cve/2024/CVE-2024-26643.md
2024-06-22 09:37:59 +00:00

CVE-2024-26643

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout

While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path.

Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout").

Fix this by setting on the dead flag for anonymous sets to skip async gc in this case.

According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.

POC

Reference

No PoCs from references.

Github