Linux Kernel Netfilter xt_IDLETIMER ALARM Timer Label Reuse Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's netfilter module, specifically within the xt_IDLETIMER component. This issue arises in IDLETIMER revision 0, where rules can improperly reuse existing timers by label. When a label is first created in revision 1 with XT_IDLETIMER_ALARM, it adopts alarm timer semantics, leaving the associated timer_list uninitialized. Reusing this object in revision 0 triggers a call to mod_timer() on the uninitialized timer_list, which can cause debug object warnings and potentially lead to a system panic if panic_on_warn is set to 1. The vulnerability has been addressed by modifying the rule insertion process to reject revision 0 rules that attempt to reuse a label associated with an ALARM type timer.

Impact

Exploiting this vulnerability can cause warnings from the debug object system and may lead to a system panic when panic_on_warn is enabled.

Reproduction

To reproduce this vulnerability, create a timer label using IDLETIMER revision 1 with the XT_IDLETIMER_ALARM option. Then, attempt to reuse the same label in a revision 0 rule. The process will trigger a call to mod_timer() on an uninitialized timer_list, causing debug object warnings and a possible system panic if panic_on_warn is set to 1.
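As an added illustration (not the kernel's code; the struct, list and function names are simplified stand-ins for the real xt_IDLETIMER internals), a userspace model of the corrected rule-insertion check described in the Vulnerability and Reproduction sections: a revision 1 rule records the timer type with its label, and a later rule may reuse that label only if the types agree, so a revision 0 rule is refused where it would previously have armed the uninitialized timer_list.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define XT_IDLETIMER_ALARM 0x01      /* timer_type flag from the kernel uapi header */
#define MAX_IDLETIMER_LABEL_SIZE 28

struct idletimer_tg {                /* one timer object, shared by all rules using its label */
    char label[MAX_IDLETIMER_LABEL_SIZE];
    unsigned int timer_type;         /* 0 = classic timer_list, ALARM = alarm timer */
    unsigned int refcnt;
    struct idletimer_tg *next;
};
static struct idletimer_tg *idletimer_list;   /* model of the kernel's label registry */

static struct idletimer_tg *find_by_label(const char *label)
{
    for (struct idletimer_tg *t = idletimer_list; t; t = t->next)
        if (strcmp(t->label, label) == 0)
            return t;
    return NULL;
}

/* Rule insertion for the given revision: 0 on success, -errno on failure. */
int idletimer_checkentry(int revision, const char *label, unsigned int timer_type)
{
    struct idletimer_tg *t = find_by_label(label);
    if (revision == 0)
        timer_type = 0;              /* revision 0 has no timer_type field: classic timer */
    if (t) {
        /* The fix: a label may only be reused by a rule of the same timer type. Before it,
         * revision 0 skipped this test and called mod_timer() on a timer_list that an
         * ALARM object had never initialised. */
        if (t->timer_type != timer_type)
            return -EINVAL;
        t->refcnt++;
        return 0;
    }
    t = calloc(1, sizeof(*t));
    if (!t)
        return -ENOMEM;
    strncpy(t->label, label, sizeof(t->label) - 1);
    t->timer_type = timer_type;      /* an ALARM object sets up an alarm, never a timer_list */
    t->refcnt = 1;
    t->next = idletimer_list;
    idletimer_list = t;
    return 0;
}
```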

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.

Added: Mar 20, 2026, 9:19 AM
Updated: Mar 20, 2026, 9:19 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.4
remediation: 7.7
relevance: 4.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.