From patchwork Fri Mar 17 19:14:06 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1758357
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal-OEM-5.14/Jammy-OEM-5.17][PATCH 1/1] netfilter: nf_tables: fix null deref due to zeroed list head
Date: Fri, 17 Mar 2023 15:14:06 -0400
Message-Id: <20230317191406.39155-2-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230317191406.39155-1-yuxuan.luo@canonical.com>
References: <20230317191406.39155-1-yuxuan.luo@canonical.com>

From: Florian Westphal

In nf_tables_updtable, if nf_tables_table_enable returns an error,
nft_trans_destroy is called to free the transaction object.

nft_trans_destroy() calls list_del(), but the transaction was never placed
on a list -- the list head is all zeroes; this results in a null dereference:

BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
Call Trace:
 nft_trans_destroy+0x26/0x59
 nf_tables_newtable+0x4bc/0x9bc
 [..]

It's sane to assume that nft_trans_destroy() can be called on the
transaction object returned by nft_trans_alloc(), so make sure the list
head is initialised.

Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
Reported-by: mingi cho
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 580077855a40741cf511766129702d97ff02f4d9)
CVE-2023-1095
Signed-off-by: Yuxuan Luo
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 4faffdd81d2dd..c2ccccc69a601 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -116,6 +116,7 @@ static struct nft_trans *nft_trans_alloc(struct nft_ctx *ctx, int msg_type, if (trans == NULL) return NULL; + INIT_LIST_HEAD(&trans->list); trans->msg_type = msg_type; trans->ctx = *ctx;
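Review bot: the INIT_LIST_HEAD(&trans->list) line is correctly placed after the `if (trans == NULL) return NULL;` check in nft_trans_alloc(), so it never touches a failed allocation, and a self-linked head turns the list_del() inside nft_trans_destroy() into a harmless rewrite of the node's own pointers on a transaction that was never added to a list, which is exactly the nf_tables_updtable error path the commit message describes. One point to consider: the crash is fixed at the allocator, but nft_trans_destroy() still calls list_del() unconditionally on whatever state the head is in; a list_empty() check there, or freeing the object in the updtable error path without going through list_del(), would make the "never linked" case explicit instead of relying on every allocator initialising the head. For the SRU, the hunk is a single added line with no dependency on other changes visible here, and the stat block ("1 file changed, 1 insertion(+)") matches it.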
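As an added illustration (not part of the patch or of the kernel source), the following user-space model of the kernel's list helpers shows why list_del() on a zero-filled, never-linked transaction writes through NULL, and why the self-linked head that INIT_LIST_HEAD() produces makes the same call a no-op; the `model_*` names and `list_del_model` are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Minimal user-space model of the kernel's intrusive list (not kernel code). */
struct list_head { struct list_head *next, *prev; };

static inline void INIT_LIST_HEAD(struct list_head *l) { l->next = l; l->prev = l; }

/* Kernel list_del() unlinks by writing through prev and next (pointer poisoning
 * omitted); on a zeroed head both are NULL, which is the null-ptr-deref KASAN
 * reported in nft_trans_destroy(). */
static inline void list_del_model(struct list_head *l) {
    l->next->prev = l->prev;
    l->prev->next = l->next;
}

/* Stand-in for struct nft_trans: only the list head and the message type. */
struct model_trans { struct list_head list; int msg_type; };

/* Before the fix: a zeroing allocator leaves trans->list as {NULL, NULL}. */
struct model_trans *model_alloc_unfixed(int msg_type) {
    struct model_trans *t = calloc(1, sizeof *t);
    if (t == NULL) return NULL;
    t->msg_type = msg_type;
    return t;
}

/* After the fix: the head points at itself, so list_del() on an unlinked
 * transaction just rewrites the node's own pointers. */
struct model_trans *model_alloc_fixed(int msg_type) {
    struct model_trans *t = model_alloc_unfixed(msg_type);
    if (t != NULL) INIT_LIST_HEAD(&t->list);
    return t;
}

/* Guard the destroy path the way a debug check would: report, instead of
 * faulting, when the head was never initialised. Returns true when
 * list_del() could run safely; the object is freed either way. */
bool model_destroy(struct model_trans *t) {
    bool safe = t->list.next != NULL && t->list.prev != NULL;
    if (safe) list_del_model(&t->list);   /* no-op for a self-linked head */
    free(t);
    return safe;
}

int main(void) {
    bool unfixed_ok = model_destroy(model_alloc_unfixed(1)); /* 1: constructed msg_type */
    bool fixed_ok = model_destroy(model_alloc_fixed(1));
    return (!unfixed_ok && fixed_ok) ? 0 : 1;
}
```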