Linux Kernel Netfilter nf_tables Memory Allocation Vulnerability

A vulnerability in the Linux kernel's netfilter component, specifically within the nf_tables API, has been addressed. This issue arose when the nf_tables subsystem was instructed to flush a set, leading to a memory allocation failure. The problem was triggered by syzbot, a fuzzing tool, which injected faults that caused the allocation to fail under normal kernel operations. The failure generated a warning message indicating an error in the nf_tables API, specifically during the deactivation of a map, which is a critical part of the netfilter's set management. The vulnerability was linked to the way set cloning was handled during flush operations, particularly with certain set backends.

Impact

Exploitation of this vulnerability could lead to a denial-of-service condition, where the kernel fails to properly manage netfilter sets, potentially causing disruptions in network traffic control or filtering operations.

Reproduction

The vulnerability can be reproduced by using the syzkaller fuzzing tool, which can inject faults into the kernel's memory allocation processes. This injection can trigger the warning splat observed in the original vulnerability report, indicating a failed memory allocation with the GFP_KERNEL flag.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for upgrading the kernel can typically be found in the documentation for the specific Linux distribution in use.