Linux Kernel Netfilter ARP Protocol Vulnerability in x_tables Extension Handling

Vulnerability

A vulnerability exists in the Linux kernel's netfilter component, specifically in the x_tables extension handling for the ARP protocol. Match and target structures registered with NFPROTO_UNSPEC can be used by any protocol family through nft_compat. When such a structure specifies which hooks it may be used from, it does so with NF_INET_* constants, which only align with the IPv4, IPv6, inet, and bridge families. ARP has a different hook layout, so the hook validation is bypassed and a match can be attached to an ARP chain where its assumptions do not hold. The result can be a NULL pointer dereference, as exemplified by the xt_devgroup match, causing a kernel panic.

Impact

Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, crashing the system and disrupting its operation.

Reproduction

The vulnerability can be reproduced by loading an xt_match or xt_target extension registered with NFPROTO_UNSPEC into an ARP chain through nft_compat. The .hooks validation incorrectly allows this because NF_ARP_OUT is treated the same as NF_INET_LOCAL_IN, which does not match ARP's actual hook semantics. Once such a match or target is applied to an ARP chain, its hook assumptions no longer hold, leading to a NULL pointer dereference.

Remediation

The vulnerability has been addressed by restricting arptables to extensions registered for NFPROTO_ARP only. Users should ensure they are running a Linux kernel version that includes this fix.
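The hook-mask mismatch described under Reproduction and the fix described above, as a simplified model added here (not kernel code): the NF_INET_*, NF_ARP_* and NFPROTO_* values are the public kernel constants, while struct ext, hooks_allowed, check_before, check_after and the sample extension are constructed stand-ins for the x_tables validation logic, not the kernel's actual functions.

```c
#include <stdio.h>
#include <stdint.h>

/* Public netfilter hook numbers. The NF_INET_* and NF_ARP_* numbering
 * overlaps: NF_ARP_OUT and NF_INET_LOCAL_IN are both 1. */
enum { NF_INET_PRE_ROUTING = 0, NF_INET_LOCAL_IN = 1, NF_INET_FORWARD = 2,
       NF_INET_LOCAL_OUT = 3, NF_INET_POST_ROUTING = 4 };
enum { NF_ARP_IN = 0, NF_ARP_OUT = 1, NF_ARP_FORWARD = 2 };
enum { NFPROTO_UNSPEC = 0, NFPROTO_INET = 1, NFPROTO_IPV4 = 2,
       NFPROTO_ARP = 3, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10 };

/* Constructed stand-in for struct xt_match / struct xt_target. */
struct ext {
    const char *name;
    uint8_t family;      /* NFPROTO_* the extension was registered for */
    unsigned int hooks;  /* bitmask of hook numbers it is valid from */
};

/* Model of the .hooks check: bits are compared blindly, so an ARP chain at
 * NF_ARP_OUT (bit 1) is indistinguishable from NF_INET_LOCAL_IN (bit 1). */
int hooks_allowed(const struct ext *e, unsigned int chain_hook_mask) {
    return e->hooks == 0 || (chain_hook_mask & ~e->hooks) == 0;
}

/* Before the fix: an NFPROTO_UNSPEC extension is offered to every family. */
int check_before(const struct ext *e, uint8_t chain_family, unsigned int mask) {
    if (e->family != NFPROTO_UNSPEC && e->family != chain_family) return 0;
    return hooks_allowed(e, mask);
}

/* After the fix: an ARP chain accepts only NFPROTO_ARP extensions, so
 * NF_INET_* hook bits are never compared against NF_ARP_* hook bits. */
int check_after(const struct ext *e, uint8_t chain_family, unsigned int mask) {
    if (chain_family == NFPROTO_ARP && e->family != NFPROTO_ARP) return 0;
    return check_before(e, chain_family, mask);
}

/* Constructed sample: an UNSPEC match valid from LOCAL_IN and LOCAL_OUT. */
static const struct ext sample = {
    "sample-unspec-match", NFPROTO_UNSPEC,
    (1u << NF_INET_LOCAL_IN) | (1u << NF_INET_LOCAL_OUT)
};

int main(void) {
    unsigned int arp_out = 1u << NF_ARP_OUT;  /* same bit as NF_INET_LOCAL_IN */
    printf("ARP chain at NF_ARP_OUT, before fix: %s\n",
           check_before(&sample, NFPROTO_ARP, arp_out) ? "accepted (bug)" : "rejected");
    printf("ARP chain at NF_ARP_OUT, after fix:  %s\n",
           check_after(&sample, NFPROTO_ARP, arp_out) ? "accepted" : "rejected");
    return 0;
}
```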

Added: Apr 13, 2026, 3:20 PM
Updated: Apr 13, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 7.7
relevance: 5.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.