Linux Kernel Netfilter Nftables Overlap Expiration Handling Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the nftables subsystem, has been addressed. The issue concerns how interval-based set elements are managed in red-black tree (RBT) structures. It arises because the garbage collection process, which is supposed to remove expired entries, does not account for the entire duration of certain intervals, so an interval that is still partly valid can be treated as expired. This flaw can lead to incorrect overlap detection when intervals are processed. The issue can be reproduced with a specific test case from the nftables Git repository on a kernel configured with memory leak tracking.

Impact

The vulnerability could cause incorrect handling of timed intervals, potentially leading to memory management issues such as leaks or corruption.

Reproduction

The vulnerability can be reproduced with the nftables test case located in 'tests/shell/testcases/sets/0044interval_overlap_0'. This test case should be run in a Linux kernel with memory leak tracking (kmemleak) enabled.
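As an aid for the reproduction step above, the following added example (not code from the Linux kernel or the nftables project) parses a kmemleak report and keeps only the leaked objects whose backtrace passes through an nftables symbol, so a run of the test case can be checked for leaks attributable to the nftables subsystem rather than to unrelated kernel activity. The sample report embedded in the block is constructed for illustration; the symbol names in it are illustrative, and the debugfs path and the `scan` trigger are the standard kmemleak interface.

```python
"""Filter a kmemleak report for leaks attributed to nftables (added example)."""
import re
from pathlib import Path

# debugfs node exposed when the kernel is built with CONFIG_DEBUG_KMEMLEAK
KMEMLEAK_PATH = Path("/sys/kernel/debug/kmemleak")
# symbol prefixes used by the nftables core (nft_* helpers, nf_tables_* netlink handlers)
NFT_SYMBOL = re.compile(r"\b(nft_|nf_tables_)")

HEADER = re.compile(r"^unreferenced object (0x[0-9a-f]+) \(size (\d+)\):")
COMM = re.compile(r'^\s+comm "([^"]*)", pid (\d+)')
FRAME = re.compile(r"^\s+\[<[0-9a-f]+>\]\s+(\S+)")

# Constructed sample in kmemleak's report layout: one leak from an nft process
# whose allocation went through nftables set-element code, one unrelated leak.
SAMPLE_REPORT = """\
unreferenced object 0xffff888104f3a800 (size 128):
  comm "nft", pid 4242, jiffies 4294937296
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000012345678>] kmem_cache_alloc+0x11a/0x2f0
    [<0000000023456789>] nft_set_elem_init+0x3c/0x1a0 [nf_tables]
    [<000000003456789a>] nft_add_set_elem+0x4d2/0xbe0 [nf_tables]
    [<0000000045678901>] nf_tables_newsetelem+0x1c2/0x3b0 [nf_tables]
unreferenced object 0xffff888100b12c00 (size 64):
  comm "sshd", pid 913, jiffies 4294921000
  backtrace:
    [<0000000056789012>] kmalloc_trace+0x2a/0x90
    [<0000000067890123>] alloc_workqueue+0x9b/0x5e0
"""


def parse_kmemleak(text):
    """Split a kmemleak dump into one dict per 'unreferenced object' block."""
    objects = []
    cur = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"addr": m.group(1), "size": int(m.group(2)),
                   "comm": None, "pid": None, "frames": []}
            objects.append(cur)
            continue
        if cur is None:
            continue  # preamble before the first block
        m = COMM.match(line)
        if m:
            cur["comm"], cur["pid"] = m.group(1), int(m.group(2))
            continue
        m = FRAME.match(line)
        if m:
            cur["frames"].append(m.group(1))  # "symbol+off/len", module tag dropped
    return objects


def nft_leaks(text):
    """Return only the leaked objects whose backtrace contains an nftables symbol."""
    return [o for o in parse_kmemleak(text)
            if any(NFT_SYMBOL.search(f) for f in o["frames"])]


def scan_live():
    """Trigger an immediate kmemleak scan and filter the live report (needs root)."""
    KMEMLEAK_PATH.write_text("scan\n")
    return nft_leaks(KMEMLEAK_PATH.read_text())


if __name__ == "__main__":
    # Use the live debugfs node when available, otherwise the constructed sample.
    leaks = scan_live() if KMEMLEAK_PATH.exists() else nft_leaks(SAMPLE_REPORT)
    for leak in leaks:
        print(f"{leak['addr']} size={leak['size']} comm={leak['comm']} pid={leak['pid']}")
        for frame in leak["frames"]:
            print(f"    {frame}")
    print(f"{len(leaks)} nftables-attributed leak(s)")
```

Run the nftables test case first, then this script as root; a clean kernel should report zero nftables-attributed leaks, while a kernel affected by this issue is expected to show objects allocated from the set-element path that were never freed.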

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux Kernel Archives.

Added: Sep 16, 2025, 6:14 PM
Updated: Sep 16, 2025, 6:14 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.