A critical security flaw has been discovered in the Linux kernel’s nftables subsystem, which is responsible for packet filtering in modern Linux distributions. This flaw, a double-free vulnerability, allows local attackers to escalate their privileges and execute arbitrary code.
Nftables serves as the successor to the legacy iptables framework, providing a unified interface for network packet filtering. It operates through components such as tables, sets, chains, and rules, utilizing a “Packet Processing Pipeline” for efficient rule matching. The flaw resides in the nft_set_pipapo implementation, specifically within the nft_pipapo_destroy() function.
When a set is marked as “dirty” (modified but not committed), the function attempts to destroy all its elements. However, an element may exist in both the match and clone structures simultaneously, leading to a double-free scenario when the set is destroyed, thereby corrupting memory and enabling potential exploitation.
Exploitation Mechanics of CVE-2024-26809
An attacker can exploit CVE-2024-26809 by performing the following steps:
- Create a pipapo set (Set A).
- Add elements (B and C) to Set A.
- Mark Set A as dirty by adding a third element (D).
- Delete Set A, triggering the nft_pipapo_destroy() function.
This sequence results in the double-free of elements B and C, allowing the attacker to manipulate the heap and potentially execute arbitrary code. The flaw arises because the nft_pipapo_destroy() function does not properly handle the destruction of elements in the match and clone structures when the set is dirty. This oversight leads to the double-free condition, which can be exploited to achieve privilege escalation.
Mitigation and Fixes
The Linux kernel development community has addressed the vulnerability by implementing several fixes:
- Ensuring that the cloning process always provides a current view of the lookup table.
- Integrating nft_set_pipapo into the commit protocol to prevent double-free occurrences.
- Releasing elements in the clone structure only from the destroy path.
These changes were introduced in commit 212ed75dc5fb, following the earlier commit 9827a0e6e23b, which addressed related issues. Users are advised to update their systems to kernel versions that include these fixes to mitigate the risk associated with this flaw.
Conclusion
This flaw highlights the importance of rigorous memory management in kernel development. The double-free vulnerability in the nftables subsystem highlights the potential security risks inherent in complex packet filtering mechanisms. System administrators and users are strongly encouraged to apply the necessary patches to protect against potential exploitation of this flaw.
