Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A stack out-of-bounds read vulnerability has been identified in the Linux kernel's netfilter component, specifically in the nft_set_pipapo set implementation. The pipapo_drop() function passes on a value read from one element past the end of rulemap, a stack-allocated array of NFT_PIPAPO_MAX_FIELDS entries; with NFT_PIPAPO_MAX_FIELDS set to 16, the offending index is 16 in a 16-element array. The bug was confirmed with the Kernel Address Sanitizer (KASAN), which reports a stack-out-of-bounds read at that access. Kernel versions in which NFT_PIPAPO_MAX_FIELDS is 16 contain the affected code.
Triggering the bug causes a stack out-of-bounds read. The value read comes from whatever sits on the stack immediately after the rulemap array, so the impact is disclosure of adjacent stack contents or, because that value is then used by the drop logic, a kernel crash and denial of service. Reaching the code path requires the ability to modify nftables sets, which normally means CAP_NET_ADMIN in the relevant network namespace; on systems that allow unprivileged user namespaces, a local unprivileged user can obtain that capability in a namespace of their own.
To reproduce the bug, use a kernel in which NFT_PIPAPO_MAX_FIELDS is 16, ideally built with KASAN enabled. Create an nftables set backed by the pipapo implementation (the backend chosen for concatenated interval sets) with enough fields that the rulemap array is populated through its last entry, add elements, and then remove them so that pipapo_drop() runs. On the last field it reads one element past the end of rulemap, and a KASAN build logs a stack-out-of-bounds read at that point; a kernel without KASAN performs the same read silently.
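The index pattern described above, as an added illustrative model rather than the kernel's own code: a drop routine that takes the next field's offset from rulemap[i + 1] on every field, including the last, reads index 16 of a 16-entry array once the set uses all NFT_PIPAPO_MAX_FIELDS fields, while a guarded variant never does. struct map_bucket, checked_n(), unmap_stub(), drop_vulnerable(), drop_fixed() and the constructed rulemap contents are assumptions made for this example; the only value taken from the advisory is NFT_PIPAPO_MAX_FIELDS = 16.

```c
#include <stdbool.h>
#include <stdio.h>

/* Value the advisory gives for the kernel constant. */
#define NFT_PIPAPO_MAX_FIELDS 16

/* Assumed stand-in for one rulemap entry: first rule of a field to drop
 * and how many consecutive rules follow it. */
struct map_bucket {
	unsigned int to;
	unsigned int n;
};

/* Bounds-checked read of rulemap[idx].n. Returns -1 instead of reading
 * past the array; in the real kernel KASAN is what flags that read. */
static int checked_n(const struct map_bucket *rulemap, unsigned int len,
		     unsigned int idx)
{
	if (idx >= len)
		return -1;
	return (int)rulemap[idx].n;
}

/* Stand-in for the per-field unmap work; only counts calls here. */
static unsigned int unmap_calls;

static void unmap_stub(unsigned int start, unsigned int n,
		       unsigned int to_offset, bool is_last)
{
	(void)start; (void)n; (void)to_offset; (void)is_last;
	unmap_calls++;
}

/* Buggy pattern: the offset for the following field is taken from
 * rulemap[i + 1] on every field, including the last one. With
 * field_count == NFT_PIPAPO_MAX_FIELDS that index is 16, one past the end
 * of the 16-entry stack array. Returns the highest rulemap index read, or
 * -1 if the loop would have read out of bounds. */
static int drop_vulnerable(const struct map_bucket *rulemap,
			   unsigned int field_count)
{
	int highest = -1;
	unsigned int i;

	for (i = 0; i < field_count; i++) {
		bool is_last = (i == field_count - 1);
		int next_n = checked_n(rulemap, NFT_PIPAPO_MAX_FIELDS, i + 1);

		if (next_n < 0)
			return -1;	/* stack OOB read happens here */
		unmap_stub(rulemap[i].to, rulemap[i].n, (unsigned int)next_n, is_last);
		highest = (int)(i + 1);
	}
	return highest;
}

/* Hardened pattern: rulemap[i + 1] is only read when field i + 1 exists;
 * the last field passes 0, so the index never exceeds field_count - 1. */
static int drop_fixed(const struct map_bucket *rulemap,
		      unsigned int field_count)
{
	int highest = -1;
	unsigned int i;

	for (i = 0; i < field_count; i++) {
		bool is_last = (i == field_count - 1);
		int next_n = is_last ? 0
				     : checked_n(rulemap, NFT_PIPAPO_MAX_FIELDS, i + 1);

		if (next_n < 0)
			return -1;	/* cannot happen with the guard */
		unmap_stub(rulemap[i].to, rulemap[i].n, (unsigned int)next_n, is_last);
		highest = is_last ? (int)i : (int)(i + 1);
	}
	return highest;
}

/* Constructed rulemap for a set with field_count fields (one rule each). */
static void fill_rulemap(struct map_bucket *rulemap, unsigned int field_count)
{
	unsigned int i;

	for (i = 0; i < NFT_PIPAPO_MAX_FIELDS; i++) {
		rulemap[i].to = i < field_count ? i * 4 : 0;
		rulemap[i].n = i < field_count ? 1 : 0;
	}
}

/* Run one variant against a freshly filled stack array. */
static int highest_index_read(bool fixed, unsigned int field_count)
{
	struct map_bucket rulemap[NFT_PIPAPO_MAX_FIELDS];

	fill_rulemap(rulemap, field_count);
	return fixed ? drop_fixed(rulemap, field_count)
		     : drop_vulnerable(rulemap, field_count);
}

int main(void)
{
	printf("15 fields: vulnerable reads up to index %d, fixed up to %d\n",
	       highest_index_read(false, 15), highest_index_read(true, 15));
	printf("16 fields: vulnerable %d (-1 = out of bounds), fixed %d\n",
	       highest_index_read(false, 16), highest_index_read(true, 16));
	return 0;
}
```

With 15 fields both variants stay inside the array, which is why the bug only surfaces when the set uses the maximum field count; with 16 fields the buggy loop reaches index 16 on its final iteration while the guarded loop stops at 15. In a real kernel there is no checked_n(): the read goes through to the stack slot after rulemap, which is the access KASAN reports.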
Upgrade to a kernel release that includes the fix; the patch that corrects the rulemap indexing in pipapo_drop() has been applied in the Linux kernel stable tree. KASAN only detects the bad read and is a debugging feature, not a mitigation, so production kernels without it remain affected until the fix is applied.