfilter subsystem of the Linux kernel; the fix itself was merged into mainline in 2023, and the CVE record for it was published in January 2025. Netfilter is the kernel's packet filtering framework, the part of the networking stack that classifies, filters and processes network packets.

The affected code is the set backend of nf_tables, the kernel's current packet classification framework and the successor to iptables, and specifically its garbage collection of expired set elements. The fix reworks the set backends (rbtree, hash and pipapo) to use the Garbage Collection (GC) transaction API instead of the older GC API.

This post gives an overview of CVE-2023-52923: the original references, a simplified look at the relevant code, and what is known about exploitation.

Vulnerability Details

The problem was in the garbage collection (GC) of expired set elements in the netfilter subsystem. Set elements are the entries of an nftables set (addresses, ports, intervals and so on), not rules; a set can be created with a timeout so that its entries expire and must eventually be reclaimed. The set backends relied on an older, buggy GC API together with a "busy mark" approach, under which asynchronous GC (a workqueue) removed expired elements on its own. That removal could race with control-plane transactions running concurrently on the same set, which is the race the fix closes.

To fix this, the GC transaction API has been adopted, with the following changes:

1. No set elements are removed by asynchronous garbage collection anymore. Instead, expired elements get the _DEAD bit (NFT_SET_ELEM_DEAD_BIT) set, which makes them invisible to lookups while leaving their memory allocated.

2. Asynchronous GC now enqueues transaction work. If that work races with a control-plane transaction, the GC transaction is aborted and collection is retried later, instead of elements being removed in a way that can race with the control plane.

3. Synchronous ("control plane") garbage collection for the rbtree and pipapo backends does not set the _DEAD bit, because it runs with the commit mutex held. In that path, expired elements are deactivated, removed, and then released through an RCU callback. Since it holds the mutex, synchronous GC cannot race with a transaction and therefore needs no failure or retry path.
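As an added example (not code from this page or from the kernel), the following userspace C model shows the contract the three points above describe: an asynchronous pass that only marks expired elements dead, so lookups stop matching them while their memory stays allocated; a commit step that releases a batch only if no control-plane transaction ran in between, and otherwise drops the batch so a later pass retries; and a synchronous path that, holding the mutex, removes expired elements directly. All names (struct elem, gc_async, gc_commit, gc_sync, the seq counter) are this example's own, and the linked list standing in for the rbtree and the seq check standing in for the kernel's GC sequence number are deliberate simplifications.

```c
/* Userspace model of the two-phase GC scheme (hypothetical example, not
 * kernel code). A linked list stands in for the rbtree, "dead" for the _DEAD
 * bit, and "seq" for the sequence a GC transaction is checked against. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct elem {
	uint32_t key;
	uint64_t expires;	/* expiry timestamp; 0 means never expires */
	bool dead;		/* set by async GC; lookups skip dead elements */
	struct elem *next;
};

struct set {
	struct elem *head;
	size_t nelems;		/* elements still linked, dead or alive */
	uint64_t seq;		/* bumped by every control-plane transaction */
};

#define GC_BATCH_MAX 8
struct gc_batch {
	struct elem *elems[GC_BATCH_MAX];
	size_t cnt;
	uint64_t seq;		/* set->seq observed when the batch was built */
};

static bool elem_expired(const struct elem *e, uint64_t now)
{
	return e->expires != 0 && now >= e->expires;
}

int set_add(struct set *s, uint32_t key, uint64_t expires)
{
	struct elem *e = calloc(1, sizeof(*e));
	if (!e)
		return -1;
	*e = (struct elem){ .key = key, .expires = expires, .next = s->head };
	s->head = e;
	s->nelems++;
	return 0;
}

/* Data-plane lookup: dead or expired elements never match, although they
 * are still linked into the set and their memory is still allocated. */
const struct elem *set_lookup(const struct set *s, uint32_t key, uint64_t now)
{
	for (const struct elem *e = s->head; e; e = e->next)
		if (e->key == key && !e->dead && !elem_expired(e, now))
			return e;
	return NULL;
}

/* Unlink and free one linked element; only called with the (imaginary)
 * commit mutex held, i.e. from gc_commit and gc_sync. */
static void set_unlink(struct set *s, struct elem *victim)
{
	struct elem **pp = &s->head;
	while (*pp != victim)
		pp = &(*pp)->next;
	*pp = victim->next;
	s->nelems--;
	free(victim);
}

/* Async GC pass: set the dead bit on expired elements and queue them; nothing
 * is unlinked or freed. Elements left dead by a dropped batch are queued again. */
size_t gc_async(struct set *s, struct gc_batch *b, uint64_t now)
{
	b->cnt = 0;
	b->seq = s->seq;
	for (struct elem *e = s->head; e && b->cnt < GC_BATCH_MAX; e = e->next) {
		if (elem_expired(e, now)) {
			e->dead = true;
			b->elems[b->cnt++] = e;
		}
	}
	return b->cnt;
}

/* Commit an async batch. A control-plane transaction in between (seq mismatch)
 * drops the batch: its elements stay dead and invisible until a later pass
 * collects them. Returns the number of elements actually released. */
size_t gc_commit(struct set *s, struct gc_batch *b)
{
	size_t n = 0;
	if (b->seq == s->seq)
		for (; n < b->cnt; n++)
			set_unlink(s, b->elems[n]);
	b->cnt = 0;
	return n;
}

/* Sync (control-plane) GC: runs with the mutex held, so expired elements are
 * removed directly; neither the dead bit nor the retry path is needed. */
size_t gc_sync(struct set *s, uint64_t now)
{
	size_t n = 0;
	for (struct elem *e = s->head, *next; e; e = next) {
		next = e->next;
		if (elem_expired(e, now)) {
			set_unlink(s, e);
			n++;
		}
	}
	return n;
}
```

The state to look at is the one in the middle: after gc_async an expired element is already unreachable through set_lookup while set.nelems has not changed, and a batch dropped because of a seq mismatch leaves the element in exactly that state rather than freeing it, so nothing that still holds a pointer to it is left with freed memory.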

Code Snippet

The following simplified sketch illustrates the asynchronous GC loop of the rbtree set backend after the fix. It is not the verbatim patch (interval-end handling, locking and the retry path are omitted); see the commit referenced below for the real code:

/* Simplified sketch, not the verbatim kernel code: expired elements are only
 * marked dead and queued on the GC transaction; nothing is unlinked or freed
 * here. Release happens later, when the GC transaction is committed. */
static void rbtree_gc(struct nft_set *set, struct nft_trans_gc *gc)
{
	struct nft_rbtree *priv = nft_set_priv(set);
	struct nft_rbtree_elem *rbe;
	struct rb_node *node;

	for (node = rb_first(&priv->root); node != NULL; node = rb_next(node)) {
		rbe = rb_entry(node, struct nft_rbtree_elem, node);

		if (!nft_set_elem_expired(&rbe->ext))
			continue;

		/* Sets the _DEAD bit: lookups stop matching, memory stays. */
		nft_set_elem_dead(&rbe->ext);
		nft_trans_gc_elem_add(gc, rbe);
	}
}

Original References & Resources

The vulnerability has been resolved in the mainline Linux kernel as part of the following patch: netfilter: nf_tables: adapt set backend to use GC transaction API

Further information regarding the nf_tables framework and other related details can be found in the official Linux kernel documentation: Linux kernel networking - nftables

Exploit Details

There are no known public exploits for CVE-2023-52923 at the time of writing. The practical check is whether the running kernel (uname -r) contains the fix according to your distribution's advisory for this CVE; the affected code runs in the kernel, so updating to a patched kernel is the remediation.

Conclusion

CVE-2023-52923 is a reminder to keep the core components of the Linux kernel current. Adopting the GC transaction API in the nf_tables set backends removes the race between asynchronous garbage collection and the control plane, and with it the flaw in the packet filtering mechanism. Update to a kernel that contains the fix.

Timeline

Published on: 01/20/2025 11:15:07 UTC