Linux kernel
cpe:2.3:o:kernel:linux_kernel:*:*:*:*:*:*:*
An out-of-bounds read vulnerability has been identified in the Linux kernel's netfilter component, specifically in the nfnetlink_cthelper module. The issue is in the nfnl_cthelper_dump_table() function, where a 'goto restart' statement jumps back into the loop body from outside the loop. When the 'last' helper saved in cb->args[1] is deleted between dump rounds, the loop never finds it and therefore never clears cb->args[1], and the restart then reads nf_ct_helper_hash out of bounds. The fix repositions the 'goto restart' block so that it only runs while the loop index is still within bounds.
Triggering this vulnerability causes a slab-out-of-bounds read of 8 bytes past the allocated object, which may lead to information disclosure or memory corruption.
The vulnerability can be reproduced by invoking nfnl_cthelper_dump_table() in a scenario where the 'last' helper is deleted between dump rounds: removing that helper while a dump is in progress leaves cb->args[1] uncleared and causes the function to read out of bounds.
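The following is an added, constructed C model of the control-flow pattern the advisory describes; it is not the kernel's nfnetlink_cthelper code, and the table size, message capacity, helper names and the `oob` flag are all made up for illustration. The model indexes a small hash array with the same resumable-dump logic, with the 'goto restart' block once outside the loop (the vulnerable shape) and once inside it (the fixed shape), and replays the advisory's scenario of a 'last' helper that is removed between two dump rounds. Because the model checks the bucket index before dereferencing, the vulnerable variant reports the out-of-bounds access instead of performing it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a resumable hash-table dump (not the kernel's code).
 * Names, table size and message capacity are invented for illustration. */

#define HSIZE   4   /* stands in for nf_ct_helper_hsize */
#define MSG_CAP 2   /* helpers that fit in one dump message */

struct helper {
    const char *name;
    struct helper *next;    /* bucket chain, like hnode */
};

struct dump_state {         /* stands in for cb->args[] */
    size_t bucket;          /* args[0]: bucket to resume from */
    struct helper *last;    /* args[1]: helper that did not fit last round */
    int oob;                /* model only: set if hash[HSIZE] would be read */
};

/* One round of the vulnerable control flow. Returns helpers emitted. The
 * kernel indexes the array unchecked; the model checks first so the
 * out-of-bounds read is reported rather than performed. */
static int dump_buggy(struct helper **hash, struct dump_state *st)
{
    struct helper *cur;
    int emitted = 0;

    for (; st->bucket < HSIZE; st->bucket++) {
restart:
        if (st->bucket >= HSIZE) {      /* reachable only via the goto below */
            st->oob = 1;
            return emitted;
        }
        for (cur = hash[st->bucket]; cur; cur = cur->next) {
            if (st->last) {             /* resuming: skip until 'last' shows up */
                if (cur != st->last)
                    continue;
                st->last = NULL;
            }
            if (emitted == MSG_CAP) {   /* message full: remember resume point */
                st->last = cur;
                return emitted;
            }
            emitted++;
        }
    }
    /* 'last' never showed up (deleted between rounds). st->bucket is now
     * HSIZE, so this restart indexes one element past the hash array. */
    if (st->last) {
        st->last = NULL;
        goto restart;
    }
    return emitted;
}

/* Same logic with the fix the advisory describes: the restart block sits
 * inside the for loop, so it only runs while st->bucket < HSIZE. */
static int dump_fixed(struct helper **hash, struct dump_state *st)
{
    struct helper *cur;
    int emitted = 0;

    for (; st->bucket < HSIZE; st->bucket++) {
restart:
        for (cur = hash[st->bucket]; cur; cur = cur->next) {
            if (st->last) {
                if (cur != st->last)
                    continue;
                st->last = NULL;
            }
            if (emitted == MSG_CAP) {
                st->last = cur;
                return emitted;
            }
            emitted++;
        }
        if (st->last) {     /* 'last' is gone from this bucket: rescan it */
            st->last = NULL;
            goto restart;
        }
    }
    return emitted;
}

/* Scenario from the advisory: two dump rounds with the saved 'last' helper
 * unlinked in between. Returns the model's oob flag; *total receives the
 * number of helpers emitted over both rounds. */
static int run_scenario(int (*dump)(struct helper **, struct dump_state *), int *total)
{
    /* Constructed table: ftp -> sip -> irc in bucket 1, tftp in bucket 3. */
    struct helper irc = {"irc", NULL}, sip = {"sip", &irc}, ftp = {"ftp", &sip};
    struct helper tftp = {"tftp", NULL};
    struct helper *hash[HSIZE] = { NULL, &ftp, NULL, &tftp };
    struct dump_state st = { 0, NULL, 0 };

    *total = dump(hash, &st);   /* round 1 emits ftp, sip; 'last' = irc */
    sip.next = NULL;            /* irc is unregistered between rounds */
    *total += dump(hash, &st);  /* round 2 */
    return st.oob;
}

int main(void)
{
    int n, oob;
    oob = run_scenario(dump_buggy, &n);
    printf("buggy: oob=%d, emitted=%d\n", oob, n);  /* oob=1, emitted=2 */
    oob = run_scenario(dump_fixed, &n);
    printf("fixed: oob=%d, emitted=%d\n", oob, n);  /* oob=0, emitted=4 */
    return 0;
}
```

In the vulnerable variant the second round skips every remaining helper while waiting for a 'last' that no longer exists, finishes the loop with the bucket index equal to the table size, and only then clears the saved pointer and jumps back in, which is the one-element-past-the-end read. In the fixed variant the rescan happens while the index is still valid; it re-emits the two helpers that preceded the deleted one in that bucket, which is why the fixed run counts four emissions, a harmless duplicate rather than a bounds problem.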
Users can upgrade to the latest version of the Linux kernel, in which this vulnerability has been fixed. The patched releases can be downloaded from the official Linux kernel website.