Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability in the Linux kernel's netfilter component, specifically in the nf_set_pipapo function, has been addressed. The initial buffer was not initialized correctly, which led to an incorrect initial map fill. The buffer has to be set to all-ones, but only over the size of the first field, not over the total field size. Filling it over the total size let stray one-bits leak into subsequent map search rounds, so pipapo produced incorrect matching results for sets where the first field size was smaller than the maximum buffer size. A follow-up patch adds a test case for this issue to the nft_concat_range.sh self-test script.
The vulnerability could lead to incorrect matching results in the pipapo function, causing potential mismanagement of set operations within netfilter.
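The leak described above, as an added example that is not kernel code: a simplified C model of a three-field lookup in which the result and fill maps are swapped after each round. The 8-bit bitmap words, the `set` layout and the names `lookup`, `refill`, `struct field` and `struct map_to` are assumptions made for illustration, and the sample set is constructed.

```c
#include <stdint.h>
#include <string.h>
#define NFIELDS   3
#define BSIZE_MAX 2                 /* widest field, in 8-bit bitmap words */
struct map_to { int to, n; };       /* rule i maps to n rules starting at 'to' in the next field */
struct field {
    int bsize, rules;               /* bitmap words and rule count of this field */
    uint8_t bucket[BSIZE_MAX];      /* rules whose buckets match the sample packet */
    struct map_to mt[16];
};
/* Constructed set: field 0 (1 word) is narrower than fields 1 and 2 (2 words). */
static const struct field set[NFIELDS] = {
    { 1, 1,  { 0x01, 0x00 }, { { 0, 1 } } },  /* packet matches rule 0 */
    { 2, 10, { 0x01, 0x00 }, { { 0, 1 } } },  /* packet matches rule 0 */
    { 2, 10, { 0x00, 0x02 }, { { 0, 0 } } },  /* packet matches rule 9 only */
};
/* Copy surviving rules into dst for the next field; on the last field return the first one, -1 if none. */
static int refill(uint8_t *map, const struct field *f, uint8_t *dst, int last)
{
    int ret = -1;
    for (int k = 0; k < f->bsize; k++) {
        for (int b = 0; b < 8; b++) {
            int i = k * 8 + b;
            if (!(map[k] & (1u << b)) || i >= f->rules) continue;
            if (last) return i;
            for (int t = f->mt[i].to; t < f->mt[i].to + f->mt[i].n; t++)
                dst[t / 8] |= (uint8_t)(1u << (t % 8));
            ret = 0;
        }
        map[k] = 0;                 /* only the words this field uses are cleared */
    }
    return ret;
}
/* Returns the rule matched in the last field, or -1 for "no match". */
int lookup(int fixed)
{
    uint8_t scratch[2][BSIZE_MAX] = { { 0 } };
    uint8_t *res = scratch[0], *fill = scratch[1], *tmp;
    /* Before the fix: all-ones over BSIZE_MAX. After: over field 0's size only. */
    memset(res, 0xff, (size_t)(fixed ? set[0].bsize : BSIZE_MAX));
    for (int i = 0; i < NFIELDS; i++) {
        for (int k = 0; k < set[i].bsize; k++) res[k] &= set[i].bucket[k];
        int r = refill(res, &set[i], fill, i == NFIELDS - 1);
        if (r < 0 || i == NFIELDS - 1) return r;
        tmp = res; res = fill; fill = tmp;   /* stale bits in the old res move along */
    }
    return -1;
}
int main(void) { return !(lookup(0) == 9 && lookup(1) == -1); }
```

With the full-width fill, the untouched second word of the first result map survives two swaps and lets rule 9 of the third field match, although the chain from fields 0 and 1 only leads to rule 0; with the restricted fill the lookup correctly reports no match.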