ghsa-rj62-f3v9-qqwj
Vulnerability from github
Published
2025-10-01 12:30
Modified
2025-10-01 12:30
Details

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: do not ignore genmask when looking up chain by id

When adding a rule to a chain referring to its ID, if that chain had been deleted on the same batch, the rule might end up referring to a deleted chain.

This will lead to a WARNING like following:

[ 33.098431] ------------[ cut here ]------------ [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260 [ 33.099217] Modules linked in: [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409 [ 33.099726] Workqueue: events nf_tables_trans_destroy_work [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260 [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202 [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000 [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000 [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500 [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10 [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000 [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0 [ 33.104872] PKRU: 55555554 [ 33.104999] Call Trace: [ 33.105113] [ 33.105214] ? show_regs+0x72/0x90 [ 33.105371] ? __warn+0xa5/0x210 [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.105732] ? report_bug+0x1f2/0x200 [ 33.105902] ? handle_bug+0x46/0x90 [ 33.106546] ? exc_invalid_op+0x19/0x50 [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20 [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.107249] ? nf_tables_chain_destroy+0x30/0x260 [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680 [ 33.107782] ? mark_held_locks+0x28/0xa0 [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70 [ 33.108538] process_one_work+0x68c/0xb70 [ 33.108755] ? lock_acquire+0x17f/0x420 [ 33.108977] ? __pfx_process_one_work+0x10/0x10 [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0 [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80 [ 33.109634] worker_thread+0x2bd/0x700 [ 33.109817] ? __pfx_worker_thread+0x10/0x10 [ 33.110254] kthread+0x18b/0x1d0 [ 33.110410] ? __pfx_kthread+0x10/0x10 [ 33.110581] ret_from_fork+0x29/0x50 [ 33.110757] [ 33.110866] irq event stamp: 1651 [ 33.111017] hardirqs last enabled at (1659): [] __up_console_sem+0x79/0xa0 [ 33.111379] hardirqs last disabled at (1666): [] __up_console_sem+0x5e/0xa0 [ 33.111740] softirqs last enabled at (1616): [] __irq_exit_rcu+0x9e/0xe0 [ 33.112094] softirqs last disabled at (1367): [] __irq_exit_rcu+0x9e/0xe0 [ 33.112453] ---[ end trace 0000000000000000 ]---

This is due to the nft_chain_lookup_byid ignoring the genmask. After this change, adding the new rule will fail as it will not find the chain.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2023-53492"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-10-01T12:15:52Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_tables: do not ignore genmask when looking up chain by id\n\nWhen adding a rule to a chain referring to its ID, if that chain had been\ndeleted on the same batch, the rule might end up referring to a deleted\nchain.\n\nThis will lead to a WARNING like following:\n\n[   33.098431] ------------[ cut here ]------------\n[   33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260\n[   33.099217] Modules linked in:\n[   33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409\n[   33.099726] Workqueue: events nf_tables_trans_destroy_work\n[   33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260\n[   33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc \u003c0f\u003e 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7\n[   33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202\n[   33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000\n[   33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\n[   33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000\n[   33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500\n[   33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10\n[   33.103762] FS:  0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000\n[   33.104184] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0\n[   33.104872] PKRU: 55555554\n[   33.104999] Call Trace:\n[   33.105113]  \u003cTASK\u003e\n[   33.105214]  ? show_regs+0x72/0x90\n[   33.105371]  ? __warn+0xa5/0x210\n[   33.105520]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.105732]  ? report_bug+0x1f2/0x200\n[   33.105902]  ? handle_bug+0x46/0x90\n[   33.106546]  ? exc_invalid_op+0x19/0x50\n[   33.106762]  ? asm_exc_invalid_op+0x1b/0x20\n[   33.106995]  ? nf_tables_chain_destroy+0x23d/0x260\n[   33.107249]  ? nf_tables_chain_destroy+0x30/0x260\n[   33.107506]  nf_tables_trans_destroy_work+0x669/0x680\n[   33.107782]  ? mark_held_locks+0x28/0xa0\n[   33.107996]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10\n[   33.108294]  ? _raw_spin_unlock_irq+0x28/0x70\n[   33.108538]  process_one_work+0x68c/0xb70\n[   33.108755]  ? lock_acquire+0x17f/0x420\n[   33.108977]  ? __pfx_process_one_work+0x10/0x10\n[   33.109218]  ? do_raw_spin_lock+0x128/0x1d0\n[   33.109435]  ? _raw_spin_lock_irq+0x71/0x80\n[   33.109634]  worker_thread+0x2bd/0x700\n[   33.109817]  ? __pfx_worker_thread+0x10/0x10\n[   33.110254]  kthread+0x18b/0x1d0\n[   33.110410]  ? __pfx_kthread+0x10/0x10\n[   33.110581]  ret_from_fork+0x29/0x50\n[   33.110757]  \u003c/TASK\u003e\n[   33.110866] irq event stamp: 1651\n[   33.111017] hardirqs last  enabled at (1659): [\u003cffffffffa206a209\u003e] __up_console_sem+0x79/0xa0\n[   33.111379] hardirqs last disabled at (1666): [\u003cffffffffa206a1ee\u003e] __up_console_sem+0x5e/0xa0\n[   33.111740] softirqs last  enabled at (1616): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[   33.112094] softirqs last disabled at (1367): [\u003cffffffffa1f5d40e\u003e] __irq_exit_rcu+0x9e/0xe0\n[   33.112453] ---[ end trace 0000000000000000 ]---\n\nThis is due to the nft_chain_lookup_byid ignoring the genmask. After this\nchange, adding the new rule will fail as it will not find the chain.",
  "id": "GHSA-rj62-f3v9-qqwj",
  "modified": "2025-10-01T12:30:30Z",
  "published": "2025-10-01T12:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53492"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/041e2ac88caef286b39064e83e825e3f53113d36"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/4ae2e501331aaa506eaf760339bb2f43e5769395"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/515ad530795c118f012539ed76d02bacfd426d89"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/5e5e967e8505fbdabfb6497367ec1b808cadc356"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/fc95c8b02c6160936f1f3d8d9d7f4f66f3c84b49"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.