KernelScan.io

HIGH

netfilter Catchall Element UAF

CVE-2023-6111

CVSS 7.8 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 7.8 HIGH


A use-after-free vulnerability in the Linux kernel's netfilter nf_tables component can be exploited to achieve local privilege escalation. The function nft_trans_gc_catchall did not remove the catchall set element from the catchall_list when the argument sync is true, making it possible to free a catchall set element multiple times. We recommend upgrading past commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630.


Engine v0.2.0

Risk summary

This vulnerability allows local attackers with netfilter configuration privileges to corrupt kernel memory through double-free operations, potentially leading to privilege escalation. The impact is high as it affects core networking security infrastructure, but exploitation requires local access and elevated privileges.

Affected: net/netfilter/nf_tables_api.c

Vulnerability analysis

Summary: A use-after-free vulnerability in netfilter's nf_tables component where catchall set elements could be freed multiple times due to improper cleanup in the garbage collection sync path.

Root Cause: The nft_trans_gc_catchall function failed to remove expired catchall set elements from the catchall_list when operating in sync mode (sync=true). This meant that the same catchall element could be processed multiple times during garbage collection, leading to multiple free operations on the same memory.

Attack Mechanism: An attacker with local access and sufficient privileges to manipulate netfilter rules could trigger the garbage collection of catchall elements in a way that causes the same element to be freed multiple times, corrupting kernel memory and potentially achieving privilege escalation.

Fix Mechanism: The patch fixes the issue by ensuring that in sync mode, expired catchall elements are properly deactivated and removed from the catchall_list before being queued for garbage collection. It introduces proper cleanup by calling nft_setelem_data_deactivate() and nft_setelem_catchall_destroy() (which removes the element from the list) before adding the element to the GC queue, so a later GC pass cannot encounter the same element again.
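The root cause and fix above, as an added illustration that is not kernel code or part of this advisory: a constructed model of the sync GC pass over a catchall list, with the buggy variant (expired element queued but left on the list) beside the fixed variant (deactivated and unlinked before queueing). Frees are counted rather than performed so the double-free is observable; all names and structures are assumptions for the model.

```c
/* Constructed model of the CVE-2023-6111 GC sync path (not kernel code).
 * A catchall element lives on the set's catchall_list; the sync GC pass
 * queues expired elements for release. The buggy pass never unlinks the
 * element, so a second pass finds it again and queues a second free. */
#include <stddef.h>

struct catchall_elem {
    struct catchall_elem *next; /* singly linked stand-in for catchall_list */
    int expired;                /* stands in for nft_set_elem_expired() */
    int active;                 /* stands in for the element's active flag */
    int free_count;             /* how many times the GC queued a free */
};

struct set { struct catchall_elem *catchall_list; };

/* Queue one element for release; counts instead of calling free() so a
 * double queue shows up as a number rather than a crash. */
static void gc_queue_free(struct catchall_elem *e) { e->free_count++; }

/* Vulnerable behaviour: the expired element is queued but stays listed. */
static void gc_catchall_sync_buggy(struct set *s)
{
    for (struct catchall_elem *e = s->catchall_list; e; e = e->next)
        if (e->expired)
            gc_queue_free(e);
}

/* Fixed behaviour: deactivate and unlink before queueing, so a later
 * pass cannot see the element again. */
static void gc_catchall_sync_fixed(struct set *s)
{
    struct catchall_elem **pp = &s->catchall_list;
    while (*pp) {
        struct catchall_elem *e = *pp;
        if (!e->expired) { pp = &e->next; continue; }
        e->active = 0;      /* models nft_setelem_data_deactivate() */
        *pp = e->next;      /* models nft_setelem_catchall_destroy() unlink */
        e->next = NULL;
        gc_queue_free(e);
    }
}

/* Run two GC passes over a list with one expired and one live element and
 * return how many times the expired element was queued for freeing. */
int frees_after_two_passes(int use_fix)
{
    struct catchall_elem live  = { NULL, 0, 1, 0 };   /* constructed */
    struct catchall_elem stale = { &live, 1, 1, 0 };  /* constructed, expired */
    struct set s = { &stale };
    for (int i = 0; i < 2; i++) {
        if (use_fix) gc_catchall_sync_fixed(&s);
        else         gc_catchall_sync_buggy(&s);
    }
    return stale.free_count;
}
```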


Branch     Fixed in   Patch commit
mainline   6.7        93995bf4af2c