The vulnerability resides in the `nft_ct` module of the Linux kernel's netfilter subsystem, specifically in the `nft_ct_expect_obj_eval()` function. This function calls `nf_ct_ext_add()` on a confirmed conntrack entry, which is incorrect: `nf_ct_ext_add()` may only be called on unconfirmed conntrack entries (those for which `!nf_ct_is_confirmed()` holds).

When `nf_ct_ext_add()` is called on a confirmed conntrack entry, the kernel emits a warning and a crash dump, as shown in the provided log snippet. The root cause is that a conntrack helper extension is added to an entry that has already been confirmed.

The fix skips rule evaluation if the ct helper extension does not exist on a confirmed entry, and adds the ct helper extension only for unconfirmed conntrack entries. It also removes a check for `IPCT_UNTRACK`, which is already implied by `!ct`.

The vulnerability was introduced in Linux kernel version 5.3 with commit 857b46027d6f and fixed in various subsequent versions, including 5.4.125, 5.10.43, 5.12.10, and 5.13. The affected file is `net/netfilter/nft_ct.c`.
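The following userspace C model is an added example, not kernel code and not the patch itself. It reproduces the ordering invariant the text describes (an extension may only be attached to an unconfirmed entry) with constructed `model_`-prefixed types and functions, and places the pre-fix evaluation path beside the post-fix one so the difference in control flow is visible. In the model, attaching an extension to a confirmed entry is refused and counted rather than warning and dumping a backtrace as the kernel does.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a conntrack entry. Only the two fields the
 * bug turns on are represented: confirmation state and which
 * extensions are attached. All "model_" names are assumptions for
 * this example, not the kernel's identifiers. */
enum model_ext_id { MODEL_EXT_HELPER = 0, MODEL_EXT_MAX };

struct model_conn {
    bool confirmed;             /* entry already inserted into the conntrack table */
    bool ext[MODEL_EXT_MAX];    /* extensions currently attached */
};

/* Counts how often the invariant was violated (the kernel would WARN here). */
static int model_warn_count;

/* Invariant from the text: extensions may only be added to an
 * unconfirmed entry. The model refuses and records the violation. */
static bool model_ct_ext_add(struct model_conn *ct, enum model_ext_id id)
{
    if (ct->confirmed) {
        model_warn_count++;
        return false;
    }
    ct->ext[id] = true;
    return true;
}

enum model_verdict { MODEL_CONTINUE, MODEL_BREAK };

/* Pre-fix shape: tries to attach the helper extension whenever it is
 * missing, without looking at the confirmation state. On a confirmed
 * entry this is exactly the forbidden call. */
static enum model_verdict model_expect_eval_before(struct model_conn *ct)
{
    if (!ct)
        return MODEL_BREAK;
    if (!ct->ext[MODEL_EXT_HELPER] &&
        !model_ct_ext_add(ct, MODEL_EXT_HELPER))
        return MODEL_BREAK;
    return MODEL_CONTINUE;      /* expectation would be registered here */
}

/* Post-fix shape: a confirmed entry with no helper extension skips rule
 * evaluation; the extension is added only while the entry is still
 * unconfirmed. The separate "untracked" test is gone because an
 * untracked packet already yields a NULL ct. */
static enum model_verdict model_expect_eval_after(struct model_conn *ct)
{
    if (!ct)
        return MODEL_BREAK;
    if (!ct->ext[MODEL_EXT_HELPER]) {
        if (ct->confirmed)
            return MODEL_BREAK;             /* skip, never call ext_add */
        model_ct_ext_add(ct, MODEL_EXT_HELPER);
    }
    return MODEL_CONTINUE;
}

int main(void)
{
    struct model_conn confirmed_no_helper = { .confirmed = true };
    struct model_conn fresh = { .confirmed = false };

    model_expect_eval_before(&confirmed_no_helper);
    printf("pre-fix path: %d invariant violation(s)\n", model_warn_count);

    model_warn_count = 0;
    model_expect_eval_after(&confirmed_no_helper);
    model_expect_eval_after(&fresh);
    printf("post-fix path: %d invariant violation(s), helper on fresh entry: %s\n",
           model_warn_count, fresh.ext[MODEL_EXT_HELPER] ? "yes" : "no");
    return 0;
}
```

Compile with `cc -std=c11 model.c && ./a.out`. The point the model makes is that the fix does not make `nf_ct_ext_add()` safe on confirmed entries; it guarantees the call is never reached for them, which is why the check sits before the add rather than inside it.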