Linux Kernel Netfilter Null Pointer Dereference Vulnerability in RBTree Element Insertion

A null pointer dereference vulnerability has been identified in the Linux kernel's netfilter component, specifically within the RBTree element insertion process. This issue arises because the function 'rb_prev()' can return NULL, leading to a general protection fault. The vulnerability is associated with non-canonical addresses, causing a null pointer dereference error. Additionally, there is a potential use-after-free vulnerability when iterating through nodes, as a 'node' can be freed, necessitating the caching of the next value for continued iteration.

Impact

Exploitation of this vulnerability leads to a null pointer dereference, causing a general protection fault. This is typically a precursor to a use-after-free vulnerability, which can be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by inserting elements into a netfilter RBTree set while the garbage collection process is active. The 'nft_rbtree_gc_elem' function does not properly handle the case where 'rb_prev' returns NULL, allowing for a null pointer dereference. This can be triggered by manipulating the timing of element insertion and garbage collection, such as by rapidly adding and removing elements from the set.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.