CVE-2021-47394

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> netfilter: nf_tables: unlink table before deleting it<br /> <br /> syzbot reports following UAF:<br /> BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955<br /> nla_strcmp+0xf2/0x130 lib/nlattr.c:836<br /> nft_table_lookup.part.0+0x1a2/0x460 net/netfilter/nf_tables_api.c:570<br /> nft_table_lookup net/netfilter/nf_tables_api.c:4064 [inline]<br /> nf_tables_getset+0x1b3/0x860 net/netfilter/nf_tables_api.c:4064<br /> nfnetlink_rcv_msg+0x659/0x13f0 net/netfilter/nfnetlink.c:285<br /> netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2504<br /> <br /> Problem is that all get operations are lockless, so the commit_mutex<br /> held by nft_rcv_nl_event() isn&amp;#39;t enough to stop a parallel GET request<br /> from doing read-accesses to the table object even after synchronize_rcu().<br /> <br /> To avoid this, unlink the table first and store the table objects in<br /> on-stack scratch space.