Question of CVE-2024-26809

[Qian-YM]

I have some question about CVE-2024-26809.

To trigger this vulnerability, we should set pipapo-set's dirty as true, and then delete the set. The method of author is in a same netlink, first insert a elem-D and then delete the pipapo_set.

But when the kernel run function nft_commit(), this will first address NFT_MSG_NEWSETELEM, then the dirty will be set false. After that kernel will run nft_pipapo_destroy, this time dirty already is false, how can we trigger the vulnerability?

[koczkatamas]

@conlonialC I think this is your submission. Can you please take a look at the question if you have some time? Thanks! :)

[Qian-YM]

I found that your method does work in the 6.1.79 version of the kernel, but it does not seem to work in the 6.1.0 kernel, because in the 6.1.0 kernel, the pipapo_commit function is called through the nft_pipapo_activate function, which eventually causes dirty to be set to false in advance.