
Hi, I am experiencing kernel crashes on AlmaLinux 8 caused by an unassigned CVE in the Linux kernel related to a double-free/Use-After-Free vulnerability. After analyzing the vmcore crash dump, I discovered that the AlmaLinux kernel contains changes introduced by commit f6c383b8c31a but is not patched with the fix provided in commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5.

According to this discussion, the issue was introduced by commit f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API") and subsequently resolved by commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5 ("netfilter: nft_set_hash: skip duplicated elements pending gc"). See what they are saying on the mailing list: https://lore.kernel.org/netdev/20241205002854.162490-3-pablo@netfilter.org/T...

The root cause is described as follows:
6) Fix possible double-free in nft_hash garbage collector due to unstable walk iterator that can provide twice the same element. Use a sequence number to skip expired/dead elements that have been already scheduled for removal. Based on patch from Laurent Fasnach
This unpatched vulnerability in the AlmaLinux 8 kernel results in potential Denial-of-Service (DoS) or crashes, especially when the server utilizes nftables+dynset firewall rules. It also provides a vector for privilege escalation (LPE) when user namespaces are enabled. The relevant crash dump from my system is shown below:

```
------------[ cut here ]------------
kernel BUG at mm/slub.c:380!
invalid opcode: 0000 [#1] SMP PTI
CPU: 13 PID: 3660872 Comm: goiptrace Kdump: loaded Tainted: G W X -------- - - 4.18.0-553.27.1.el8_10.x86_64 #1
Hardware name: XXX
RIP: 0010:__slab_free+0x19b/0x330
Code: 1f 44 00 00 eb 9c 41 f7 46 08 00 0d 21 00 0f 85 16 ff ff ff 4d 85 ed 0f 85 0d ff ff ff 80 4c 24 5b 80 45 31 ff e9 57 ff ff ff <0f> 0b 49 3b 54 24 28 75 c4 49 89 5c 24 20 49 89 4c 24 28 49 0f ba
RSP: 0000:ffffaf87867bcd90 EFLAGS: 00010246
RAX: ffff99c6a85a13e0 RBX: ffff99c6a85a1380 RCX: ffff99c6a85a1380
RDX: 00000000002a001c RSI: ffffd55c47a16800 RDI: ffff99c5c0004e00
RBP: ffffaf87867bce30 R08: 0000000000000001 R09: ffffffffc0783137
R10: ffff99c6a85a1380 R11: 0000000000000029 R12: ffffd55c47a16800
R13: ffff99c6a85a1380 R14: ffff99c5c0004e00 R15: 0000000000000001
FS:  000000c000284c90(0000) GS:ffff99e4ffb40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00001931ccf4e000 CR3: 0000000ae9b46006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ? __die_body+0x1a/0x60
 ? die+0x2a/0x50
 ? do_trap+0xe7/0x110
 ? __slab_free+0x19b/0x330
 ? do_invalid_op+0x36/0x40
 ? __slab_free+0x19b/0x330
 ? invalid_op+0x14/0x20
 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 ? __slab_free+0x19b/0x330
 ? __unfreeze_partials+0x15b/0x1a0
 ? __update_load_avg_cfs_rq+0x27a/0x300
 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 kfree+0x22e/0x250
 nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 rcu_do_batch+0x1c5/0x4b0
 rcu_core+0x14c/0x210
 __do_softirq+0xdc/0x2cf
 irq_exit_rcu+0xc6/0xd0
 irq_exit+0xa/0x10
 smp_apic_timer_interrupt+0x74/0x130
 apic_timer_interrupt+0xf/0x20
 </IRQ>
RIP: 0033:0x4231b2
Code: 23 4c 89 44 24 38 e8 cd 42 ff ff 48 85 f6 0f 84 a0 00 00 00 48 8b 94 24 88 00 00 00 49 89 f1 48 8b 74 24 48 4d 89 c8 4d 8b 09 <49> 29 d0 4d 85 c9 74 b0 4d 89 ca 49 29 d1 4c 39 ce 77 a5 4c 89 44
RSP: 002b:000000c000199e90 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 000000c002f19400 RBX: 0000000000000280 RCX: 294a529000000000
RDX: 000000c002f19200 RSI: 0000000000000480 RDI: 0000000000000040
RBP: 000000c000199f08 R08: 000000c002f19510 R09: 000000c000b1c690
R10: 00007fab2c7b1cfe R11: 00000000000002f8 R12: 0000000000000002
R13: 000000000000000b R14: 000000c0002a09c0 R15: 0000000000000001
Modules linked in: nbd rbd libceph binfmt_misc rpcsec_gss_krb5 nfsv4 dns_resolver nfs lockd grace fscache mptcp_diag tcp_diag udp_diag raw_diag inet_diag unix_diag xt_multiport xt_TPROXY nf_tproxy_ipv6 nf_tproxy_ipv4 cls_bpf sch_ingress vxlan ip6_udp_tunnel udp_tunnel veth xt_CT xt_socket nf_socket_ipv4 nf_socket_ipv6 ip6table_filter ip6table_raw ip6table_mangle ip6_tables iptable_filter iptable_raw iptable_mangle iptable_nat ip_tables xt_statistic xt_nat xt_addrtype ipt_REJECT nf_reject_ipv4 ip_set ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs ip6t_MASQUERADE ipt_MASQUERADE xt_conntrack xt_comment xt_mark nft_compat nft_chain_nat nf_nat nf_conntrack_netlink 8021q garp mrp bonding tls(X) bridge stp llc nfnetlink_log nft_limit nft_log nft_counter nf_tables_set nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink overlay vfat fat intel_rapl_msr intel_rapl_common intel_uncore_frequency intel_uncore_frequency_common sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass iTCO_wdt crct10dif_pclmul crc32_pclmul iTCO_vendor_support ghash_clmulni_intel rapl intel_cstate ipmi_si intel_uncore ipmi_devintf ipmi_msghandler pcspkr joydev mei_me i2c_i801 mei lpc_ich acpi_power_meter acpi_pad auth_rpcgss sunrpc xfs libcrc32c raid1 sd_mod t10_pi sg mpt3sas ahci ixgbe libahci crc32c_intel igb libata raid_class mdio i2c_algo_bit scsi_transport_sas dca dm_mirror dm_region_hash dm_log dm_mod fuse
Red Hat flags: eBPF/rawtrace eBPF/event eBPF/cls eBPF/test
```
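To make the quoted root cause concrete from a defender's point of view, here is a constructed C model of the failure pattern (an unstable walk hands the garbage collector the same dead element twice) next to the sequence-number skip that the fix description relies on. This is an added example, not code from the kernel, from the mailing list or from this report: the `struct elem`, the walk order, the function names and the per-pass `gc_seq` bookkeeping are all assumptions invented for the demonstration, and a "free" is modelled as a counter so that the program itself never frees memory twice.

```c
#include <stdio.h>

#define NELEMS   4
#define WALK_LEN 6

/* Constructed set element (assumption, not the kernel's nft structures). */
struct elem {
    int key;
    int expired;          /* 1 = dead, should be reclaimed by the GC */
    unsigned int gc_seq;  /* GC pass number that already scheduled this element */
    int free_count;       /* times a free was scheduled; anything above 1 is a double free */
};

/* Build a fresh set with two dead elements (keys 1 and 3). */
static int build_set(struct elem *set)
{
    for (int i = 0; i < NELEMS; i++) {
        set[i].key = i;
        set[i].expired = (i == 1 || i == 3);
        set[i].gc_seq = 0;
        set[i].free_count = 0;
    }
    return NELEMS;
}

/* Constructed "unstable" walk order: it yields index 1 and index 3 twice,
 * standing in for an iterator that can provide the same element more than once. */
static const int unstable_walk[WALK_LEN] = { 0, 1, 2, 1, 3, 3 };

/* One garbage-collection pass over the elements the walk yields.
 * use_seq == 0 models the unpatched behaviour: every dead element seen is
 * scheduled for removal, duplicates included.
 * use_seq == 1 tags each element with the current pass number and skips an
 * element already tagged in this pass. Returns the number of frees scheduled. */
static int gc_pass(struct elem *set, const int *walk, int walk_len,
                   unsigned int gc_seq, int use_seq)
{
    int scheduled = 0;

    for (int i = 0; i < walk_len; i++) {
        struct elem *e = &set[walk[i]];

        if (!e->expired)
            continue;                 /* live element: nothing to collect */

        if (use_seq) {
            if (e->gc_seq == gc_seq)
                continue;             /* already queued in this pass: skip it */
            e->gc_seq = gc_seq;
        }

        e->free_count++;              /* stands in for queueing the element's free */
        scheduled++;
    }
    return scheduled;
}

/* Number of elements whose free was scheduled more than once. */
static int count_double_frees(const struct elem *set, int n)
{
    int dup = 0;
    for (int i = 0; i < n; i++)
        if (set[i].free_count > 1)
            dup++;
    return dup;
}

/* Run one pass (pass number 1) on a fresh set; report double frees. */
int double_frees_for(int use_seq)
{
    struct elem set[NELEMS];
    int n = build_set(set);
    gc_pass(set, unstable_walk, WALK_LEN, 1, use_seq);
    return count_double_frees(set, n);
}

/* Same pass; report how many frees were scheduled in total. */
int scheduled_for(int use_seq)
{
    struct elem set[NELEMS];
    build_set(set);
    return gc_pass(set, unstable_walk, WALK_LEN, 1, use_seq);
}

int main(void)
{
    printf("unpatched : %d frees scheduled, %d element(s) freed twice\n",
           scheduled_for(0), double_frees_for(0));
    printf("with gc_seq: %d frees scheduled, %d element(s) freed twice\n",
           scheduled_for(1), double_frees_for(1));
    return 0;
}
```

In the unpatched branch both dead elements are scheduled twice, which is the shape of the `kfree()` reached from `nft_trans_gc_trans_free` in the trace above; with the per-pass sequence number each dead element is scheduled exactly once, and a repeated visit within the same pass is ignored rather than freed again. The model deliberately does not touch the allocator, so the counters are what a reviewer would check, not a crash.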