Linux Kernel Netfilter Conntrack Uninitialized Memory Vulnerability Leading to Crash

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the connection tracking (conntrack) system, has been identified. It arises from improper handling of connection tracking entries and can lead to a system crash. The problem occurs when an uninitialized conntrack entry is removed from the hash bucket list, causing a reference count mismatch and ultimately a crash. The root cause is a race condition in which a conntrack entry is prematurely deleted and then reinitialized, leaving the entry in an inconsistent state with respect to its status flags and its membership in the hash table.

Impact

Exploitation of this vulnerability causes a system crash due to a null pointer dereference. The crash occurs when the connection tracking system attempts to delete an entry from the hash table, but the entry is in a corrupted state, leading to a failure in the expected reference counting and memory management.

Reproduction

The vulnerability can be reproduced by creating a race condition between multiple CPU cores. This involves having one CPU delete a conntrack entry while another CPU is in the process of reinitializing it. The entry, now in an uninitialized state, is then incorrectly managed when a third CPU attempts to process it, leading to a crash.

Remediation

The vulnerability has been addressed in the official Linux kernel repository. Users should upgrade to the latest version where this issue has been fixed.

Added: Jul 28, 2025, 1:36 PM
Updated: Jul 28, 2025, 1:36 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.