CVE-2024-26643: Fixing a Race Condition Vulnerability in the Linux Kernel with Netfilter nf_tables

A security vulnerability, identified as CVE-2024-26643, has been discovered and resolved in the Linux kernel. The vulnerability was found in the netfilter nf_tables subsystem, specifically in the handling of anonymous sets with a timeout. This post will provide an overview of the vulnerability, code snippets to illustrate the issue and the fix, links to original references, and details about the exploit.

Vulnerability Details

In the Linux kernel, the netfilter nf_tables subsystem is affected by a race condition vulnerability when unbinding anonymous sets with a timeout. Essentially, the rhashtable set garbage collection (GC) can collect elements from anonymous sets with timeouts while it is being released from the commit path.

Original References

Mingi Cho originally reported this issue in a different path in version 6.1.x with a pipapo set with low timeouts. However, this is not possible upstream since the commit 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout").

Florian Westphal indicated in the commit 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort") that he plans to accelerate the abort path by releasing objects via a workqueue.

Code Snippet

To fix this issue, the developers set the dead flag for anonymous sets, which will skip the async GC in this case. The dead flag is also set for the abort path.

Here is an example of the code modification

static void nft_set_commit(struct nft_set *set, u32 timeout)
{
         /* ... */

         if (nft_set_is_anonymous(set)) {
             set->flags |= NFT_SET_F_DEAD;
             /* ... */
         }

         /* ... */
}

Exploit Details

While the specific details for exploiting this vulnerability have not been published, a race condition such as this could potentially allow an attacker to cause a denial of service or execute arbitrary code on an affected system. It is essential to apply the latest kernel updates that contain the fix for CVE-2024-26643 to mitigate the risk of an attack.

Conclusion

The resolution of CVE-2024-26643 in the Linux kernel highlights the importance of continually reviewing and updating software for security vulnerabilities and potential exploits. The developers behind the kernel, particularly those working on netfilter nf_tables, are doing essential work to keep Linux systems secure and stable. Upgrading to a kernel version containing the fix for this vulnerability is highly recommended for any Linux systems using netfilter nf_tables.

Timeline

Published on: 03/21/2024 11:15:28 UTC
Last modified on: 04/13/2024 12:15:11 UTC