CVE-2024-27012

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
01/05/2024
Last modified:
04/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: restore set elements when delete set fails

From abort path, nft_mapelem_activate() needs to restore refcounters to the original state. Currently, it uses the set->ops->walk() to iterate over these set elements. The existing set iterator skips inactive elements in the next generation, this does not work from the abort path to restore the original state since it has to skip active elements instead (not inactive ones).

This patch moves the check for inactive elements to the set iterator callback, then it reverses the logic for the .activate case which needs to skip active elements.

Toggle next generation bit for elements when delete set command is invoked and call nft_clear() from .activate (abort) path to restore the next generation bit.

The splat below shows an object in mappings memleak:

[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118]
[43929.458121] ? __warn+0x9f/0x1a0
[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188] ? report_bug+0x1b1/0x1e0
[43929.458196] ? handle_bug+0x3c/0x70
[43929.458200] ? exc_invalid_op+0x17/0x40
[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512] ? rb_insert_color+0x2e/0x280
[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701] ? __rcu_read_unlock+0x46/0x70
[43929.458709] nft_delset+0xff/0x110 [nf_tables]
[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]
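The refcount bookkeeping the commit message describes, reduced to a constructed user-space model (added here; this is not the kernel's nf_tables code). It assumes a single "next generation" bit in each element's genmask, a walk that either filters inactive elements itself (pre-fix) or leaves the decision to the callback (post-fix), and shows why the abort path fails to restore the object's use count when the iterator skips the inactive elements it needs to visit.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model: a set bit in genmask marks the element INACTIVE in that
 * generation. Only the next-generation bit matters for this scenario. */
#define GEN_NEXT 0x2u

struct obj  { int use; };                       /* object a map element refers to */
struct elem { unsigned genmask; struct obj *obj; };
struct set  { struct elem *elems; size_t n; };

typedef void (*iter_fn)(struct elem *);

static bool elem_active_next(const struct elem *e) { return !(e->genmask & GEN_NEXT); }

/* Pre-fix iterator: skips elements inactive in the next generation itself. */
static void walk_old(struct set *s, iter_fn fn) {
    for (size_t i = 0; i < s->n; i++)
        if (elem_active_next(&s->elems[i])) fn(&s->elems[i]);
}
/* Post-fix iterator: visits every element; the callback decides what to skip. */
static void walk_new(struct set *s, iter_fn fn) {
    for (size_t i = 0; i < s->n; i++) fn(&s->elems[i]);
}

/* Delete-set path: drop the reference and toggle the next-generation bit. */
static void mapelem_deactivate(struct elem *e) {
    if (!elem_active_next(e)) return;           /* already inactive: skip */
    e->obj->use--;
    e->genmask |= GEN_NEXT;
}
/* Abort path: reversed logic, must skip elements that are still ACTIVE. */
static void mapelem_activate(struct elem *e) {
    if (elem_active_next(e)) return;            /* active: nothing to restore */
    e->genmask &= ~GEN_NEXT;                    /* nft_clear(): restore the bit */
    e->obj->use++;
}

/* Run "delete set, then abort" over two map elements that both reference one
 * object (use == 2 initially) and return the object's use count afterwards.
 * A correct abort restores 2; the pre-fix walk never reaches the deactivated
 * elements, so the references are never restored and 0 is returned. */
int refcount_after_abort(bool fixed) {
    struct obj o = { .use = 2 };
    struct elem e[2] = { { 0, &o }, { 0, &o } };
    struct set s = { e, 2 };
    iter_fn_walk: ;
    void (*walk)(struct set *, iter_fn) = fixed ? walk_new : walk_old;
    walk(&s, mapelem_deactivate);               /* delete set */
    walk(&s, mapelem_activate);                 /* abort: undo the delete */
    return o.use;
}
```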

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.4 (including) 6.8.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*