fkie_cve-2022-49110
Vulnerability from fkie_nvd
Published
2025-02-26 07:00
Modified
2025-02-26 07:00
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: revisit gc autotuning as of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle") conntrack gc was changed to run every 2 minutes. On systems where conntrack hash table is set to large value, most evictions happen from gc worker rather than the packet path due to hash table distribution. This causes netlink event overflows when events are collected. This change collects average expiry of scanned entries and reschedules to the average remaining value, within 1 to 60 second interval. To avoid event overflows, reschedule after each bucket and add a limit for both run time and number of evictions per run. If more entries have to be evicted, reschedule and restart 1 jiffy into the future.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/2cfadb761d3d0219412fd8150faea60c7e863833
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/58d52743ae85d28c9335c6034d6ce350b8689951
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/592e57591826f3d09c28d755a39ea8e9d13705ad
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7cd361d5e6d986c0d4cafb9ceaa803359048ae15
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: conntrack: revisit gc autotuning\n\nas of commit 4608fdfc07e1\n(\"netfilter: conntrack: collect all entries in one cycle\")\nconntrack gc was changed to run every 2 minutes.\n\nOn systems where conntrack hash table is set to large value, most evictions\nhappen from gc worker rather than the packet path due to hash table\ndistribution.\n\nThis causes netlink event overflows when events are collected.\n\nThis change collects average expiry of scanned entries and\nreschedules to the average remaining value, within 1 to 60 second interval.\n\nTo avoid event overflows, reschedule after each bucket and add a\nlimit for both run time and number of evictions per run.\n\nIf more entries have to be evicted, reschedule and restart 1 jiffy\ninto the future."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: netfilter: conntrack: volver a realizar el ajuste autom\u00e1tico de gc a partir de el commit 4608fdfc07e1 (\"netfilter: conntrack: recopilar todas las entradas en un ciclo\") Se modific\u00f3 conntrack gc para que se ejecute cada 2 minutos. En sistemas en los que la tabla hash de conntrack est\u00e1 configurada con un valor grande, la mayor\u00eda de los desalojos se producen desde el trabajador de gc en lugar de la ruta del paquete debido a la distribuci\u00f3n de la tabla hash. Esto provoca desbordamientos de eventos de netlink cuando se recopilan eventos. Este cambio recopila la expiraci\u00f3n promedio de las entradas escaneadas y reprograma al valor restante promedio, dentro de un intervalo de 1 a 60 segundos. Para evitar desbordamientos de eventos, reprograme despu\u00e9s de cada dep\u00f3sito y agregue un l\u00edmite tanto para el tiempo de ejecuci\u00f3n como para la cantidad de desalojos por ejecuci\u00f3n. Si se deben desalojar m\u00e1s entradas, reprograme y reinicie 1 santiam\u00e9n en el futuro."
    }
  ],
  "id": "CVE-2022-49110",
  "lastModified": "2025-02-26T07:00:48.363",
  "metrics": {},
  "published": "2025-02-26T07:00:48.363",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/2cfadb761d3d0219412fd8150faea60c7e863833"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/58d52743ae85d28c9335c6034d6ce350b8689951"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/592e57591826f3d09c28d755a39ea8e9d13705ad"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7cd361d5e6d986c0d4cafb9ceaa803359048ae15"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.