CVE-2024-56638

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
27/12/2024
Last modified:
07/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nft_inner: incorrect percpu area handling under softirq

Softirq can interrupt ongoing packet from process context that is walking over the percpu area that contains inner header offsets.

Disable bh and perform three checks before restoring the percpu inner header offsets to validate that the percpu area is valid for this skbuff:

1) If the NFT_PKTINFO_INNER_FULL flag is set on, then this skbuff has already been parsed before for inner header fetching to register.

2) Validate that the percpu area refers to this skbuff using the skbuff pointer as a cookie. If there is a cookie mismatch, then this skbuff needs to be parsed again.

3) Finally, validate if the percpu area refers to this tunnel type.

Only after these three checks the percpu area is restored to an on-stack copy and bh is enabled again.

After inner header fetching, the on-stack copy is stored back to the percpu area.
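The three checks and the restore/store-back sequence described above, as a user-space C model. This is an added example, not the kernel's code: the struct layouts, function names, the INNER_FULL constant and the constructed "parse" result are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define INNER_FULL 0x1u /* models the NFT_PKTINFO_INNER_FULL flag */
struct pkt { unsigned flags; int outer_len; }; /* stand-in for an skbuff */
struct tun_ctx { uintptr_t cookie; int type; int inner_off; };

static struct tun_ctx percpu_slot; /* models one CPU's shared area */
static int parse_calls;            /* counts full parses */

/* Copy the shared slot to the caller's copy only if all three checks pass.
 * The kernel does this with bh disabled; here call order simulates softirq. */
static bool restore_ctx(const struct pkt *p, int type, struct tun_ctx *out)
{
    if (!(p->flags & INNER_FULL)) return false;           /* 1) never parsed */
    if (percpu_slot.cookie != (uintptr_t)p) return false; /* 2) other packet */
    if (percpu_slot.type != type) return false;           /* 3) other tunnel type */
    *out = percpu_slot;
    return true;
}

/* Store the on-stack copy back, tagged with the owning packet. */
static void save_ctx(struct pkt *p, const struct tun_ctx *ctx)
{
    percpu_slot = *ctx;
    percpu_slot.cookie = (uintptr_t)p;
    p->flags |= INNER_FULL;
}

/* Inner header offset for p; parses again when the slot is not p's. */
static int inner_offset(struct pkt *p, int type)
{
    struct tun_ctx ctx = {0};
    if (!restore_ctx(p, type, &ctx)) {
        parse_calls++;
        ctx.type = type;
        ctx.inner_off = p->outer_len + 8 * type; /* constructed parse result */
    }
    save_ctx(p, &ctx);
    return ctx.inner_off;
}

int main(void)
{
    struct pkt a = {0, 20}, b = {0, 40}; /* constructed packets */
    inner_offset(&a, 1); /* process context parses a */
    inner_offset(&b, 1); /* simulated softirq reuses the slot for b */
    return inner_offset(&a, 1) == 28 ? 0 : 1; /* a is parsed again */
}
```

In the model, packet a still carries the flag after the slot has been reused for b, so the flag alone cannot show that the slot belongs to a; the cookie and tunnel-type comparisons are what force the second parse.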

Vulnerable products and versions

CPE                                                  From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.2 (including)   6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.7 (including)   6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*