Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's netfilter ipset subsystem allows the same network to be added multiple times with different interfaces, potentially leading to excessive memory usage or allocation failures. This issue was reported by Daniel Xu and affects the hash:net,iface type of ipset.
Exploitation of this vulnerability causes excessive kernel memory requests, leading to allocation failures and potential denial of service.
The vulnerability can be reproduced by creating an ipset of type hash:net,iface and then adding the network 0.0.0.0/0 with different interface labels multiple times. This process can be automated with a loop to add the network over 100 times, which will result in a vmalloc error due to the excessive memory request.
The vulnerability has been addressed by enforcing the documented limit that restricts the same network prefix from being stored with more than 64 different interfaces in a single hash:net,iface set.
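An audit for the condition the fix enforces, as an added example (not code from the advisory or the kernel project): it parses text in the `ipset save` format and reports any network stored with more than 64 interfaces in a hash:net,iface set. The function name, set names and sample input are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

MAX_IFACES_PER_NET = 64  # documented per-prefix limit that the fix enforces

# Constructed sample in `ipset save` format; set names are hypothetical.
SAMPLE_SAVE = "\n".join(
    ["create wan hash:net,iface family inet hashsize 1024 maxelem 65536",
     "create plain hash:net family inet hashsize 1024 maxelem 65536",
     "add plain 0.0.0.0/1",
     "add wan 10.0.0.0/8,eth0",
     "add wan 10.0.0.0/8,physdev:eth1 timeout 300"]
    + [f"add wan 0.0.0.0/0,veth{i}" for i in range(70)]
)


def normalize(net):
    """Canonical prefix string; fall back to the raw token if unparsable."""
    try:
        return str(ipaddress.ip_network(net, strict=False))
    except ValueError:
        return net


def audit_net_iface_sets(save_text, limit=MAX_IFACES_PER_NET):
    """Return {(set_name, network): interface_count} for prefixes over limit."""
    tracked = set()              # names of sets created as hash:net,iface
    ifaces = defaultdict(set)    # (set_name, network) -> distinct interfaces
    for line in save_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        verb, name, arg = fields[:3]
        if verb == "create" and arg == "hash:net,iface":
            tracked.add(name)
        elif verb == "add" and name in tracked and "," in arg:
            net, iface = arg.split(",", 1)
            # Keep any "physdev:" prefix: it is part of the element's identity.
            ifaces[(name, normalize(net))].add(iface)
    return {key: len(v) for key, v in ifaces.items() if len(v) > limit}


if __name__ == "__main__":
    for (set_name, net), count in audit_net_iface_sets(SAMPLE_SAVE).items():
        print(f"{set_name}: {net} stored with {count} interfaces (limit 64)")
```

Feed it the text produced by `ipset save` on the host being checked in place of `SAMPLE_SAVE`.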