Linux Kernel Netfilter xt_nfacct Null-Termination Vulnerability

Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically in the xt_nfacct match, has been addressed. The code incorrectly assumed that accounting names were null-terminated, which led to a slab-out-of-bounds error. The vulnerability was triggered when the nfacct_mt_checkentry function processed input that was not null-terminated without proper validation, causing an out-of-bounds read in the vsnprintf function. The flaw was found and reported by the syzkaller fuzzer.
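
The defensive pattern for the flaw described above, as an added example in userspace C (not the kernel's code or its actual patch): a fixed-size name field is checked for a terminator before use, and logged with a bounded "%.*s" so that formatting never reads past the field. The struct, the function names and the 32-byte field size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ACCT_NAME_MAX 32 /* assumed field size for this example */

/* Hypothetical stand-in for a fixed-size blob copied from an untrusted caller. */
struct acct_match_info {
    char name[ACCT_NAME_MAX];
};

/* Returns 1 if a NUL byte exists inside the field, 0 otherwise.
 * memchr never looks beyond sizeof(name), unlike strlen or "%s". */
int acct_name_is_terminated(const struct acct_match_info *info)
{
    return memchr(info->name, '\0', sizeof(info->name)) != NULL;
}

/* Builds the "not found" log line. The precision on "%.*s" caps the read at
 * the field size even when no terminator is present.
 * Returns the number of characters the full message needs. */
int acct_format_missing(char *out, size_t outlen,
                        const struct acct_match_info *info)
{
    return snprintf(out, outlen, "accounting object '%.*s' does not exist",
                    (int)sizeof(info->name), info->name);
}

/* Check-entry style validation: reject unterminated names before any lookup
 * or logging treats them as C strings. Returns 0 on success, -1 on reject. */
int acct_checkentry(const struct acct_match_info *info)
{
    return acct_name_is_terminated(info) ? 0 : -1;
}

int main(void)
{
    struct acct_match_info bad; /* constructed input: 32 bytes, no NUL */
    char line[128];

    memset(bad.name, 'A', sizeof(bad.name));
    if (acct_checkentry(&bad) != 0) {
        acct_format_missing(line, sizeof(line), &bad);
        puts(line);
    }
    return 0;
}
```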

Impact

The vulnerability could lead to a heap-based buffer overflow, allowing for potential arbitrary code execution or other memory corruption issues.

Reproduction

The vulnerability can be reproduced by using the netfilter xt_nfacct match with an accounting name that is not properly null-terminated. This can be done by manually crafting a packet or using a tool that allows for the manipulation of packet data to include an improperly formatted accounting name. The issue will manifest as a slab-out-of-bounds error, which can be observed in the kernel logs.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Aug 22, 2025, 5:06 PM
Updated: Aug 22, 2025, 5:06 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.