CVE-2022-49110

Summary

In the Linux kernel, the following vulnerability has been resolved:

netfilter: conntrack: revisit gc autotuning

as of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle") conntrack gc was changed to run every 2 minutes.

On systems where conntrack hash table is set to large value, most evictions happen from gc worker rather than the packet path due to hash table distribution.

This causes netlink event overflows when events are collected.

This change collects average expiry of scanned entries and reschedules to the average remaining value, within 1 to 60 second interval.

To avoid event overflows, reschedule after each bucket and add a limit for both run time and number of evictions per run.

If more entries have to be evicted, reschedule and restart 1 jiffy into the future.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux4608fdfc07e116f9fc0895beb40abad7cdb5ee3d < 58d52743ae85d28c9335c6034d6ce350b8689951affected
LinuxLinux4608fdfc07e116f9fc0895beb40abad7cdb5ee3d < 7cd361d5e6d986c0d4cafb9ceaa803359048ae15affected
LinuxLinux4608fdfc07e116f9fc0895beb40abad7cdb5ee3d < 592e57591826f3d09c28d755a39ea8e9d13705adaffected
LinuxLinux4608fdfc07e116f9fc0895beb40abad7cdb5ee3d < 2cfadb761d3d0219412fd8150faea60c7e863833affected
LinuxLinuxdafc95a1e473a0b857af34ecbb17b8b1c90edd75affected
LinuxLinux5892f910f401c1facfc410e0b042108f2827a77baffected
LinuxLinuxf68ad168e23565ce2a3891fec537cfaf8410d1e6affected
LinuxLinux7aa03980b21fdc7355e20274a68a69a0b2a45c08affected
LinuxLinux4.19.206 < 4.20affected
LinuxLinux5.4.144 < 5.5affected
LinuxLinux5.10.62 < 5.11affected
LinuxLinux5.13.14 < 5.14affected
LinuxLinux5.14affected
LinuxLinux0 < 5.14unaffected
LinuxLinux5.15.34 <= 5.15.*unaffected
LinuxLinux5.16.20 <= 5.16.*unaffected
LinuxLinux5.17.3 <= 5.17.*unaffected
LinuxLinux5.18 <= *unaffected

Weaknesses

References