发布于3月6日3月6日 Members Red Hat: CVE-2024-35898: kernel: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() (Multiple Advisories) Severity 5 CVSS (AV:L/AC:L/Au:S/C:N/I:N/A:C) Published 05/19/2024 Created 07/16/2024 Added 07/16/2024 Modified 12/05/2024 Description In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). And thhere is not any protection when iterate over nf_tables_flowtables list in __nft_flowtable_type_get(). Therefore, there is pertential data-race of nf_tables_flowtables list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller nft_flowtable_type_get() to protect the entire type query process. Solution(s) redhat-upgrade-kernel redhat-upgrade-kernel-rt References CVE-2024-35898 RHSA-2024:4533 RHSA-2024:4554 RHSA-2024:5928 RHSA-2024:6993 RHSA-2024:8856 RHSA-2024:8870 View more
