Total vulnerabilities in the database
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout
While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path.
Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout").
Fix this by setting on the dead flag for anonymous sets to skip async gc in this case.
According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too.
| Software | From | Fixed in |
|---|---|---|
| linux / linux_kernel | - | 5.4.274 |
| linux / linux_kernel | 5.5 | 5.10.215 |
| linux / linux_kernel | 6.2 | 6.6.24 |
| linux / linux_kernel | 6.7 | 6.7.12 |
| linux / linux_kernel | 5.11 | 5.15.154 |
| linux / linux_kernel | 5.16 | 6.1.84 |
| debian / debian_linux | 10.0 | 10.0.x |