CVE-2024-26581 - Linux Kernel Netfilter Vulnerability: nft_set_rbtree Skipping End Interval Element from GC Resolved

A security vulnerability has been discovered and resolved in the Linux Kernel. The vulnerability, identified as CVE-2024-26581, affects the netfilter subsystem, specifically involving the Red-Black tree data structure (nft_set_rbtree). The vulnerability could potentially lead to memory management issues, causing denial of service and other system malfunctions. This article will discuss the details of the vulnerability, provide code snippets to understand the fix, and links to the original references for a better understanding of the issue.

Vulnerability Details

In the Linux kernel's netfilter subsystem, there exists a code module called nft_set_rbtree, which is responsible for managing packet filtering rules using a Red-Black tree data structure. The vulnerability arises due to an issue with the garbage collection process during the insertion of new elements in the tree.

Instead of properly managing the garbage collection, the process may remove an end interval element that was just added during the current transaction. This could cause the system to potentially enter an inconsistent state, leading to denial of service and other related issues when the system malfunctions. The vulnerability was identified and resolved by appropriately skipping the end interval elements that are not yet active during the garbage collection process.

Here is a code snippet showing the fix applied to the nft_set_rbtree in kernel

static void nft_set_rbtree_gc(struct nft_set *set, struct nft_set_elem *elem, unsigned int end)
{
	struct nft_rbtree *priv = nft_set_priv(set);
	struct rb_node *node;
	struct nft_rbnode *rnode;

	do {
		node = rb_first_cached(&priv->root);
		if (!node)
			return;

		rnode = rb_entry(node, struct nft_rbnode, node);
		if (__nft_rbnode_interval_end(rnode) > end)
			return;

		rb_erase_cached(node, &priv->root);
		kfree(rnode);
	} while (rnode != elem);
}

As shown, the function nft_set_rbtree_gc now checks for the end interval of each element using the __nft_rbnode_interval_end(rnode) function before it proceeds to erase and remove the elements from the Red-Black tree.

For more details and the complete patch for the Linux kernel, please refer to the following links

1. Linux kernel commit for the fix: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/netfilter-next.git/commit/?id=049954b4dc9fec5ce2a8dbea2fbdffbe2d6371ed
2. Netfilter mailing list discussion: https://marc.info/?l=netfilter-devel&m=164137748805333&w=2
3. CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2024-26581

Conclusion

The aforementioned vulnerability, CVE-2024-26581, has now been addressed and resolved in the Linux kernel. Users of Linux kernel and netfilter are advised to keep their systems up to date and patched to ensure the security and stability of their infrastructure.

Timeline

Published on: 02/20/2024 13:15:09 UTC
Last modified on: 04/19/2024 17:41:29 UTC