CVE-2023-54200
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/12/2025
Last modified: 30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: always release netdev hooks from notifier

This reverts "netfilter: nf_tables: skip netdev events generated on netns removal".

The problem is that when a veth device is released, the veth release
callback will also queue the peer netns device for removal.

It's possible that the peer netns is also slated for removal. In this
case, the device memory is already released before the pre_exit hook of
the peer netns runs:

BUG: KASAN: slab-use-after-free in nf_hook_entry_head+0x1b8/0x1d0
Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45
Workqueue: netns cleanup_net
Call Trace:
nf_hook_entry_head+0x1b8/0x1d0
__nf_unregister_net_hook+0x76/0x510
nft_netdev_unregister_hooks+0xa0/0x220
__nft_release_hook+0x184/0x490
nf_tables_pre_exit_net+0x12f/0x1b0
..

Order is:
1. First netns is released, veth_dellink() queues peer netns device for removal
2. peer netns is queued for removal
3. peer netns device is released, unreg event is triggered
4. unreg event is ignored because netns is going down
5. pre_exit hook calls nft_netdev_unregister_hooks but device memory might be free'd already.
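
The five-step ordering above, as a simplified state model added here for illustration; it is not kernel code and not part of the commit. All struct and function names are hypothetical, and `freed` is only a flag, so nothing is actually released.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the teardown ordering; every name here is hypothetical. */
struct net  { bool going_down; };                    /* peer network namespace */
struct dev  { bool freed; };                         /* peer veth device */
struct hook { struct dev *dev; bool registered; };   /* netdev hook bound to dev */

/* Steps 3-4: device unregister event. With skip_on_exit (the reverted
 * behaviour) the event is ignored once the netns is going down. */
static void notifier_unregister(const struct net *net, struct hook *h,
                                bool skip_on_exit)
{
    if (skip_on_exit && net->going_down)
        return;                 /* hook stays registered, still points at dev */
    h->registered = false;      /* hook released while dev is still valid */
}

/* Step 5: pre_exit walks hooks that are still registered. Returns true when
 * it would have to dereference a device that is already gone. */
static bool pre_exit_touches_freed_dev(const struct hook *h)
{
    return h->registered && h->dev->freed;
}

/* Runs steps 1-5; returns true if the stale access would occur. */
bool simulate(bool skip_on_exit)
{
    struct net  peer_ns  = { .going_down = false };
    struct dev  peer_dev = { .freed = false };
    struct hook h        = { .dev = &peer_dev, .registered = true };

    /* 1. first netns released, peer device queued for removal */
    /* 2. peer netns is queued for removal as well */
    peer_ns.going_down = true;
    /* 3./4. peer device released: unreg event fires, then memory goes away */
    notifier_unregister(&peer_ns, &h, skip_on_exit);
    peer_dev.freed = true;      /* flag only, models the released memory */
    /* 5. pre_exit hook of the peer netns runs */
    return pre_exit_touches_freed_dev(&h);
}

int main(void)
{
    printf("skip events on netns exit:  stale access = %d\n", simulate(true));
    printf("always release in notifier: stale access = %d\n", simulate(false));
    return 0;
}
```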



