{"id":"CVE-2024-42270","summary":"netfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: iptables: Fix null-ptr-deref in iptable_nat_table_init().\n\nWe had a report that iptables-restore sometimes triggered null-ptr-deref\nat boot time. [0]\n\nThe problem is that iptable_nat_table_init() is exposed to user space\nbefore the kernel fully initialises netns.\n\nIn the small race window, a user could call iptable_nat_table_init()\nthat accesses net_generic(net, iptable_nat_net_id), which is available\nonly after registering iptable_nat_net_ops.\n\nLet's call register_pernet_subsys() before xt_register_template().\n\n[0]:\nbpfilter: Loaded bpfilter_umh pid 11702\nStarted bpfilter\nBUG: kernel NULL pointer dereference, address: 0000000000000013\n PF: supervisor write access in kernel mode\n PF: error_code(0x0002) - not-present page\nPGD 0 P4D 0\nPREEMPT SMP NOPTI\nCPU: 2 PID: 11879 Comm: iptables-restor Not tainted 6.1.92-99.174.amzn2023.x86_64 #1\nHardware name: Amazon EC2 c6i.4xlarge/, BIOS 1.0 10/16/2017\nRIP: 0010:iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\nCode: 10 4c 89 f6 48 89 ef e8 0b 19 bb ff 41 89 c4 85 c0 75 38 41 83 c7 01 49 83 c6 28 41 83 ff 04 75 dc 48 8b 44 24 08 48 8b 0c 24 \u003c48\u003e 89 08 4c 89 ef e8 a2 3b a2 cf 48 83 c4 10 44 89 e0 5b 5d 41 5c\nRSP: 0018:ffffbef902843cd0 EFLAGS: 00010246\nRAX: 0000000000000013 RBX: ffff9f4b052caa20 RCX: ffff9f4b20988d80\nRDX: 0000000000000000 RSI: 0000000000000064 RDI: ffffffffc04201c0\nRBP: ffff9f4b29394000 R08: ffff9f4b07f77258 R09: ffff9f4b07f77240\nR10: 0000000000000000 R11: ffff9f4b09635388 R12: 0000000000000000\nR13: ffff9f4b1a3c6c00 R14: ffff9f4b20988e20 R15: 0000000000000004\nFS:  00007f6284340000(0000) GS:ffff9f51fe280000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000000000000013 CR3: 00000001d10a6005 CR4: 00000000007706e0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? show_trace_log_lvl (arch/x86/kernel/dumpstack.c:259)\n ? xt_find_table_lock (net/netfilter/x_tables.c:1259)\n ? __die_body.cold (arch/x86/kernel/dumpstack.c:478 arch/x86/kernel/dumpstack.c:420)\n ? page_fault_oops (arch/x86/mm/fault.c:727)\n ? exc_page_fault (./arch/x86/include/asm/irqflags.h:40 ./arch/x86/include/asm/irqflags.h:75 arch/x86/mm/fault.c:1470 arch/x86/mm/fault.c:1518)\n ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:570)\n ? iptable_nat_table_init (net/ipv4/netfilter/iptable_nat.c:87 net/ipv4/netfilter/iptable_nat.c:121) iptable_nat\n xt_find_table_lock (net/netfilter/x_tables.c:1259)\n xt_request_find_table_lock (net/netfilter/x_tables.c:1287)\n get_info (net/ipv4/netfilter/ip_tables.c:965)\n ? security_capable (security/security.c:809 (discriminator 13))\n ? ns_capable (kernel/capability.c:376 kernel/capability.c:397)\n ? do_ipt_get_ctl (net/ipv4/netfilter/ip_tables.c:1656)\n ? bpfilter_send_req (net/bpfilter/bpfilter_kern.c:52) bpfilter\n nf_getsockopt (net/netfilter/nf_sockopt.c:116)\n ip_getsockopt (net/ipv4/ip_sockglue.c:1827)\n __sys_getsockopt (net/socket.c:2327)\n __x64_sys_getsockopt (net/socket.c:2342 net/socket.c:2339 net/socket.c:2339)\n do_syscall_64 (arch/x86/entry/common.c:51 arch/x86/entry/common.c:81)\n entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:121)\nRIP: 0033:0x7f62844685ee\nCode: 48 8b 0d 45 28 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 37 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 0a c3 66 0f 1f 84 00 00 00 00 00 48 8b 15 09\nRSP: 002b:00007ffd1f83d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000037\nRAX: ffffffffffffffda RBX: 00007ffd1f83d680 RCX: 00007f62844685ee\nRDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000004\nRBP: 0000000000000004 R08: 00007ffd1f83d670 R09: 0000558798ffa2a0\nR10: 00007ffd1f83d680 R11: 0000000000000246 R12: 00007ffd1f83e3b2\nR13: 00007f6284\n---truncated---","modified":"2026-04-02T12:17:54.591150Z","published":"2024-08-17T08:54:25.178Z","related":["MGASA-2024-0309","MGASA-2024-0310","SUSE-SU-2024:3194-1","SUSE-SU-2024:3195-1","SUSE-SU-2024:3383-1","SUSE-SU-2025:20044-1","SUSE-SU-2025:20047-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42270.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/08ed888b69a22647153fe2bec55b7cd0a46102cc"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5830aa863981d43560748aa93589c0695191d95d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/70014b73d7539fcbb6b4ff5f37368d7241d8e626"},{"type":"WEB","url":"https://git.kernel.org/stable/c/95590a4929027769af35b153645c0ab6fd22b29b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b98ddb65fa1674b0e6b52de8af9103b63f51b643"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/42xxx/CVE-2024-42270.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-42270"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"fdacd57c79b79a03c7ca88f706ad9fb7b46831c1"},{"fixed":"b98ddb65fa1674b0e6b52de8af9103b63f51b643"},{"fixed":"95590a4929027769af35b153645c0ab6fd22b29b"},{"fixed":"70014b73d7539fcbb6b4ff5f37368d7241d8e626"},{"fixed":"08ed888b69a22647153fe2bec55b7cd0a46102cc"},{"fixed":"5830aa863981d43560748aa93589c0695191d95d"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-42270.json"}}],"schema_version":"1.7.5"}