ghsa-hxw5-pvw5-67pp
Vulnerability from github
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: skip netdev events generated on netns removal
syzbot reported following (harmless) WARN:
WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468 nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline] nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline] __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524 nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline] nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382
reproducer: unshare -n bash -c 'ip link add br0 type bridge; nft add table netdev t ; \ nft add chain netdev t ingress { type filter hook ingress device "br0" \ priority 0\; policy drop\; }'
Problem is that when netns device exit hooks create the UNREGISTER event, the .pre_exit hook for nf_tables core has already removed the base hook. Notifier attempts to do this again.
The need to do base hook unregister unconditionally was needed in the past, because notifier was last stage where reg->dev dereference was safe.
Now that nf_tables does the hook removal in .pre_exit, this isn't needed anymore.
{ "affected": [], "aliases": [ "CVE-2021-47452" ], "database_specific": { "cwe_ids": [], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2024-05-22T07:15:10Z", "severity": null }, "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: skip netdev events generated on netns removal\n\nsyzbot reported following (harmless) WARN:\n\n WARNING: CPU: 1 PID: 2648 at net/netfilter/core.c:468\n nft_netdev_unregister_hooks net/netfilter/nf_tables_api.c:230 [inline]\n nf_tables_unregister_hook include/net/netfilter/nf_tables.h:1090 [inline]\n __nft_release_basechain+0x138/0x640 net/netfilter/nf_tables_api.c:9524\n nft_netdev_event net/netfilter/nft_chain_filter.c:351 [inline]\n nf_tables_netdev_event+0x521/0x8a0 net/netfilter/nft_chain_filter.c:382\n\nreproducer:\nunshare -n bash -c \u0027ip link add br0 type bridge; nft add table netdev t ; \\\n nft add chain netdev t ingress \\{ type filter hook ingress device \"br0\" \\\n priority 0\\; policy drop\\; \\}\u0027\n\nProblem is that when netns device exit hooks create the UNREGISTER\nevent, the .pre_exit hook for nf_tables core has already removed the\nbase hook. Notifier attempts to do this again.\n\nThe need to do base hook unregister unconditionally was needed in the past,\nbecause notifier was last stage where reg-\u003edev dereference was safe.\n\nNow that nf_tables does the hook removal in .pre_exit, this isn\u0027t\nneeded anymore.", "id": "GHSA-hxw5-pvw5-67pp", "modified": "2024-05-22T09:31:45Z", "published": "2024-05-22T09:31:45Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47452" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/68a3765c659f809dcaac20030853a054646eb739" }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/90c7c58aa2bd02c65a4c63b7dfe0b16eab12cf9f" } ], "schema_version": "1.4.0", "severity": [] }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.