Linux Kernel Netfilter AVX2 Matching Function Vulnerability

Vulnerability

A vulnerability has been identified in the Linux kernel's netfilter component, specifically in the AVX2 matching functions for pipapo sets. The issue appears when a set is reloaded after being flushed: the AVX2 functions do not account for all fields of the key, so entries that should not match are returned as matches. The generic C implementation, and the fallback lookup path, do not exhibit the problem. The flaw was exposed by a commit that changed range overlap detection; that change revealed an existing defect in the AVX2 match processing rather than introducing a new one.

Impact

The vulnerability causes the AVX2 matching functions to incorrectly return non-matching entries, which can lead to erroneous set operations and potentially disrupt network filtering rules.

Reproduction

To reproduce this vulnerability, first load a randomly generated pipapo set with an 'ipv4 . port' key using the nft command. Once the set has loaded successfully, flush it and attempt to reload the same elements. With the AVX2 matching functions in use, nft reports a clashing element, showing that the reloaded set is not processed correctly. The flaw can be confirmed by comparing this behavior with the generic C implementation, which accepts the reload.
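As an added example that is not part of this advisory, the following POSIX shell script drives nft through the load, flush and reload steps just described and returns a distinct status when the reload is rejected, so an administrator can check a host before and after patching. The table name, set name and element values are placeholders chosen here, not taken from the advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): flush-then-reload regression check
# for a pipapo-backed set. Table/set names are placeholders chosen here.
TABLE="pipapo_check"
SET="s"

# nft script that declares an interval concatenation set
# (ipv4_addr . inet_service); nftables backs this set type with pipapo.
pipapo_set_script() {
    cat <<EOF
table inet $TABLE {
    set $SET {
        type ipv4_addr . inet_service
        flags interval
    }
}
EOF
}

# Constructed sample elements: IPv4 ranges concatenated with port ranges.
# The advisory uses randomly generated elements; fixed values are used here
# so that the load and the reload are byte-for-byte identical.
sample_elements() {
    cat <<EOF
add element inet $TABLE $SET { 192.0.2.0/25 . 80-90, 198.51.100.10-198.51.100.20 . 443, 203.0.113.0/24 . 1024-2048 }
EOF
}

# Load, flush, reload. Returns 0 if the reload is accepted (expected on a
# correct kernel), 1 if nft rejects the reload (the clash the advisory
# describes), 2 if nft is missing or the initial load itself fails.
check_pipapo_reload() {
    command -v nft >/dev/null 2>&1 || return 2
    nft delete table inet "$TABLE" 2>/dev/null || true
    pipapo_set_script | nft -f - || return 2
    sample_elements | nft -f - || return 2
    nft flush set inet "$TABLE" "$SET" || return 2
    if sample_elements | nft -f - 2>/dev/null; then rc=0; else rc=1; fi
    nft delete table inet "$TABLE" 2>/dev/null || true
    return $rc
}
```

Run `check_pipapo_reload; echo $?` as root on the host under test; a status of 1 after the flush indicates the AVX2 reload misbehavior, while 0 indicates the kernel accepts the reload.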

Remediation

Users can avoid this vulnerability by not relying on the AVX2 matching functions for pipapo sets in netfilter. The generic C implementation and the 'nft_pipapo_avx2_lookup_slow' fallback do not exhibit the issue.

Added: May 6, 2026, 10:31 AM
Updated: May 6, 2026, 10:31 AM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 3.4
remediation: 7.7
relevance: 7.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.