CVE-2024-26910: netfilter: ipset: fix performance regression in swap operation

* CVE-2024-26910: netfilter: ipset: fix performance regression in swap operation
@ 2024-04-17 15:59 Greg Kroah-Hartman
  0 siblings, 0 replies; only message in thread
From: Greg Kroah-Hartman @ 2024-04-17 15:59 UTC (permalink / raw)
  To: linux-cve-announce; +Cc: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

netfilter: ipset: fix performance regression in swap operation

The patch "netfilter: ipset: fix race condition between swap/destroy
and kernel side add/del/test", commit 28628fa9 fixes a race condition.
But the synchronize_rcu() added to the swap function unnecessarily slows
it down: it can safely be moved to destroy and use call_rcu() instead.

Eric Dumazet pointed out that simply calling the destroy functions as
rcu callback does not work: sets with timeout use garbage collectors
which need cancelling at destroy which can wait. Therefore the destroy
functions are split into two: cancelling garbage collectors safely at
executing the command received by netlink and moving the remaining
part only into the rcu callback.

The Linux kernel CVE team has assigned CVE-2024-26910 to this issue.

Affected and fixed versions
===========================

	Issue introduced in 5.4.264 with commit 427deb5ba566 and fixed in 5.4.269 with commit c7f2733e5011
	Issue introduced in 5.10.204 with commit e7152a138a5a and fixed in 5.10.210 with commit a24d5f2ac8ef
	Issue introduced in 5.15.143 with commit 8bb930c3a1ea and fixed in 5.15.149 with commit c2dc077d8f72
	Issue introduced in 6.1.68 with commit 875ee3a09e27 and fixed in 6.1.79 with commit 653bc5e6d999
	Issue introduced in 6.6.7 with commit 23c31036f862 and fixed in 6.6.18 with commit b93a6756a01f
	Issue introduced in 6.7 with commit 28628fa952fe and fixed in 6.7.6 with commit 970709a67696
	Issue introduced in 6.7 with commit 28628fa952fe and fixed in 6.8 with commit 97f7cf1cd80e
	Issue introduced in 4.19.302 with commit a12606e5ad0c

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26910
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
	include/linux/netfilter/ipset/ip_set.h
	net/netfilter/ipset/ip_set_bitmap_gen.h
	net/netfilter/ipset/ip_set_core.c
	net/netfilter/ipset/ip_set_hash_gen.h
	net/netfilter/ipset/ip_set_list_set.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/c7f2733e5011bfd136f1ca93497394d43aa76225
	https://git.kernel.org/stable/c/a24d5f2ac8ef702a58e55ec276aad29b4bd97e05
	https://git.kernel.org/stable/c/c2dc077d8f722a1c73a24e674f925602ee5ece49
	https://git.kernel.org/stable/c/653bc5e6d9995d7d5f497c665b321875a626161c
	https://git.kernel.org/stable/c/b93a6756a01f4fd2f329a39216f9824c56a66397
	https://git.kernel.org/stable/c/970709a67696b100a57b33af1a3d75fc34b747eb
	https://git.kernel.org/stable/c/97f7cf1cd80eeed3b7c808b7c12463295c751001

^ permalink raw reply	[flat|nested] only message in thread