Linux Kernel Netfilter nf_tables Use-After-Free Vulnerability in Chain Management

A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically within the nf_tables subsystem. This issue arises in the nf_tables_addchain() function, which improperly manages the lifecycle of chain objects during the addition process. When nf_tables_register_hook() fails after a chain has been added to the table's chain list, the error handling routine removes the chain from the list and destroys it without allowing for a proper cleanup period. This mismanagement creates two distinct use-after-free scenarios: one in the control plane, where a concurrent chain dump can access a freed chain, and another in the packet path, where packets can still reference a chain that has been deallocated. The vulnerability affects several versions of the Linux kernel.

Impact

The vulnerability can be exploited to create use-after-free conditions, leading to potential memory corruption.

Reproduction

To reproduce this vulnerability, add a chain to an nf_tables table and then simulate a failure during the hook registration process. This will trigger the error path that removes and destroys the chain without a proper RCU grace period, creating a use-after-free condition. This can be done by manipulating the nf_tables_addchain() function to introduce a failure after the chain has been added but before the hooks are fully registered.

Remediation

The vulnerability has been addressed by adding a synchronize_rcu() call between nft_chain_del() and the chain destruction process. This ensures that all RCU readers have completed their operations before the chain is freed, preventing the use-after-free condition.