From patchwork Sat Sep 16 00:48:16 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1835309
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0] netfilter: nf_tables: do not set up extensions for end interval
Date: Sat, 16 Sep 2023 03:48:16 +0300
Message-Id: <20230916004839.706452-7-cengiz.can@canonical.com>
In-Reply-To: <20230916004839.706452-1-cengiz.can@canonical.com>
References: <20230916004839.706452-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Pablo Neira Ayuso

Elements with an end interval flag set on do not store extensions. The global set definition is currently setting on the timeout and stateful expression for end interval elements. This leads to skipping end interval elements from the set->ops->walk() path as the expired check bogusly reports true.

Moreover, do not set up stateful expressions for elements with end interval flag set on since this is never used.

Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition")
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 33c7aba0b4ffd6d7cdab862a034eb582a5120a38)
CVE-2023-4244
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can
---
 net/netfilter/nf_tables_api.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0a858ca7a7c4..a0f58e1f9308 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6114,7 +6114,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, &timeout); if (err) return err; - } else if (set->flags & NFT_SET_TIMEOUT) { + } else if (set->flags & NFT_SET_TIMEOUT && + !(flags & NFT_SET_ELEM_INTERVAL_END)) { timeout = set->timeout; } @@ -6180,7 +6181,8 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, err = -EOPNOTSUPP; goto err_set_elem_expr; } - } else if (set->num_exprs > 0) { + } else if (set->num_exprs > 0 && + !(flags & NFT_SET_ELEM_INTERVAL_END)) { err = nft_set_elem_expr_clone(ctx, set, expr_array); if (err < 0) goto err_set_elem_expr_clone;
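Review bot: In the first hunk (the timeout branch at line 6114) only the set-default path is guarded; the preceding branch that parses an explicit per-element timeout into `&timeout` (`if (err) return err;`) still runs for elements with `NFT_SET_ELEM_INTERVAL_END`, so an end-interval element that carries its own timeout attribute would still get a timeout even though the commit message says such elements store no extensions and the expired check then wrongly hides them from `set->ops->walk()`. Either reject or ignore an explicit timeout when `flags & NFT_SET_ELEM_INTERVAL_END` is set, or state in the commit message why that path is acceptable. Minor style point: `set->flags & NFT_SET_TIMEOUT && !(flags & NFT_SET_ELEM_INTERVAL_END)` relies on `&` binding tighter than `&&`; wrapping the first operand as `(set->flags & NFT_SET_TIMEOUT)` would make the intent obvious to the next reader.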
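Review bot: In the second hunk (the stateful-expression branch at line 6181) the same asymmetry appears: cloning the set's expressions via `nft_set_elem_expr_clone()` is now skipped for `NFT_SET_ELEM_INTERVAL_END` elements, but the branch above it that handles element-supplied expressions (ending in `err = -EOPNOTSUPP; goto err_set_elem_expr;`) is not guarded, so an end-interval element that supplies its own expressions is still processed. Consider guarding that branch the same way, and add a one-line comment above the new condition saying that end-interval elements carry no extensions, since the reason for the skip is otherwise only in the commit message; the expression `set->num_exprs > 0 && !(flags & NFT_SET_ELEM_INTERVAL_END)` would also read more clearly with the first operand parenthesised, matching the first hunk.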