In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: split gc into unlink and reclaim phase Yiming Qian reports Use-after-free in the pipapo set type: Under a large number of expired elements, commit-time GC can run for a very long time in a non-preemptible context, triggering soft lockup warnings and RCU stall reports (local denial of service). We must split GC in an unlink and a reclaim phase. We cannot queue elements for freeing until pointers have been swapped. Expired elements are still exposed to both the packet path and userspace dumpers via the live copy of the data structure. call_rcu() does not protect us: dump operations or element lookups starting after call_rcu has fired can still observe the free'd element, unless the commit phase has made enough progress to swap the clone and live pointers before any new reader has picked up the old version. This a similar approach as done recently for the rbtree backend in commit 35f83a75529a ("netfilter: nft_set_rbtree: don't gc elements on insert").
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: netfilter: nft_set_pipapo: dividir la recolección de basura en una fase de desvinculación y una fase de recuperación Yiming Qian informa de un uso después de liberación en el tipo de conjunto pipapo: Bajo un gran número de elementos caducados, la recolección de basura en tiempo de commit puede ejecutarse durante mucho tiempo en un contexto no preemptivo, lo que desencadena advertencias de soft lockup e informes de bloqueo de RCU (denegación de servicio local). Debemos dividir la recolección de basura en una fase de desvinculación y una de recuperación. No podemos poner en cola elementos para su liberación hasta que los punteros hayan sido intercambiados. Los elementos caducados todavía están expuestos tanto a la ruta de paquetes como a los volcadores del espacio de usuario a través de la copia activa de la estructura de datos. call_rcu() no nos protege: las operaciones de volcado o las búsquedas de elementos que comienzan después de que call_rcu se haya activado aún pueden observar el elemento liberado, a menos que la fase de commit haya progresado lo suficiente como para intercambiar los punteros de clonación y activos antes de que cualquier nuevo lector haya tomado la versión antigua. Este es un enfoque similar al realizado recientemente para el backend rbtree en el commit 35f83a75529a ('netfilter: nft_set_rbtree: no recolectar elementos en la inserción').
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
Source: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Type: Secondary
Exploitability Score: 1.8
Impact Score: 5.9
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
CWE-416
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd12b500> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde166380> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd1281c0> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcc9b3300> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd12b680> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdc6a4680> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bde166f00> | Operating System |
| linux | linux_kernel | 5.6 | <built-in method update of dict object at 0x702bde164b40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702b70374b80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdd12a880> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdc9f6e80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bcc9b2e40> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bcc9b24c0> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bdcdbdd80> | Operating System |
| linux | linux_kernel | 7.0 | <built-in method update of dict object at 0x702bde167f80> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.6:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:7.0:rc7:*:*:*:*:*:* |