Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically within the nft_set_pipapo set type. The issue arises when a large number of elements expire, causing the garbage collection (GC) process to run for an extended period in a non-preemptible context. This can trigger soft lockup warnings and RCU stall reports, leading to a local denial-of-service condition. The vulnerability allows expired elements to remain accessible via the live copy of the data structure, potentially causing inconsistencies during packet processing or when userspace dumpers access the data. The problem is exacerbated because call_rcu() alone does not provide adequate protection: freed elements can still be observed by new readers unless the GC process has progressed far enough to update the pointers before the old version is accessed.
Exploitation of this vulnerability can cause a local denial-of-service condition, characterized by soft lockup warnings and RCU stall reports.
The vulnerability can be reproduced by creating a netfilter nftables set of type 'pipapo' and allowing a significant number of elements to expire. During the subsequent garbage collection phase, the kernel can enter a non-preemptible state, leading to soft lockup warnings and RCU stall reports.
Users can upgrade to the patched version of the Linux kernel where this vulnerability has been addressed. The specific commit containing the fix is 16f3595c0441d87dfa005c47d8f95be213afaa9e.