
[ciqlts9_2] netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()#1309

Merged

bmastbergen merged 1 commit into ciqlts9_2 from {bmastbergen}_ciqlts9_2 on Jun 10, 2026

Conversation

@ciq-kernel-automation


Summary

This PR has been automatically created after successful completion of all CI stages.

Commit Message(s)

netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

jira VULN-176072
cve CVE-2026-23111
commit-author Andrew Fasano <andrew.fasano@nist.gov>
commit f41c5d151078c5348271ffaf8e7410d96f2d82f8

Test Results

✅ Build Stage

| Architecture | Build Time | Total Time |
|---|---|---|
| x86_64 | 23m 41s | 24m 30s |
| aarch64 | 12m 45s | 13m 17s |

✅ Boot Verification

✅ Kernel Selftests

| Architecture | Passed | Failed | Compared Against | Status |
|---|---|---|---|---|
| x86_64 | 174 | 24 | ciqlts9_2 | ✅ No regressions |
| aarch64 | 141 | 27 | ciqlts9_2 | ✅ No regressions |

✅ LTP Results

| Architecture | Passed | Failed | Compared Against | Status |
|---|---|---|---|---|
| x86_64 | 1439 | 81 | ciqlts9_2 | ✅ No regressions |
| aarch64 | 1409 | 83 | ciqlts9_2 | ✅ No regressions |

🤖 This PR was automatically generated by GitHub Actions
Run ID: 27229900478

…activate()

jira VULN-176072
cve CVE-2026-23111
commit-author Andrew Fasano <andrew.fasano@nist.gov>
commit f41c5d1

nft_map_catchall_activate() has an inverted element activity check
compared to its non-catchall counterpart nft_mapelem_activate() and
compared to what is logically required.

nft_map_catchall_activate() is called from the abort path to re-activate
catchall map elements that were deactivated during a failed transaction.
It should skip elements that are already active (they don't need
re-activation) and process elements that are inactive (they need to be
restored). Instead, the current code does the opposite: it skips inactive
elements and processes active ones.

Compare the non-catchall activate callback, which is correct:

  nft_mapelem_activate():
    if (nft_set_elem_active(ext, iter->genmask))
        return 0;   /* skip active, process inactive */

With the buggy catchall version:

  nft_map_catchall_activate():
    if (!nft_set_elem_active(ext, genmask))
        continue;   /* skip inactive, process active */

The consequence is that when a DELSET operation is aborted,
nft_setelem_data_activate() is never called for the catchall element.
For NFT_GOTO verdict elements, this means nft_data_hold() is never
called to restore the chain->use reference count. Each abort cycle
permanently decrements chain->use. Once chain->use reaches zero,
DELCHAIN succeeds and frees the chain while catchall verdict elements
still reference it, resulting in a use-after-free.

This is exploitable for local privilege escalation from an unprivileged
user via user namespaces + nftables on distributions that enable
CONFIG_USER_NS and CONFIG_NF_TABLES.

Fix by removing the negation so the check matches nft_mapelem_activate():
skip active elements, process inactive ones.

Fixes: 628bd3e ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Andrew Fasano <andrew.fasano@nist.gov>
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f41c5d1)
Signed-off-by: Brett Mastbergen <bmastbergen@ciq.com>
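To make the inverted check concrete for reviewers, here is a small C model of the reference-count bookkeeping the commit message describes. It is an added example, not code from the kernel, from this PR or from the commit author. Every `model_` name is constructed for this example; the only thing taken from the kernel is the shape of the activity predicate, which follows nft_set_elem_active() (an element is active in a generation when its bit for that generation is clear). The model covers a single deactivate-then-abort transaction and does not attempt to reproduce the kernel's generation-cursor handling across several cycles.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model (not kernel code) of the genmask check discussed in the
 * commit message. As in nf_tables, an element carries one bit per
 * generation and a SET bit means "inactive in that generation"; only the
 * "next" generation bit matters while a transaction is pending.
 */
#define MODEL_GENMASK_NEXT 0x2u

struct model_chain {
	int use;	/* references held by rules/elements that jump to it */
};

struct model_elem {
	uint8_t genmask;
	struct model_chain *goto_chain;	/* NFT_GOTO verdict target */
};

/* Same predicate shape as nft_set_elem_active(): active if the bit is clear. */
static bool model_elem_active(const struct model_elem *e, uint8_t genmask)
{
	return !(e->genmask & genmask);
}

/* Preparation phase of DELSET on a map: mark the catchall element inactive
 * in the next generation and drop the reference its verdict holds. */
static void model_catchall_deactivate(struct model_elem *e)
{
	if (!model_elem_active(e, MODEL_GENMASK_NEXT))
		return;
	e->genmask |= MODEL_GENMASK_NEXT;
	e->goto_chain->use--;		/* like nft_data_release() on the verdict */
}

/* Abort path. With fixed == true the corrected check is used (skip active,
 * restore inactive); otherwise the inverted check from before the fix. */
static void model_catchall_activate(struct model_elem *e, bool fixed)
{
	bool active = model_elem_active(e, MODEL_GENMASK_NEXT);

	if (fixed ? active : !active)
		return;			/* nothing to undo for this element */

	e->genmask &= (uint8_t)~MODEL_GENMASK_NEXT;
	e->goto_chain->use++;		/* like nft_data_hold() restoring chain->use */
}

/*
 * One failed DELSET transaction: deactivate, then abort. Returns chain->use
 * afterwards. Starting state: the catchall verdict element holds the only
 * reference to the chain (use == 1), so a correct abort must return 1.
 */
int model_aborted_delset(bool fixed)
{
	struct model_chain chain = { .use = 1 };
	struct model_elem catchall = { .genmask = 0, .goto_chain = &chain };

	model_catchall_deactivate(&catchall);		/* use -> 0 */
	model_catchall_activate(&catchall, fixed);	/* should bring use back to 1 */
	return chain.use;
}

/* nf_tables refuses DELCHAIN while chain->use > 0; this asks whether, after
 * the aborted DELSET, the chain would be deletable although the catchall
 * element still points at it. */
bool model_delchain_allowed_after(bool fixed)
{
	return model_aborted_delset(fixed) == 0;
}

int main(void)
{
	printf("corrected check: chain->use = %d, DELCHAIN allowed: %s\n",
	       model_aborted_delset(true),
	       model_delchain_allowed_after(true) ? "yes" : "no");
	printf("inverted check:  chain->use = %d, DELCHAIN allowed: %s\n",
	       model_aborted_delset(false),
	       model_delchain_allowed_after(false) ? "yes" : "no");
	return 0;
}
```

With the corrected check the abort restores chain->use to 1 and a later DELCHAIN is still refused; with the inverted check the reference is never restored, chain->use stays at 0, and the chain becomes deletable while the catchall element still references it, which is the dangling reference the commit message describes. The same two calls are what a regression test for this backport would assert on.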
@ciq-kernel-automation ciq-kernel-automation Bot added the created-by-kernelci Tag PRs that were automatically created when a user branch was pushed to the repo (kernelCI) label Jun 9, 2026
@github-actions

github-actions Bot commented Jun 9, 2026


🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27242984209

@github-actions

github-actions Bot commented Jun 9, 2026


JIRA PR Check Results

1 commit(s) with issues found:

Commit 7496d3ffa9e3

Summary: netfilter: nf_tables: fix inverted genmask check in nft_map_catchall_activate()

⚠️ Warnings:

  • VULN-176072: No time logged - please log time manually

Summary: Checked 1 commit(s) total.

@github-actions

github-actions Bot commented Jun 9, 2026


Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27242984209

@github-actions


🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/27245540352

@github-actions


Validation checks completed successfully View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/27245540352

@bmastbergen bmastbergen merged commit 6979057 into ciqlts9_2 Jun 10, 2026
6 checks passed
@bmastbergen bmastbergen deleted the {bmastbergen}_ciqlts9_2 branch June 10, 2026 11:36