[SRU][J/N/P][PATCH 0/3] CVE-2025-38678
Ian Whitfield
ian.whitfield at canonical.com
Wed Sep 17 02:50:58 UTC 2025
[Impact]
netfilter: nf_tables: reject duplicate device on updates
A chain/flowtable update with duplicated devices in the same batch is
possible. Unfortunately, netdev event path only removes the first
device that is found, leaving unregistered the hook of the duplicated
device.
Check if a duplicated device exists in the transaction batch, bail out
with EEXIST in such case.
WARNING is hit when unregistering the hook:
[49042.221275] WARNING: CPU: 4 PID: 8425 at net/netfilter/core.c:340 nf_hook_entry_head+0xaa/0x150
[49042.221375] CPU: 4 UID: 0 PID: 8425 Comm: nft Tainted: G S 6.16.0+ #170 PREEMPT(full)
[...]
[49042.221382] RIP: 0010:nf_hook_entry_head+0xaa/0x150
[Backport]
All patches required a context adjustment around two missing commits: 75e20bcdce24
("netfilter: nf_tables: Introduce functions freeing nft_hook objects"), which
added wrapper functions for kfree, and 0741f5559354 ("netfilter: nf_tables: Fix
percpu address space issues in nf_tables_api.c"), which resolves warnings in a
later version of the kernel but introduces no changes to the binary.
Noble and Jammy required a small edit due to missing e169285f8c56 ("netfilter:
nf_tables: do not store nft_ctx in transaction objects"). The edit just replaces
`trans->table` with `trans->ctx.table`.
Jammy only includes one of the two break commits, namely 78d9f48f7f44
("netfilter: nf_tables: add devices to existing flowtable"), so only flowtable
updates needed to be fixed. Chain updates were left as-is for Jammy because the
break commit b9703ed44ffb ("netfilter: nf_tables: support for adding new devices
to an existing netdev chain") is not included.
[Fix]
Plucky: backport
Noble: backport
Jammy: backport
Focal: not affected
Bionic: not affected
Xenial: not affected
Trusty: not affected
[Test Case]
Compile and boot tested.
[Where problems could occur]
This fix affects those who use nftables for network filtering, particularly
with tables in the netdev family. An issue with this fix would be visible to the
user as networking issues or kernel errors occurring after making updates to an
existing flowtable or chain.
Pablo Neira Ayuso (1):
netfilter: nf_tables: reject duplicate device on updates
net/netfilter/nf_tables_api.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
--
2.43.0
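As an added illustration, not part of this submission and not the kernel's code, the following user-space C model reproduces the failure mode described under [Impact] and the check the fix introduces: a chain/flowtable keeps one hook per device, a batch may add several devices, and the netdev event path removes only the first hook matching a departing device. Allowing the same device twice in one batch therefore leaves a stale hook behind; rejecting the batch with -EEXIST when a device is listed twice avoids that. All identifiers here (hook_list_update, hook_list_unregister_dev, the dev0/dev1 names) are the example's own and do not correspond to functions in nf_tables_api.c; how a device that is already hooked is treated is deliberately not modelled, since the cover letter does not describe it.

```c
/* Added example (not kernel code): model of duplicate devices in one
 * chain/flowtable update batch and of the -EEXIST check that rejects them.
 * All names are hypothetical and not those used in nf_tables_api.c. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IFNAMSIZ 16

struct hook {
    char ifname[IFNAMSIZ];
    struct hook *next;
};

struct hook_list {
    struct hook *head;
    size_t count;
};

/* First hook registered for ifname, or NULL. */
static struct hook *hook_list_find(const struct hook_list *list, const char *ifname)
{
    for (struct hook *h = list->head; h; h = h->next)
        if (strcmp(h->ifname, ifname) == 0)
            return h;
    return NULL;
}

/* Append a hook at the tail so batch order is preserved. */
static int hook_list_append(struct hook_list *list, const char *ifname)
{
    struct hook *h = calloc(1, sizeof(*h));
    if (!h)
        return -ENOMEM;
    snprintf(h->ifname, sizeof(h->ifname), "%s", ifname);
    struct hook **pp = &list->head;
    while (*pp)
        pp = &(*pp)->next;
    *pp = h;
    list->count++;
    return 0;
}

/* Model of the netdev event path: as in the bug description, only the
 * first hook matching the departing device is unregistered. */
static bool hook_list_unregister_dev(struct hook_list *list, const char *ifname)
{
    for (struct hook **pp = &list->head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->ifname, ifname) == 0) {
            struct hook *h = *pp;
            *pp = h->next;
            free(h);
            list->count--;
            return true;
        }
    }
    return false;
}

/* Apply a batch that adds n devices. With check_dups the whole batch is
 * rejected with -EEXIST if any device appears twice in it (the fix);
 * without it the duplicates are accepted (pre-fix behaviour). */
static int hook_list_update(struct hook_list *list, const char *const *devs,
                            size_t n, bool check_dups)
{
    if (check_dups)
        for (size_t i = 0; i < n; i++)
            for (size_t j = 0; j < i; j++)
                if (strcmp(devs[i], devs[j]) == 0)
                    return -EEXIST;
    for (size_t i = 0; i < n; i++) {
        int err = hook_list_append(list, devs[i]);
        if (err)
            return err;
    }
    return 0;
}

static void hook_list_free(struct hook_list *list)
{
    for (struct hook *h = list->head, *next; h; h = next) {
        next = h->next;
        free(h);
    }
    list->head = NULL;
    list->count = 0;
}

/* Scenario (constructed input): a list already hooked on "dev0" receives a
 * batch listing "dev1" twice, then "dev1" goes away. Returns the number of
 * "dev1" hooks left behind: 0 is correct, 1 is the stale hook. */
static int stale_hooks_after_unregister(bool check_dups)
{
    struct hook_list list = { 0 };
    const char *const batch[] = { "dev1", "dev1" };
    int stale = 0;

    hook_list_append(&list, "dev0");
    if (hook_list_update(&list, batch, 2, check_dups) == 0)
        hook_list_unregister_dev(&list, "dev1");
    for (struct hook *h = list.head; h; h = h->next)
        if (strcmp(h->ifname, "dev1") == 0)
            stale++;
    hook_list_free(&list);
    return stale;
}

int main(void)
{
    printf("without check: %d stale hook(s)\n", stale_hooks_after_unregister(false));
    printf("with check:    %d stale hook(s)\n", stale_hooks_after_unregister(true));
    return 0;
}
```

Running it prints one stale hook for the unchecked batch and none once the batch is rejected, which is the difference between the WARNING in nf_hook_entry_head quoted above and a clean unregister.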
More information about the kernel-team
mailing list