Hi,
I am experiencing kernel crashes on AlmaLinux 8 caused by an unassigned CVE in 
the Linux kernel related to a double-free/Use-After-Free vulnerability.
After analyzing the vmcore crash dump, I discovered that the AlmaLinux kernel 
contains changes introduced by commit f6c383b8c31a but is not patched with the 
fix provided in commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5.

According to this discussion, the issue was introduced by commit:
f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction 
API") and subsequently resolved by commit: 
7ffc7481153bbabf3332c6a19b289730c7e1edf5 ("netfilter: nft_set_hash: skip 
duplicated elements pending gc")

See what they are saying on the mailing list: 
https://lore.kernel.org/netdev/[email protected]/T/
The root cause is described as follows:
> 6) Fix possible double-free in nft_hash garbage collector due to unstable
>    walk iterator that can provide twice the same element. Use a sequence
>    number to skip expired/dead elements that have been already scheduled
>    for removal. Based on patch from Laurent Fasnach

This unpatched vulnerability in the AlmaLinux 8 kernel results in potential 
Denial-of-Service (DoS) or crashes, especially when the server utilizes 
nftables+dynset firewall rules. 
It also provides a vector for privilege escalation (LPE) when user namespaces 
are enabled.

The relevant crash dump from my system is shown below:
```
------------[ cut here ]------------
kernel BUG at mm/slub.c:380!
invalid opcode: 0000 [#1] SMP PTI
CPU: 13 PID: 3660872 Comm: goiptrace Kdump: loaded Tainted: G        W      X  
-------- -  - 4.18.0-553.27.1.el8_10.x86_64 #1
Hardware name: XXX
RIP: 0010:__slab_free+0x19b/0x330
Code: 1f 44 00 00 eb 9c 41 f7 46 08 00 0d 21 00 0f 85 16 ff ff ff 4d 85 ed 0f 
85 0d ff ff ff 80 4c 24 5b 80 45 31 ff e9 57 ff ff ff <0f> 0b 49 3b 54 24 28 75 
c4 49 89 5c 24 20 49 89 4c 24 28 49 0f ba
RSP: 0000:ffffaf87867bcd90 EFLAGS: 00010246
RAX: ffff99c6a85a13e0 RBX: ffff99c6a85a1380 RCX: ffff99c6a85a1380
RDX: 00000000002a001c RSI: ffffd55c47a16800 RDI: ffff99c5c0004e00
RBP: ffffaf87867bce30 R08: 0000000000000001 R09: ffffffffc0783137
R10: ffff99c6a85a1380 R11: 0000000000000029 R12: ffffd55c47a16800
R13: ffff99c6a85a1380 R14: ffff99c5c0004e00 R15: 0000000000000001
FS:  000000c000284c90(0000) GS:ffff99e4ffb40000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00001931ccf4e000 CR3: 0000000ae9b46006 CR4: 00000000003706e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 ? __die_body+0x1a/0x60
 ? die+0x2a/0x50
 ? do_trap+0xe7/0x110
 ? __slab_free+0x19b/0x330
 ? do_invalid_op+0x36/0x40
 ? __slab_free+0x19b/0x330
 ? invalid_op+0x14/0x20
 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 ? __slab_free+0x19b/0x330
 ? __unfreeze_partials+0x15b/0x1a0
 ? __update_load_avg_cfs_rq+0x27a/0x300
 ? nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 kfree+0x22e/0x250
 nft_trans_gc_trans_free+0x97/0xd0 [nf_tables]
 rcu_do_batch+0x1c5/0x4b0
 rcu_core+0x14c/0x210
 __do_softirq+0xdc/0x2cf
 irq_exit_rcu+0xc6/0xd0
 irq_exit+0xa/0x10
 smp_apic_timer_interrupt+0x74/0x130
 apic_timer_interrupt+0xf/0x20
 </IRQ>
RIP: 0033:0x4231b2
Code: 23 4c 89 44 24 38 e8 cd 42 ff ff 48 85 f6 0f 84 a0 00 00 00 48 8b 94 24 
88 00 00 00 49 89 f1 48 8b 74 24 48 4d 89 c8 4d 8b 09 <49> 29 d0 4d 85 c9 74 b0 
4d 89 ca 49 29 d1 4c 39 ce 77 a5 4c 89 44
RSP: 002b:000000c000199e90 EFLAGS: 00000202 ORIG_RAX: ffffffffffffff13
RAX: 000000c002f19400 RBX: 0000000000000280 RCX: 294a529000000000
RDX: 000000c002f19200 RSI: 0000000000000480 RDI: 0000000000000040
RBP: 000000c000199f08 R08: 000000c002f19510 R09: 000000c000b1c690
R10: 00007fab2c7b1cfe R11: 00000000000002f8 R12: 0000000000000002
R13: 000000000000000b R14: 000000c0002a09c0 R15: 0000000000000001
Modules linked in: nbd rbd libceph binfmt_misc rpcsec_gss_krb5 nfsv4 
dns_resolver nfs lockd grace fscache mptcp_diag tcp_diag udp_diag raw_diag 
inet_diag unix_diag xt_multiport xt_TPROXY nf_tproxy_ipv6 nf_tproxy_ipv4 
cls_bpf sch_ingress vxlan ip6_udp_tunnel udp_tunnel veth xt_CT xt_socket 
nf_socket_ipv4 nf_socket_ipv6 ip6table_filter ip6table_raw ip6table_mangle 
ip6_tables iptable_filter iptable_raw iptable_mangle iptable_nat ip_tables 
xt_statistic xt_nat xt_addrtype ipt_REJECT nf_reject_ipv4 ip_set ip_vs_sh 
ip_vs_wrr ip_vs_rr ip_vs ip6t_MASQUERADE ipt_MASQUERADE xt_conntrack xt_comment 
xt_mark nft_compat nft_chain_nat nf_nat nf_conntrack_netlink 8021q garp mrp 
bonding tls(X) bridge stp llc nfnetlink_log nft_limit nft_log nft_counter 
nf_tables_set nft_ct nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables 
nfnetlink overlay vfat fat intel_rapl_msr intel_rapl_common 
intel_uncore_frequency intel_uncore_frequency_common sb_edac 
x86_pkg_temp_thermal intel_powerclamp coretemp
 kvm_intel kvm irqbypass iTCO_wdt crct10dif_pclmul crc32_pclmul 
iTCO_vendor_support ghash_clmulni_intel rapl intel_cstate ipmi_si intel_uncore 
ipmi_devintf ipmi_msghandler pcspkr joydev mei_me i2c_i801 mei lpc_ich 
acpi_power_meter acpi_pad auth_rpcgss sunrpc xfs libcrc32c raid1 sd_mod t10_pi 
sg mpt3sas ahci ixgbe libahci crc32c_intel igb libata raid_class mdio 
i2c_algo_bit scsi_transport_sas dca dm_mirror dm_region_hash dm_log dm_mod fuse
Red Hat flags: eBPF/rawtrace eBPF/event eBPF/cls eBPF/test
```
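A small model of the failure mode quoted above and of the sequence-number approach the fix describes, added here as an illustration; this is not the kernel's code nor anything from the report, and the element layout, the constructed walk order (element 2 yielded twice) and the leftover element from an earlier dropped batch are all assumptions of the model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical model of a set element: 'dead' = expired and queued for
 * removal, gc_seq = the collector pass that queued it. */
struct elem { int key; bool expired, dead; uint32_t gc_seq; int freed; };

#define NELEM 3
#define WALK_LEN 4
static struct elem pool[NELEM];
static struct elem *walk_order[WALK_LEN];  /* constructed walk sequence */
static struct elem *queue[WALK_LEN];
static int queued;

/* Constructed state: element 1 was marked dead by an earlier pass (seq-1)
 * whose batch was dropped; element 2 is yielded twice by the walker. */
static void setup(uint32_t seq) {
    for (int i = 0; i < NELEM; i++)
        pool[i] = (struct elem){ .key = i, .expired = (i != 0) };
    pool[1].dead = true;
    pool[1].gc_seq = seq - 1;
    walk_order[0] = &pool[0]; walk_order[1] = &pool[1];
    walk_order[2] = &pool[2]; walk_order[3] = &pool[2];
    queued = 0;
}

/* One collector pass; skip_pending selects the fixed behaviour. Returns
 * the highest release count of any element (2 means a double free). */
static int gc_pass(uint32_t seq, bool skip_pending) {
    setup(seq);
    for (int i = 0; i < WALK_LEN; i++) {
        struct elem *e = walk_order[i];
        if (!e->expired)
            continue;
        /* Fix: dead and queued by this very pass means the walker handed
         * us a duplicate; an older gc_seq is a leftover still to collect. */
        if (skip_pending && e->dead && e->gc_seq == seq)
            continue;
        e->dead = true;
        e->gc_seq = seq;
        queue[queued++] = e;
    }
    for (int i = 0; i < queued; i++)    /* batch released (RCU callback) */
        queue[i]->freed++;
    int worst = 0;
    for (int i = 0; i < NELEM; i++)
        if (pool[i].freed > worst) worst = pool[i].freed;
    return worst;
}
```

Without the check the duplicate walk entry is queued and released twice, which is the double free that ends in `kfree` from `nft_trans_gc_trans_free` in the trace above; with it, the leftover element is still collected exactly once.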
