Message ID | 20220407141721.362852-2-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | CVE-2022-1015 | expand |
On 07.04.22 16:17, Thadeu Lima de Souza Cascardo wrote: > From: Pablo Neira Ayuso <pablo@netfilter.org> > > Bail out in case userspace uses unsupported registers. > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851) > CVE-2022-1015 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> Thanks > --- > net/netfilter/nf_tables_api.c | 22 +++++++++++++++++----- > 1 file changed, 17 insertions(+), 5 deletions(-) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index 2b2e0210a7f9..3e7f97a70721 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -9208,17 +9208,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) > } > EXPORT_SYMBOL_GPL(nft_parse_u32_check); > > -static unsigned int nft_parse_register(const struct nlattr *attr) > +static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) > { > unsigned int reg; > > reg = ntohl(nla_get_be32(attr)); > switch (reg) { > case NFT_REG_VERDICT...NFT_REG_4: > - return reg * NFT_REG_SIZE / NFT_REG32_SIZE; > + *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; > + break; > + case NFT_REG32_00...NFT_REG32_15: > + *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; > + break; > default: > - return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; > + return -ERANGE; > } > + > + return 0; > } > > /** > @@ -9260,7 +9266,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) > u32 reg; > int err; > > - reg = nft_parse_register(attr); > + err = nft_parse_register(attr, ®); > + if (err < 0) > + return err; > + > err = nft_validate_register_load(reg, len); > if (err < 0) > return err; > @@ -9315,7 +9324,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx, > int err; > u32 reg; > > - reg = nft_parse_register(attr); > + err = nft_parse_register(attr, ®); > + if (err < 0) > + return err; > + > err = nft_validate_register_store(ctx, reg, data, type, len); > if (err < 0) > return err;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2b2e0210a7f9..3e7f97a70721 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -9208,17 +9208,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest) } EXPORT_SYMBOL_GPL(nft_parse_u32_check); -static unsigned int nft_parse_register(const struct nlattr *attr) +static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg) { unsigned int reg; reg = ntohl(nla_get_be32(attr)); switch (reg) { case NFT_REG_VERDICT...NFT_REG_4: - return reg * NFT_REG_SIZE / NFT_REG32_SIZE; + *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE; + break; + case NFT_REG32_00...NFT_REG32_15: + *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; + break; default: - return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00; + return -ERANGE; } + + return 0; } /** @@ -9260,7 +9266,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len) u32 reg; int err; - reg = nft_parse_register(attr); + err = nft_parse_register(attr, ®); + if (err < 0) + return err; + err = nft_validate_register_load(reg, len); if (err < 0) return err; @@ -9315,7 +9324,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx, int err; u32 reg; - reg = nft_parse_register(attr); + err = nft_parse_register(attr, ®); + if (err < 0) + return err; + err = nft_validate_register_store(ctx, reg, data, type, len); if (err < 0) return err;