CVE-2022-48935 in Linux
Summary
by MITRE • 08/22/2024
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: unregister flowtable hooks on netns exit
Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF.
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
__dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline]
__kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652
__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 09/30/2024
The vulnerability described in CVE-2022-48935 represents a critical use-after-free condition within the Linux kernel's netfilter subsystem, specifically affecting the nf_tables framework. This issue occurs during the cleanup process of flowtable hooks when a network namespace is exiting, creating a scenario where memory is accessed after it has been freed, potentially leading to system instability or privilege escalation. The vulnerability manifests through KASAN (Kernel Address Sanitizer) reporting a use-after-free error in the nf_hook_entries_grow function, which is part of the core netfilter infrastructure responsible for managing packet filtering hooks. The flaw is particularly dangerous because it involves the interaction between multiple kernel subsystems including netfilter, flowtable management, and network namespace handling.
The technical root cause stems from an improper ordering of operations during flowtable cleanup. When a network namespace is being destroyed, the kernel attempts to unregister flowtable hooks before fully releasing the associated resources. This sequence creates a window where hook entries may still be referenced by ongoing packet processing paths, even though the underlying memory structures have been freed. The specific call trace shows the execution path leading to the UAF condition through nf_hook_entries_grow, which is invoked during hook registration and subsequently during cleanup. This improper sequence violates fundamental memory safety principles and creates a classic race condition between resource cleanup and active usage. The vulnerability is classified under CWE-416 as Use After Free, which is a well-known category of memory safety issues that can lead to arbitrary code execution.
The operational impact of this vulnerability extends beyond simple system crashes, potentially enabling attackers to exploit the use-after-free condition for privilege escalation or denial of service attacks. Since the vulnerability occurs in kernel space, successful exploitation could allow malicious actors to gain elevated privileges or cause system-wide instability. The flaw is particularly concerning in environments where network namespaces are frequently created and destroyed, as the probability of triggering the race condition increases. Network filtering and firewall systems that rely heavily on nf_tables and flowtable functionality are at heightened risk, as these components are commonly used in security-critical deployments. The vulnerability demonstrates the complexity of managing reference counting and synchronization in kernel-level networking subsystems, where improper ordering of operations can have severe consequences.
Mitigation strategies for this vulnerability focus on ensuring proper resource cleanup ordering within the kernel's netfilter subsystem. The fix implemented in the patched kernel version addresses the issue by ensuring that flowtable hooks are properly unregistered before the flowtable resources are freed, thereby eliminating the race condition that leads to the use-after-free scenario. System administrators should prioritize applying the relevant kernel patches as soon as possible, particularly in production environments where network namespaces are actively used. Monitoring systems should be enhanced to detect potential exploitation attempts through unusual patterns in network namespace creation and destruction. The vulnerability also highlights the importance of kernel security testing and the value of automated tools like syzkaller in identifying such subtle memory safety issues. Organizations should also consider implementing additional network segmentation and access controls to limit the potential impact of any successful exploitation attempts, while maintaining comprehensive logging of network namespace operations for forensic analysis.