In the Linux kernel, the following vulnerability has been resolved:
netfilter: conntrack: revisit gc autotuning
As of commit 4608fdfc07e1 ("netfilter: conntrack: collect all entries in one cycle"), the conntrack gc worker was changed to run every 2 minutes.
On systems where the conntrack hash table is set to a large value, most evictions happen from the gc worker rather than from the packet path, because of how entries are distributed across the hash table.
Because a single gc run can then evict a very large number of entries at once, this causes netlink event overflows when the resulting expiry events are collected by userspace netlink event listeners.
This change collects the average expiry of the scanned entries and reschedules the worker to the average remaining time, clamped to an interval between 1 and 60 seconds.
To avoid event overflows, the worker reschedules after each bucket, and a limit is added on both the run time and the number of evictions per run.
If more entries still have to be evicted once a limit is hit, the worker reschedules itself and restarts 1 jiffy into the future.
[
{
"id": "CVE-2022-49110-0072e851",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"108402303406129216368549896298811650541",
"59898094552098779964922363587227042847",
"192797744832365493362156343906096827798",
"164906270181912640827308279819238724295",
"269597613959108725468920274936559477261",
"130997230432786140003949671623345666037",
"337935681554305732917823828023996932420",
"115267375510492046934768062625611262103",
"28500328223531746648263088768852049508",
"213148414938692188381520991077646725278",
"1924182767324608251040827037881246584",
"112258837113573647366956873476550892018",
"95483648388560491426852145459356563226",
"261637701971124377530366571024456095962",
"222878722546378736721080761145053661580",
"117117081618034049378390077125508184975",
"171096078371550006223660036492123842689",
"61795138747837352154171211446563080530",
"277326902780426470785326612708453341641",
"274546594287619227432673101257216286544",
"226514381848181601973343005059145251218",
"32604724849182610828458549747583788317",
"221650296556891652333635725567351528898",
"190949179849674896855187548892253405873",
"267830914890109395887517342381889117157",
"132607902822917153944641166210095225799",
"150634418299103937373607179470124771348",
"179288604953344029917463205675119964206",
"237910770501861352372076929434699641907",
"335400663576058593377201684472336505450",
"309646267722005496231381884462264455488",
"86489187698974062637890601155437981790",
"112023148789647146009935552588949279596",
"307835803255542202878438989134144729801",
"89208184373802401721973727151535254975",
"191517888246682229274973512362102343435",
"156126588841831000779023028059141202241",
"170124212601247300487136614289483654968",
"337729381839539413847151923037722463490",
"275278318409407928368894065281291576820",
"284729471326299065028961350216752958366",
"231382133232492249636276042695565505120",
"325115666828603968061358425215197173064",
"201937362939077333612881659716689187519",
"173709387986910731774944096636960450902",
"129693211225805334539580700149154158872",
"276207922107414365755455812758059751216",
"4869462472032427382626212799742013241",
"198970311921473307020275496957420761859",
"51308873576264989928897748995638792950",
"225277951599292520814479210618107720500",
"189928264347697260186195868091064497231",
"173962901557220785850221741972529018797",
"260849928978074280918255683485489969321"
],
"threshold": 0.9
},
"target": {
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@592e57591826f3d09c28d755a39ea8e9d13705ad",
"signature_type": "Line"
},
{
"id": "CVE-2022-49110-0ce08af8",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1406.0,
"function_hash": "61507032626401099797024758779304197545"
},
"target": {
"function": "gc_worker",
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7cd361d5e6d986c0d4cafb9ceaa803359048ae15",
"signature_type": "Function"
},
{
"id": "CVE-2022-49110-6b2f3d0e",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"108402303406129216368549896298811650541",
"59898094552098779964922363587227042847",
"192797744832365493362156343906096827798",
"164906270181912640827308279819238724295",
"269597613959108725468920274936559477261",
"130997230432786140003949671623345666037",
"337935681554305732917823828023996932420",
"115267375510492046934768062625611262103",
"28500328223531746648263088768852049508",
"213148414938692188381520991077646725278",
"1924182767324608251040827037881246584",
"112258837113573647366956873476550892018",
"95483648388560491426852145459356563226",
"261637701971124377530366571024456095962",
"222878722546378736721080761145053661580",
"117117081618034049378390077125508184975",
"171096078371550006223660036492123842689",
"61795138747837352154171211446563080530",
"277326902780426470785326612708453341641",
"274546594287619227432673101257216286544",
"226514381848181601973343005059145251218",
"32604724849182610828458549747583788317",
"221650296556891652333635725567351528898",
"190949179849674896855187548892253405873",
"267830914890109395887517342381889117157",
"132607902822917153944641166210095225799",
"150634418299103937373607179470124771348",
"179288604953344029917463205675119964206",
"237910770501861352372076929434699641907",
"335400663576058593377201684472336505450",
"309646267722005496231381884462264455488",
"86489187698974062637890601155437981790",
"112023148789647146009935552588949279596",
"307835803255542202878438989134144729801",
"89208184373802401721973727151535254975",
"191517888246682229274973512362102343435",
"156126588841831000779023028059141202241",
"170124212601247300487136614289483654968",
"337729381839539413847151923037722463490",
"275278318409407928368894065281291576820",
"284729471326299065028961350216752958366",
"231382133232492249636276042695565505120",
"325115666828603968061358425215197173064",
"201937362939077333612881659716689187519",
"173709387986910731774944096636960450902",
"129693211225805334539580700149154158872",
"276207922107414365755455812758059751216",
"4869462472032427382626212799742013241",
"198970311921473307020275496957420761859",
"51308873576264989928897748995638792950",
"225277951599292520814479210618107720500",
"189928264347697260186195868091064497231",
"173962901557220785850221741972529018797",
"260849928978074280918255683485489969321"
],
"threshold": 0.9
},
"target": {
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7cd361d5e6d986c0d4cafb9ceaa803359048ae15",
"signature_type": "Line"
},
{
"id": "CVE-2022-49110-746aae4d",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"108402303406129216368549896298811650541",
"59898094552098779964922363587227042847",
"192797744832365493362156343906096827798",
"164906270181912640827308279819238724295",
"269597613959108725468920274936559477261",
"130997230432786140003949671623345666037",
"337935681554305732917823828023996932420",
"115267375510492046934768062625611262103",
"28500328223531746648263088768852049508",
"213148414938692188381520991077646725278",
"1924182767324608251040827037881246584",
"112258837113573647366956873476550892018",
"95483648388560491426852145459356563226",
"261637701971124377530366571024456095962",
"222878722546378736721080761145053661580",
"117117081618034049378390077125508184975",
"171096078371550006223660036492123842689",
"61795138747837352154171211446563080530",
"277326902780426470785326612708453341641",
"274546594287619227432673101257216286544",
"226514381848181601973343005059145251218",
"32604724849182610828458549747583788317",
"221650296556891652333635725567351528898",
"190949179849674896855187548892253405873",
"267830914890109395887517342381889117157",
"132607902822917153944641166210095225799",
"150634418299103937373607179470124771348",
"179288604953344029917463205675119964206",
"237910770501861352372076929434699641907",
"335400663576058593377201684472336505450",
"309646267722005496231381884462264455488",
"86489187698974062637890601155437981790",
"112023148789647146009935552588949279596",
"307835803255542202878438989134144729801",
"89208184373802401721973727151535254975",
"191517888246682229274973512362102343435",
"156126588841831000779023028059141202241",
"170124212601247300487136614289483654968",
"337729381839539413847151923037722463490",
"275278318409407928368894065281291576820",
"284729471326299065028961350216752958366",
"231382133232492249636276042695565505120",
"325115666828603968061358425215197173064",
"201937362939077333612881659716689187519",
"173709387986910731774944096636960450902",
"129693211225805334539580700149154158872",
"276207922107414365755455812758059751216",
"4869462472032427382626212799742013241",
"198970311921473307020275496957420761859",
"51308873576264989928897748995638792950",
"225277951599292520814479210618107720500",
"189928264347697260186195868091064497231",
"173962901557220785850221741972529018797",
"260849928978074280918255683485489969321"
],
"threshold": 0.9
},
"target": {
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2cfadb761d3d0219412fd8150faea60c7e863833",
"signature_type": "Line"
},
{
"id": "CVE-2022-49110-7d3076e2",
"deprecated": false,
"signature_version": "v1",
"digest": {
"line_hashes": [
"108402303406129216368549896298811650541",
"59898094552098779964922363587227042847",
"192797744832365493362156343906096827798",
"164906270181912640827308279819238724295",
"269597613959108725468920274936559477261",
"130997230432786140003949671623345666037",
"337935681554305732917823828023996932420",
"115267375510492046934768062625611262103",
"28500328223531746648263088768852049508",
"213148414938692188381520991077646725278",
"1924182767324608251040827037881246584",
"112258837113573647366956873476550892018",
"95483648388560491426852145459356563226",
"261637701971124377530366571024456095962",
"222878722546378736721080761145053661580",
"117117081618034049378390077125508184975",
"171096078371550006223660036492123842689",
"61795138747837352154171211446563080530",
"277326902780426470785326612708453341641",
"274546594287619227432673101257216286544",
"226514381848181601973343005059145251218",
"32604724849182610828458549747583788317",
"221650296556891652333635725567351528898",
"190949179849674896855187548892253405873",
"267830914890109395887517342381889117157",
"132607902822917153944641166210095225799",
"150634418299103937373607179470124771348",
"179288604953344029917463205675119964206",
"237910770501861352372076929434699641907",
"335400663576058593377201684472336505450",
"309646267722005496231381884462264455488",
"86489187698974062637890601155437981790",
"112023148789647146009935552588949279596",
"307835803255542202878438989134144729801",
"89208184373802401721973727151535254975",
"191517888246682229274973512362102343435",
"156126588841831000779023028059141202241",
"170124212601247300487136614289483654968",
"337729381839539413847151923037722463490",
"275278318409407928368894065281291576820",
"284729471326299065028961350216752958366",
"231382133232492249636276042695565505120",
"325115666828603968061358425215197173064",
"201937362939077333612881659716689187519",
"173709387986910731774944096636960450902",
"129693211225805334539580700149154158872",
"276207922107414365755455812758059751216",
"4869462472032427382626212799742013241",
"198970311921473307020275496957420761859",
"51308873576264989928897748995638792950",
"225277951599292520814479210618107720500",
"189928264347697260186195868091064497231",
"173962901557220785850221741972529018797",
"260849928978074280918255683485489969321"
],
"threshold": 0.9
},
"target": {
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58d52743ae85d28c9335c6034d6ce350b8689951",
"signature_type": "Line"
},
{
"id": "CVE-2022-49110-82b95ac6",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1406.0,
"function_hash": "61507032626401099797024758779304197545"
},
"target": {
"function": "gc_worker",
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@58d52743ae85d28c9335c6034d6ce350b8689951",
"signature_type": "Function"
},
{
"id": "CVE-2022-49110-c366bba4",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1406.0,
"function_hash": "61507032626401099797024758779304197545"
},
"target": {
"function": "gc_worker",
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@2cfadb761d3d0219412fd8150faea60c7e863833",
"signature_type": "Function"
},
{
"id": "CVE-2022-49110-f6e92579",
"deprecated": false,
"signature_version": "v1",
"digest": {
"length": 1406.0,
"function_hash": "61507032626401099797024758779304197545"
},
"target": {
"function": "gc_worker",
"file": "net/netfilter/nf_conntrack_core.c"
},
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@592e57591826f3d09c28d755a39ea8e9d13705ad",
"signature_type": "Function"
}
]