CVE-2024-49952

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: prevent nfskb_duplicated corruption

syzbot found that nfdupipv4() or nfdupipv6() could write per-cpu variable nfskbduplicated in an unsafe way [1].

Disabling preemption as hinted by the splat is not enough, we have to disable soft interrupts as well.

[1] BUG: using __thiscpuwrite() in preemptible [00000000] code: syz.4.282/6316 caller is nfdupipv4+0x651/0x8f0 net/ipv4/netfilter/nfdupipv4.c:87 CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024 Call Trace: <TASK> __dumpstack lib/dumpstack.c:93 [inline] dumpstacklvl+0x241/0x360 lib/dumpstack.c:119 checkpreemptiondisabled+0x10e/0x120 lib/smpprocessorid.c:49 nfdupipv4+0x651/0x8f0 net/ipv4/netfilter/nfdupipv4.c:87 nftdupipv4eval+0x1db/0x300 net/ipv4/netfilter/nftdupipv4.c:30 exprcallopseval net/netfilter/nftablescore.c:240 [inline] nftdochain+0x4ad/0x1da0 net/netfilter/nftablescore.c:288 nftdochainipv4+0x202/0x320 net/netfilter/nftchainfilter.c:23 nfhookentryhookfn include/linux/netfilter.h:154 [inline] nfhookslow+0xc3/0x220 net/netfilter/core.c:626 nfhook+0x2c4/0x450 include/linux/netfilter.h:269 NFHOOKCOND include/linux/netfilter.h:302 [inline] ipoutput+0x185/0x230 net/ipv4/ipoutput.c:433 iplocalout net/ipv4/ipoutput.c:129 [inline] ipsendskb+0x74/0x100 net/ipv4/ipoutput.c:1495 udpsendskb+0xacf/0x1650 net/ipv4/udp.c:981 udpsendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269 socksendmsg_nosec net/socket.c:730 [inline] __sock_sendmsg+0x1a6/0x270 net/socket.c:745 ____sys_sendmsg+0x525/0x7d0 net/socket.c:2597 ___sys_sendmsg net/socket.c:2651 [inline] __sys_sendmmsg+0x3b2/0x740 net/socket.c:2737 __dosyssendmmsg net/socket.c:2766 [inline] __sesyssendmmsg net/socket.c:2763 [inline] _x64syssendmmsg+0xa0/0xb0 net/socket.c:2763 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64afterhwframe+0x77/0x7f RIP: 0033:0x7f4ce4f7def9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIGRAX: 0000000000000133 RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9 RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006 RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68 </TASK>