CVE-2024-26925 netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

2024-04-2421:49:23

Linux

www.cve.org

linux kernel

netfilter

nf_tables

mutex

async gc

transaction replay

AI Score

7.7

Confidence

High

EPSS

Percentile

10.3%

JSON

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/netfilter/nf_tables_api.c"
    ],
    "versions": [
      {
        "version": "4b6346dc1edf",
        "lessThan": "61ac7284346c",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "23292bdfda5f",
        "lessThan": "2cee2ff7f8cc",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "b44a459c6561",
        "lessThan": "eb769ff4e281",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "5d319f7a8143",
        "lessThan": "8d3a58af50e4",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "720344340fb9",
        "lessThan": "8038ee3c3e5b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "720344340fb9",
        "lessThan": "a34ba4bdeec0",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "720344340fb9",
        "lessThan": "0d459e2ffb54",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/netfilter/nf_tables_api.c"
    ],
    "versions": [
      {
        "version": "6.5",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.5",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.274",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.215",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.15.155",
        "lessThanOrEqual": "5.15.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.1.86",
        "lessThanOrEqual": "6.1.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.6.26",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.8.5",
        "lessThanOrEqual": "6.8.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.9",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]