On June 4, 2024, a critical vulnerability "CVE-2024-46855" was disclosed and patched in the Linux kernel. This bug affects netfilter's nft_socket module, specifically its socket reference counting, and could lead to resource leaks, a foundational issue for both reliability and security. In this post, we'll break down the vulnerability in plain language, show what went wrong in the code, link to references, and discuss potential exploit scenarios.
What is netfilter and nft_socket?
netfilter is the core Linux kernel framework for firewalling, NAT, and packet mangling. nft_socket is the nftables expression that lets rules match on the local socket a packet is associated with, so users can write rules that depend on socket state rather than on packet headers alone.
What’s the Problem? (The Vulnerability)
The kernel bug boils down to a missing "put" call on a socket ("sk") reference before returning. When kernel code takes a reference to a socket, it must "put" the reference (let go of it) when it is done. Otherwise the reference "leaks": the socket's reference count never drops back to zero, so the memory and resources it holds are never released, even once nobody needs them.
Imagine grabbing a book from the library and never returning it: do that often enough and the library runs out of books. A kernel that keeps leaking socket references can become unstable or even hit a kernel panic.
The Bad Code (Snippet)
Before the fix, the function nft_socket_get_sk could return early on an error path but forget to drop the reference it held on the socket (simplified sketch):
    struct sock *sk = nft_socket_lookup(...);
    if (!sk)
        return NULL;
    // ... some code ...
    if (some_error)
        return NULL; // <-- Leak! sk should be put here
    return sk;
Any exit path that did not call sock_put(sk) before returning leaked the socket reference.
The fix makes every exit path put the socket reference properly:
    struct sock *sk = nft_socket_lookup(...);
    if (!sk)
        return NULL;
    // ... some code ...
    if (some_error) {
        sock_put(sk); // Proper cleanup!
        return NULL;
    }
    return sk;
See the official commit here:
netfilter: nft_socket: fix sk refcount leaks
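To make the reference-counting discipline concrete, here is a user-space model of the bug and the fix. This is an added example, not kernel code and not part of the upstream commit: the struct sock, sock_hold, sock_put and nft_socket_lookup below are small stand-ins built on a constructed four-entry socket table, and some_error is a hypothetical flag that stands for whatever check the real code performs after the lookup. The outstanding_refs() helper plays the role of a leak detector: after a balanced sequence of holds and puts it must return 0.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not kernel code: a user-space model of the reference
 * discipline the nft_socket fix restores. The helper names mirror the
 * kernel helpers mentioned in the post but are reimplemented here on a
 * tiny constructed socket table. */

#define NSOCK 4

struct sock {
    int port;
    int refcnt;   /* outstanding references; 0 means the object is gone */
};

static struct sock pool[NSOCK];

/* Reset the constructed table: ports 1000..1003, no references held. */
void reset_pool(void)
{
    for (int i = 0; i < NSOCK; i++) {
        pool[i].port = 1000 + i;
        pool[i].refcnt = 0;
    }
}

/* Take a reference: the caller now owes exactly one put. */
static void sock_hold(struct sock *sk)
{
    sk->refcnt++;
}

/* Drop a reference; in the kernel this frees the socket when it hits 0. */
void sock_put(struct sock *sk)
{
    sk->refcnt--;
}

/* Lookup hands back a socket with a reference already taken, like the
 * kernel's socket lookup helpers, or NULL if nothing matches. */
static struct sock *nft_socket_lookup(int port)
{
    for (int i = 0; i < NSOCK; i++) {
        if (pool[i].port == port) {
            sock_hold(&pool[i]);
            return &pool[i];
        }
    }
    return NULL;
}

/* Sum of references still held on every socket. Once every caller has
 * put what it took, this must be 0; anything else is a leak. */
int outstanding_refs(void)
{
    int total = 0;
    for (int i = 0; i < NSOCK; i++)
        total += pool[i].refcnt;
    return total;
}

/* The buggy shape: the error exit returns NULL while still holding the
 * reference the lookup took. some_error is a hypothetical stand-in for
 * the real post-lookup check. */
struct sock *leaky_get_sk(int port, bool some_error)
{
    struct sock *sk = nft_socket_lookup(port);
    if (!sk)
        return NULL;
    if (some_error)
        return NULL;   /* leak: sk is never put */
    return sk;
}

/* The fixed shape, written the way kernel code usually does it: one
 * cleanup label so every error path after the lookup drops the reference. */
struct sock *fixed_get_sk(int port, bool some_error)
{
    struct sock *sk = nft_socket_lookup(port);
    if (!sk)
        return NULL;
    if (some_error)
        goto err_put;
    return sk;          /* success: the caller now owns the reference */
err_put:
    sock_put(sk);
    return NULL;
}

int main(void)
{
    reset_pool();
    leaky_get_sk(1001, true);
    printf("leaky error path: %d reference(s) still held\n", outstanding_refs());

    reset_pool();
    fixed_get_sk(1001, true);
    printf("fixed error path: %d reference(s) still held\n", outstanding_refs());

    struct sock *sk = fixed_get_sk(1002, false);
    if (sk) {
        sock_put(sk);   /* the caller's put balances the lookup's hold */
        printf("success path after put: %d reference(s) still held\n",
               outstanding_refs());
    }
    return 0;
}
```

The design point is the single err_put label: once a function has more than one failure exit after taking a reference, routing them all through one cleanup block is what keeps a later edit from reintroducing exactly this class of leak.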
How Could an Attacker Exploit This?
Potential Denial of Service (DoS):
If attackers can trigger these code paths repeatedly, say, by crafting network packets or rules, they could leak "sk" references over and over. Eventually new sockets fail to be created or the system becomes unstable, leading to:
- Possible kernel panic (full crash)
While this bug offers no direct "get root", any local user able to exercise netfilter rules could potentially hang or break networking on the system.
How To Fix Your System
Upgrade your kernel! The patch has landed in the official kernel stable tree.
Check your distribution's security advisories, for instance:
- Red Hat Bugzilla 2291181
- Debian Security Tracker
Find out your current kernel version by running:
uname -r
References
- Kernel.org CVE-2024-46855 Patch Diff
- CVE Details - CVE-2024-46855
- Red Hat Bugzilla 2291181
The fix is available—update your kernel and you’re safe.
Stay current with patches, and if you write kernel code, always mind reference counts and cleanup!
Timeline
Published on: 09/27/2024 13:15:17 UTC
Last modified on: 10/02/2024 13:21:28 UTC