Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, in the nf_tables connection-tracking expression (nft_ct) that manages ct timeout objects. The function that destroys a timeout object, nft_ct_timeout_obj_destroy, detaches the object from conntrack and frees it immediately, without waiting for an RCU grace period. Packet processing on other CPUs looks up the timeout object inside an RCU read-side critical section and may still hold a pointer to it, so a concurrent delete leaves those readers dereferencing freed memory. KASAN (Kernel Address Sanitizer) reported the issue as a slab-use-after-free, that is, a read of freed slab memory. Such a read returns stale data, or whatever a later allocation has placed in the reused slab object, and that data is then used by the conntrack timeout logic.
Triggering the race yields a use-after-free in the packet path: conntrack reads timeout values from memory that has already been freed. The direct consequence is a kernel crash (denial of service) when the access faults or the garbage it reads is acted on; if the freed slab object is reallocated before the stale read, the read returns data under the control of whoever made the new allocation, which is the usual starting point for turning a use-after-free into memory corruption or code execution. Deleting a ct timeout object requires the right to modify the nf_tables ruleset in the affected network namespace (CAP_NET_ADMIN there), so on systems that allow unprivileged user namespaces a local user can reach that precondition without global privileges.
To reproduce, load a ruleset that defines a ct timeout object and attaches it to connections with a ct timeout set rule, generate traffic that creates and matches conntrack entries, and concurrently delete or replace the timeout object. The delete path clears the conntrack references and frees the object at once, while packet processing on another CPU, still inside its RCU read-side critical section, holds a pointer it obtained before the reference was cleared; its next access hits freed memory. A KASAN-enabled kernel reports the slab-use-after-free on the first such access; without KASAN the symptom is intermittent and depends on whether the slab object has been reused.
Upgrade to a kernel release that carries the fix (check your distribution's advisory for the backported version). The patch adds an RCU head to the timeout object structure and defers the deallocation in nft_ct_timeout_obj_destroy through RCU instead of freeing immediately, so the memory is released only after every CPU has left its RCU read-side critical section and no packet-processing path can still reference the object. Until the fix is applied, the exposure exists only on systems whose rulesets use ct timeout objects and where those objects are deleted or replaced while traffic is flowing; avoiding that, and not granting untrusted users control over the ruleset, reduces the risk.
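The race and the fix, as an added userspace model in C. This is not the kernel's code: the object, the RCU-protected pointer and the RCU primitives are simplified stand-ins (a reader counter plays the role of the grace period, and the model's kfree poisons the object instead of returning it to an allocator, so the bad read is observable rather than undefined). The buggy destroy frees immediately; the fixed destroy defers the free through an embedded rcu_head, as the patch does.

```c
/*
 * Model of the nft_ct timeout object lifetime bug. Added example, not kernel
 * code: every name below is a simplified stand-in for the kernel object or
 * RCU primitive it imitates.
 */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define POISON 0x6b6b6b6bu   /* value a freed slab object is filled with (SLUB poison byte) */

struct rcu_head {
    struct rcu_head *next;
    void (*func)(struct rcu_head *);
};

/* Stand-in for the timeout object reached through a conntrack's timeout extension. */
struct ct_timeout {
    unsigned int tcp_established;
    int freed;
    struct rcu_head rcu;     /* the field the fix adds so the free can be deferred */
};

/* The RCU-protected pointer readers follow (stand-in for the conntrack's reference). */
static struct ct_timeout *ct_timeout_ptr;

/* Toy RCU: readers are counted; a grace period ends when the count drops to zero. */
static int readers_active;
static struct rcu_head *deferred_head;
static int model_free_count;   /* how many objects the model has freed so far */

static void model_rcu_read_lock(void) { readers_active++; }

static void run_deferred(void)
{
    while (deferred_head) {
        struct rcu_head *h = deferred_head;
        deferred_head = h->next;
        h->func(h);
    }
}

static void model_rcu_read_unlock(void)
{
    if (--readers_active == 0)
        run_deferred();      /* grace period over: deferred frees may run */
}

static void model_call_rcu(struct rcu_head *h, void (*func)(struct rcu_head *))
{
    h->func = func;
    h->next = deferred_head;
    deferred_head = h;
    if (readers_active == 0)
        run_deferred();
}

/* Model of kfree(): poison the object but keep it mapped so a late reader's
 * access is observable here; a real kfree() would let the slot be reused. */
static void model_kfree(struct ct_timeout *t)
{
    t->tcp_established = POISON;
    t->freed = 1;
    model_free_count++;
}

static void timeout_free_rcu(struct rcu_head *h)
{
    /* container_of(): recover the object from its embedded rcu_head */
    struct ct_timeout *t = (struct ct_timeout *)((char *)h - offsetof(struct ct_timeout, rcu));
    model_kfree(t);
}

/* Buggy destroy: clear the reference, then free at once (no grace period). */
static void destroy_buggy(struct ct_timeout *t)
{
    ct_timeout_ptr = NULL;   /* conntrack's reference is cleared ... */
    model_kfree(t);          /* ... but a reader may still hold t */
}

/* Fixed destroy: clear the reference, defer the free until readers are gone. */
static void destroy_fixed(struct ct_timeout *t)
{
    ct_timeout_ptr = NULL;
    model_call_rcu(&t->rcu, timeout_free_rcu);   /* kfree_rcu(t, rcu) */
}

/* The race as it happens in the packet path. Returns the value the reader saw. */
static unsigned int race(void (*destroy)(struct ct_timeout *))
{
    struct ct_timeout *obj = calloc(1, sizeof(*obj));
    unsigned int seen;
    if (!obj)
        abort();
    obj->tcp_established = 120;
    ct_timeout_ptr = obj;

    model_rcu_read_lock();                   /* CPU A: packet processing begins */
    struct ct_timeout *t = ct_timeout_ptr;   /* rcu_dereference() */
    destroy(obj);                            /* CPU B: object deleted meanwhile */
    seen = t->tcp_established;               /* CPU A: uses the pointer it took */
    model_rcu_read_unlock();                 /* CPU A done; deferred free runs here */

    free(obj);                               /* release the model's own allocation */
    return seen;
}

int main(void)
{
    printf("buggy destroy: reader saw 0x%x (freed object)\n", race(destroy_buggy));
    printf("fixed destroy: reader saw %u (still valid)\n", race(destroy_fixed));
    return 0;
}
```

With the buggy destroy the reader observes the poison pattern, which is the situation KASAN flags as a slab-use-after-free; with the deferred free the reader still sees the live value and the object is released only when the last reader leaves.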