CVE-2023-52925

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
05/02/2025
Last modified:
06/02/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: don't fail inserts if duplicate has expired

nftables selftests fail:
run-tests.sh testcases/sets/0044interval_overlap_0
Expected: 0-2 . 0-3, got:
W: [FAILED] ./testcases/sets/0044interval_overlap_0: got 1

Insertion must ignore duplicate but expired entries.

Moreover, there is a strange asymmetry in nft_pipapo_activate:

It refetches the current element, whereas the other ->activate callbacks
(bitmap, hash, rhash, rbtree) use elem->priv.
Same for .remove: other set implementations take elem->priv,
nft_pipapo_remove fetches elem->priv, then does a relookup,
remove this.

I suspect this was the reason for the change that prompted the
removal of the expired check in pipapo_get() in the first place,
but skipping expired elements there makes no sense to me, this helper
is used for normal get requests, insertions (duplicate check)
and the deactivate callback.

In the first two cases expired elements must be skipped.

For ->deactivate(), this gets called for DELSETELEM, so it
seems to me that expired elements should be skipped as well, i.e.
delete request should fail with -ENOENT error.