Executive Summary

This vulnerability relates to the Linux kernel's netfilter component, specifically the nft_set_rbtree function which manages sets of intervals.

The issue arises because open intervals (intervals without an explicit end element) are difficult to validate, especially when they appear at the end of a set. The validation process relies on having an end element to check for overlaps.

The vulnerability involves improper validation of overlapping intervals when adding or deleting intervals in nft_set_rbtree. Overlaps can occur when a new interval partially overlaps with an existing one, particularly with open intervals.

The fix introduces a new flag in the temporary nft_set_elem structure to mark the last element in an add or delete command. This flag, combined with the start element cookie, helps detect partial overlaps and prevents incorrect interval insertions or deletions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to incorrect handling of interval sets in the Linux kernel's netfilter subsystem.

Specifically, it may cause the system to accept overlapping intervals that should be rejected or reject valid intervals due to spurious errors.

Such incorrect interval management could potentially affect firewall rules or network filtering behavior, possibly leading to security policy bypass or denial of service conditions.

Useful 0 Not Useful 0