netfilter NFTables Verdict UAF
CVE-2024-1086
Severity: HIGH (listed in CISA KEV)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
02 KernelScan AI Analysis
Risk summary
This vulnerability allows local attackers with netfilter configuration privileges to escalate to root access by exploiting memory corruption in the kernel's packet filtering subsystem. The vulnerability has been actively exploited and is listed in CISA's Known Exploited Vulnerabilities catalog.
Vulnerability analysis
Summary: A use-after-free vulnerability in netfilter's nf_tables component allows local privilege escalation through malformed verdict parameters.
Root Cause: The nft_verdict_init() function incorrectly allowed positive values as drop error codes within hook verdicts. When NF_DROP is issued with a positive error value that resembles NF_ACCEPT (value 1), the nf_hook_slow() function in core.c assumes the upper 16 bits contain a valid negative errno or 0, leading to improper memory handling and a double-free condition.
Attack Mechanism: An attacker with local access can craft malicious netfilter rules containing NF_DROP verdicts with positive error values. When these rules are processed, the kernel misinterprets the verdict parameters, causing memory corruption that can be exploited for privilege escalation.
Attack Surface: Local attack requiring the ability to configure netfilter rules, typically requiring elevated privileges or specific capabilities like CAP_NET_ADMIN.
Fix Mechanism: The patch reverts commit e0abdadcc6e1 and restricts verdict parameter validation to only accept specific valid verdict codes (NF_ACCEPT, NF_DROP, NF_QUEUE, NFT_CONTINUE, NFT_BREAK, NFT_RETURN) without allowing arbitrary parameters. This prevents the injection of positive values that could be misinterpreted as NF_ACCEPT.
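To make the fix mechanism concrete, the following C program is an added illustration written for this page; it is not kernel code and not part of the KernelScan analysis. It models the two validation policies described above on the verdict encoding used by netfilter (low byte holds the verdict, upper 16 bits hold an error value for NF_DROP): a permissive check that only inspects the masked low byte, beside a strict check that accepts only the six bare verdict codes named in the fix. The constants are the real UAPI values; the helpers `drop_with_err()`, `drop_err_of()`, `verdict_allowed_permissive()` and `verdict_allowed_strict()` are names chosen for this example, and `drop_with_err()`/`drop_err_of()` are assumed models of how the error field is packed and read back, not copies of the kernel macros.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict constants as defined in the kernel's UAPI netfilter headers. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16
#define NFT_CONTINUE     (-1)
#define NFT_BREAK        (-2)
#define NFT_RETURN       (-5)

/* Assumed model of the drop-error encoding: low byte NF_DROP, negated errno
 * in the upper 16 bits. A legitimate errno is negative, so the field holds
 * its positive magnitude. */
static int drop_with_err(int err)
{
    return (int)(((uint32_t)(-err) << NF_VERDICT_QBITS) | NF_DROP);
}

/* Assumed model of what the hook path reads back from the upper 16 bits.
 * Relies on arithmetic right shift of negative ints (GCC/Clang behaviour). */
static int drop_err_of(int verdict)
{
    return -(verdict >> NF_VERDICT_QBITS);
}

/* Pre-fix policy (model): NFT_* codes are matched whole, but NF_ACCEPT,
 * NF_DROP and NF_QUEUE are matched on the masked low byte only, so any
 * payload in the upper 16 bits passes validation unchecked. */
static bool verdict_allowed_permissive(int code)
{
    switch (code) {
    case NFT_CONTINUE:
    case NFT_BREAK:
    case NFT_RETURN:
        return true;
    default:
        switch (code & NF_VERDICT_MASK) {
        case NF_ACCEPT:
        case NF_DROP:
        case NF_QUEUE:
            return true;
        default:
            return false;
        }
    }
}

/* Post-fix policy (model of the behaviour described for the patch): the
 * whole code must equal one of six bare verdicts; no errno or queue number
 * may be attached from userspace. */
static bool verdict_allowed_strict(int code)
{
    switch (code) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
    case NFT_CONTINUE:
    case NFT_BREAK:
    case NFT_RETURN:
        return true;
    default:
        return false;
    }
}

int main(void)
{
    /* Constructed sample verdicts covering normal, legacy and malformed cases. */
    const int samples[] = {
        NF_ACCEPT,
        NF_DROP,
        NFT_CONTINUE,
        drop_with_err(-EPERM), /* well-formed kernel-internal drop error */
        drop_with_err(1),      /* positive "errno": reads back as 1 == NF_ACCEPT */
        7,                     /* not a verdict at all */
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int v = samples[i];
        printf("verdict 0x%08x low=%d", (unsigned)v, v & NF_VERDICT_MASK);
        if ((v & NF_VERDICT_MASK) == NF_DROP)
            printf(" drop_err=%d", drop_err_of(v));
        printf(" permissive=%s strict=%s\n",
               verdict_allowed_permissive(v) ? "accept" : "reject",
               verdict_allowed_strict(v) ? "accept" : "reject");
    }
    return 0;
}
```

The row for `drop_with_err(1)` is the shape the analysis describes: the low byte is NF_DROP, the permissive check passes it, and the value read back from the upper bits equals NF_ACCEPT. The strict check rejects it along with every other verdict that carries data in the upper bits, which is why the patch closes the issue without needing to reason about individual error values.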
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.8 | f342de4e2f33 |