Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A use-after-free vulnerability has been identified in the Linux kernel's netfilter component, specifically in the management of nf_conntrack helpers. The issue arises when nf_conntrack_helper_unregister() is called to remove the expectations associated with a helper: the function passes NULL instead of the actual helper pointer to the expectation-cleanup routine, so no expectation matches and none are removed. The expectations therefore remain intact after the helper object has been freed, and their exp->helper pointers dangle, which is the use-after-free condition. Dereferencing such a freed address can corrupt memory and could potentially be leveraged to execute arbitrary code.
Successful exploitation results in a use-after-free: a freed memory address is dereferenced, which can cause memory corruption. Vulnerabilities of this type are commonly exploited to execute arbitrary code or to cause a denial of service by crashing the system.
The vulnerability is triggered when a netfilter connection-tracking helper is unregistered through nf_conntrack_helper_unregister(). Because the function passes NULL as the data argument rather than the helper pointer, the helper's expectations survive the cleanup. Once the helper is unregistered, nfnl_cthelper_del() frees the helper object, and any subsequent access to exp->helper dereferences the freed memory, creating the use-after-free condition. The condition can be observed when expectations are dumped or when init_conntrack() runs during packet-driven processing.
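The following C model, added here and not taken from the kernel source, illustrates the defect the advisory describes: an expectation table is walked with a predicate that matches on the helper pointer passed in as the data argument, so passing NULL leaves every expectation in place while passing the helper removes them. The structure and function names (nf_helper, nf_expect, expect_iter_me, expect_iterate_destroy, helper_unregister_buggy, helper_unregister_fixed, run_scenario) and the list layout are assumptions made for this model, not the kernel's actual definitions; the counts are taken before the helper is freed, so the model itself never touches freed memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the kernel objects named in the
 * advisory; field names and layout are assumptions for this model. */
struct nf_helper {
    char name[16];
};

struct nf_expect {
    struct nf_helper *helper;   /* the exp->helper pointer the advisory refers to */
    struct nf_expect *next;
};

/* One global list stands in for the kernel's expectation table. */
static struct nf_expect *expect_list;

static void expect_add(struct nf_helper *h)
{
    struct nf_expect *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->helper = h;
    e->next = expect_list;
    expect_list = e;
}

/* Iterator predicate: an expectation matches when it belongs to the helper
 * passed through @data. With data == NULL nothing in the table can match,
 * so nothing is removed; that is the defect the advisory describes. */
static bool expect_iter_me(const struct nf_expect *exp, void *data)
{
    return exp->helper == (struct nf_helper *)data;
}

/* Walk the table, destroying every expectation the predicate accepts.
 * Returns how many were destroyed. */
static int expect_iterate_destroy(bool (*iter)(const struct nf_expect *, void *),
                                  void *data)
{
    struct nf_expect **pp = &expect_list;
    int destroyed = 0;

    while (*pp) {
        struct nf_expect *e = *pp;
        if (iter(e, data)) {
            *pp = e->next;
            free(e);
            destroyed++;
        } else {
            pp = &e->next;
        }
    }
    return destroyed;
}

/* Defective unregister path: NULL is passed instead of the helper,
 * so the helper's own expectations survive the cleanup. */
static int helper_unregister_buggy(struct nf_helper *me)
{
    (void)me;
    return expect_iterate_destroy(expect_iter_me, NULL);
}

/* Corrected unregister path: the helper itself is the match key. */
static int helper_unregister_fixed(struct nf_helper *me)
{
    return expect_iterate_destroy(expect_iter_me, me);
}

struct scenario_result {
    int dangling;   /* expectations still pointing at the unregistered helper */
    int remaining;  /* expectations left in the table overall */
};

/* Register two helpers with expectations, unregister one through the chosen
 * path, and report what is left. Counting happens before the helper is freed;
 * in the kernel, freeing the helper afterwards is what turns each dangling
 * entry into a use-after-free on the next read of exp->helper. */
struct scenario_result run_scenario(bool fixed)
{
    struct nf_helper *me = calloc(1, sizeof *me);
    struct nf_helper *other = calloc(1, sizeof *other);
    struct scenario_result r = {0, 0};
    struct nf_expect *e;

    if (!me || !other) abort();
    strcpy(me->name, "helper-a");     /* constructed sample names */
    strcpy(other->name, "helper-b");

    expect_list = NULL;
    expect_add(me);
    expect_add(other);
    expect_add(me);

    if (fixed)
        helper_unregister_fixed(me);
    else
        helper_unregister_buggy(me);

    for (e = expect_list; e; e = e->next) {
        r.remaining++;
        if (e->helper == me)
            r.dangling++;
    }

    while (expect_list) {               /* tear the model down */
        e = expect_list;
        expect_list = e->next;
        free(e);
    }
    free(me);
    free(other);
    return r;
}

int main(void)
{
    struct scenario_result b = run_scenario(false), f = run_scenario(true);
    printf("buggy: %d dangling of %d remaining\n", b.dangling, b.remaining);
    printf("fixed: %d dangling of %d remaining\n", f.dangling, f.remaining);
    return 0;
}
```

The buggy path leaves both of the unregistered helper's expectations in the table with pointers to an object that is about to be freed; the fixed path removes exactly those two and leaves the unrelated helper's expectation untouched. When reviewing a cleanup-by-owner routine of this shape, the thing to check is that the key handed to the iterator is the owner being torn down, not a placeholder.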
The vulnerability has been fixed in the Linux kernel. Users should upgrade to a kernel version that contains the fix.