In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

nft_map_catchall_activate() has an inverted element activity check compared to its non-catchall counterpart nft_mapelem_activate() and compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate catchall map elements that were deactivated during a failed transaction. It should skip elements that are already active (they don't need re-activation) and process elements that are inactive (they need to be restored). Instead, the current code does the opposite: it skips inactive elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

```c
nft_mapelem_activate():
	if (nft_set_elem_active(ext, iter->genmask))
		return 0;	/* skip active, process inactive */
```

With the buggy catchall version:

```c
nft_map_catchall_activate():
	if (!nft_set_elem_active(ext, genmask))
		continue;	/* skip inactive, process active */
```

The consequence is that when a DELSET operation is aborted, nft_setelem_data_activate() is never called for the catchall element. For NFT_GOTO verdict elements, this means nft_data_hold() is never called to restore the chain->use reference count. Each abort cycle permanently decrements chain->use. Once chain->use reaches zero, DELCHAIN succeeds and frees the chain while catchall verdict elements still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged user via user namespaces + nftables on distributions that enable CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate(): skip active elements, process inactive ones.
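As an added illustration (not code from the kernel or from the advisory), the constructed model below replays one aborted DELSET against a catchall NFT_GOTO element under both the buggy and the corrected check, showing that the inverted check leaves chain->use one lower after every abort cycle. The struct layouts and the helpers elem_active(), deactivate(), catchall_activate() and abort_cycle() are hypothetical simplifications of the kernel code paths named in the text.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of a catchall map element and the chain its NFT_GOTO
 * verdict references; not the kernel's real structures. */
struct chain { int use; };
struct catchall_elem {
	uint8_t genmask;       /* element generation mask (as in nft_set_ext) */
	struct chain *target;  /* chain the verdict jumps to */
};

/* Same shape as the kernel helper: active when no current-genmask bit is set. */
static bool elem_active(const struct catchall_elem *e, uint8_t genmask)
{
	return !(e->genmask & genmask);
}

/* DELSET deactivation: mark the element inactive and drop its chain reference. */
static void deactivate(struct catchall_elem *e, uint8_t genmask)
{
	e->genmask |= genmask;
	e->target->use--;
}

/* Abort-path reactivation. inverted=true is the buggy check from the advisory,
 * inverted=false the corrected check matching nft_mapelem_activate(). */
static void catchall_activate(struct catchall_elem *e, uint8_t genmask, bool inverted)
{
	bool skip = inverted ? !elem_active(e, genmask) : elem_active(e, genmask);
	if (skip)
		return;
	e->genmask &= ~genmask;   /* element is live again */
	e->target->use++;         /* nft_data_hold() restores chain->use */
}

/* One DELSET that is deactivated and then aborted; returns chain->use afterwards. */
static int abort_cycle(struct chain *c, bool inverted)
{
	struct catchall_elem e = { .genmask = 0, .target = c };
	const uint8_t genmask = 1u << 0;   /* bit of the current generation */
	deactivate(&e, genmask);
	catchall_activate(&e, genmask, inverted);
	return c->use;
}
```

With the corrected check a chain referenced once ends the cycle with use == 1; with the inverted check it ends with use == 0, which is the state in which DELCHAIN is allowed to free it.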
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-416 |
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | * | * | Operating System |
| linux | linux_kernel | 6.4 | - | Operating System |
| linux | linux_kernel | 6.19 | rc1 | Operating System |
| linux | linux_kernel | 6.19 | rc2 | Operating System |
| linux | linux_kernel | 6.19 | rc3 | Operating System |
| linux | linux_kernel | 6.19 | rc4 | Operating System |
| linux | linux_kernel | 6.19 | rc5 | Operating System |
| linux | linux_kernel | 6.19 | rc6 | Operating System |
| linux | linux_kernel | 6.19 | rc7 | Operating System |
| linux | linux_kernel | 6.19 | rc8 | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.4:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |