CVE-2023-52924

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/02/2025
Last modified:
05/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't skip expired elements during walk

There is an asymmetry between commit/abort and preparation phase if the
following conditions are met:

1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled

In this case, following sequence is problematic:

1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements
from preparation phase
4. kernel does another set walk to remove elements from the commit phase
(or another walk to do a chain->use increment for all elements from
abort phase)

If E has already expired in 1), it will be ignored during list walk, so its use count
won't have been changed.

Then, when set is culled, ->destroy callback will zap the element via
nf_tables_set_elem_destroy(), but this function is only safe for
elements that have been deactivated earlier from the preparation phase:
lack of earlier deactivate removes the element but leaks the chain use
count, which results in a WARN splat when the chain gets removed later,
plus a leak of the nft_chain structure.

Update pipapo_get() not to skip expired elements, otherwise flush
command reports bogus ENOENT errors.
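The following is an added example, not code from the Linux kernel or from the fix itself. It models in plain C the asymmetry the commit message describes: a verdict-map set whose elements each hold a reference (a use count) on chain "foo", a preparation-phase walk that drops those references, and a commit-phase destroy that zaps every element regardless of expiry. The struct names, the `skip_expired` switch, the tick values and the `get_elem()` lookup are all assumptions made up for this illustration; the only point it is meant to show is that skipping expired elements in the preparation walk (but not in destroy) leaves the chain use count non-zero, and that a lookup which skips expired elements reports ENOENT for an element that is still in the set.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an nft_chain: only the reference count matters here. */
struct chain {
    const char *name;
    int use;            /* references from verdict-map elements that jump to it */
};

/* Constructed model of a verdict-map element: key -> jump chain, with a timeout. */
struct elem {
    unsigned key;
    struct chain *jump;
    unsigned long expires;   /* tick at which the element expires; 0 = no timeout */
    bool deactivated;
};

#define NELEMS 3

static bool elem_expired(const struct elem *e, unsigned long now)
{
    return e->expires != 0 && e->expires <= now;
}

/* Preparation phase: walk the set, deactivate each element and drop the
 * chain use count it holds. With skip_expired == true the walk behaves like
 * the buggy kernel walk and silently ignores already-expired elements. */
static void deactivate_walk(struct elem *set, size_t n, unsigned long now,
                            bool skip_expired)
{
    for (size_t i = 0; i < n; i++) {
        if (skip_expired && elem_expired(&set[i], now))
            continue;
        set[i].deactivated = true;
        set[i].jump->use--;
    }
}

/* Commit phase: the set's destroy path removes every element, expired or
 * not. It assumes the use count was already dropped during deactivation,
 * so it does not touch chain->use itself. */
static void destroy_walk(struct elem *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        set[i].jump = NULL;     /* element memory would be freed here */
}

/* Build a set of three elements jumping to chain "foo", let one of them
 * expire, then delete the set. Returns the chain use count left behind:
 * 0 means every reference was released, anything else is a leaked reference. */
int simulate_set_delete(bool skip_expired)
{
    struct chain foo = { "foo", 0 };
    struct elem set[NELEMS] = {
        { 1, &foo, 0,   false },  /* no timeout */
        { 2, &foo, 50,  false },  /* expires at tick 50 */
        { 3, &foo, 500, false },  /* expires at tick 500 */
    };
    for (size_t i = 0; i < NELEMS; i++)
        foo.use++;                /* adding a jump element takes a chain reference */

    unsigned long now = 100;      /* element 2 has expired but not been collected */
    deactivate_walk(set, NELEMS, now, skip_expired);
    destroy_walk(set, NELEMS);
    return foo.use;
}

/* Models the later chain removal: a non-zero use count is the WARN condition. */
bool chain_delete_would_warn(int use)
{
    return use != 0;
}

/* Constructed lookup in the style of the pipapo get path used by flush.
 * A lookup that skips expired elements reports ENOENT for an element that
 * is still present, which is the bogus error the commit message mentions. */
int get_elem(const struct elem *set, size_t n, unsigned key,
             unsigned long now, bool skip_expired)
{
    for (size_t i = 0; i < n; i++) {
        if (set[i].key != key)
            continue;
        if (skip_expired && elem_expired(&set[i], now))
            return -ENOENT;
        return 0;
    }
    return -ENOENT;
}

int main(void)
{
    int leaked = simulate_set_delete(true);
    int clean  = simulate_set_delete(false);
    printf("skip expired: chain use left = %d (warn on chain delete: %s)\n",
           leaked, chain_delete_would_warn(leaked) ? "yes" : "no");
    printf("walk all:     chain use left = %d (warn on chain delete: %s)\n",
           clean, chain_delete_would_warn(clean) ? "yes" : "no");

    struct chain foo = { "foo", 1 };
    struct elem set[1] = { { 2, &foo, 50, false } };
    printf("flush lookup of expired element: skip=%d, walk-all=%d\n",
           get_elem(set, 1, 2, 100, true), get_elem(set, 1, 2, 100, false));
    return 0;
}
```

The model deliberately keeps the destroy path ignorant of the use count, because that is the contract the commit message describes: nf_tables_set_elem_destroy() is only safe for elements that were deactivated in the preparation phase, so any element the preparation walk skips is exactly one leaked chain reference.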

Impact