CVE-2023-54200

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_tables: always release netdev hooks from notifier

This reverts "netfilter: nf_tables: skip netdev events generated on netns removal".

The problem is that when a veth device is released, the veth release callback will also queue the peer netns device for removal.

Its possible that the peer netns is also slated for removal. In this case, the device memory is already released before the pre_exit hook of the peer netns runs:

BUG: KASAN: slab-use-after-free in nfhookentryhead+0x1b8/0x1d0 Read of size 8 at addr ffff88812c0124f0 by task kworker/u8:1/45 Workqueue: netns cleanupnet Call Trace: nfhookentry_head+0x1b8/0x1d0 __nfunregisternethook+0x76/0x510 nftnetdevunregisterhooks+0xa0/0x220 __nftreleasehook+0x184/0x490 nftablespreexitnet+0x12f/0x1b0 ..

Order is: 1. First netns is released, vethdellink() queues peer netns device for removal 2. peer netns is queued for removal 3. peer netns device is released, unreg event is triggered 4. unreg event is ignored because netns is going down 5. preexit hook calls nftnetdevunregister_hooks but device memory might be free'd already.