From patchwork Fri Jun 28 16:38:17 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1954066
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 1/2] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
Date: Fri, 28 Jun 2024 11:38:17 -0500
Message-Id: <20240628163818.18631-2-bethany.jamison@canonical.com>
In-Reply-To: <20240628163818.18631-1-bethany.jamison@canonical.com>
References: <20240628163818.18631-1-bethany.jamison@canonical.com>

From: Pablo Neira Ayuso

Bail out on using the tunnel dst template from other than netdev family.

Add the infrastructure to check for the family in objects.

Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support")
Signed-off-by: Pablo Neira Ayuso
(backported from commit 776d451648443f9884be4a1b4e38e8faf1c621f9)
[bjamison: context conflict from neighboring line, added fix as is]
CVE-2024-27019
Signed-off-by: Bethany Jamison
---
 include/net/netfilter/nf_tables.h | 2 ++
 net/netfilter/nf_tables_api.c | 14 +++++++++-----
 net/netfilter/nft_tunnel.c | 1 +
 3 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index b746a77087bd4..e13ad037ae1b3 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1098,6 +1098,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table, * @type: stateful object numeric type * @owner: module owner * @maxattr: maximum netlink attribute + * @family: address family for AF-specific object types * @policy: netlink attribute policy */ struct nft_object_type { @@ -1107,6 +1108,7 @@ struct nft_object_type { struct list_head list; u32 type; unsigned int maxattr; + u8 family; struct module *owner; const struct nla_policy *policy; };
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index e8f8db57939f5..6db4257b6e3e7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5465,11 +5465,15 @@ static int nft_object_dump(struct sk_buff *skb, unsigned int attr, return -1; } -static const struct nft_object_type *__nft_obj_type_get(u32 objtype) +static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) { const struct nft_object_type *type; list_for_each_entry(type, &nf_tables_objects, list) { + if (type->family != NFPROTO_UNSPEC && + type->family != family) + continue; + if (objtype == type->type) return type; } @@ -5477,11 +5481,11 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype) } static const struct nft_object_type * -nft_obj_type_get(struct net *net, u32 objtype) +nft_obj_type_get(struct net *net, u32 objtype, u8 family) { const struct nft_object_type *type; - type = __nft_obj_type_get(objtype); + type = __nft_obj_type_get(objtype, family); if (type != NULL && try_module_get(type->owner)) return type; @@ -5574,7 +5578,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, if (nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; - type = __nft_obj_type_get(objtype); + type = __nft_obj_type_get(objtype, family); nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); @@ -5585,7 +5589,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, if (!nft_use_inc(&table->use)) return -EMFILE; - type = nft_obj_type_get(net, objtype); + type = nft_obj_type_get(net, objtype, family); if (IS_ERR(type)) { err = PTR_ERR(type); goto err_type; diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index b2070f9f98ffa..5059dfd68ffe4 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c 
@@ -573,6 +573,7 @@ static const struct nft_object_ops nft_tunnel_obj_ops = { static struct nft_object_type nft_tunnel_obj_type __read_mostly = { .type = NFT_OBJECT_TUNNEL, + .family = NFPROTO_NETDEV, .ops = &nft_tunnel_obj_ops, .maxattr = NFTA_TUNNEL_KEY_MAX, .policy = nft_tunnel_key_policy,
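Review bot: the new @family kerneldoc in the first nf_tables.h hunk does not say what an unset field means, while the lookup in nf_tables_api.c treats NFPROTO_UNSPEC as "any family". Suggest making that explicit, e.g. `* @family: address family for AF-specific object types (NFPROTO_UNSPEC matches any family)`, so that authors of future AF-specific object types know the field must be set deliberately.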
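Review bot: the `u8 family` member added to struct nft_object_type in the second nf_tables.h hunk relies on zero-initialisation of the static object type definitions: NFPROTO_UNSPEC is 0, so every object type that does not set .family keeps the wildcard behaviour and nothing else in the tree needs touching. That is correct, but it is worth a sentence in the commit message (or a comment next to the field) because it is the only reason the other object types are not listed in the diffstat.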
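Review bot: the family check in __nft_obj_type_get is the actual fix: an object type registered for one family is now skipped with `continue` when a table of another family asks for its objtype, so the request falls through to the not-found path instead of binding family-specific ops to a table of the wrong family. Two details for the backport: the check runs before the `objtype == type->type` comparison, so it is evaluated for every AF-specific entry on the list regardless of objtype (harmless, and it matches upstream); and a family mismatch is indistinguishable from an unknown object type for the caller, which is acceptable for a CVE fix but could be stated in the commit message.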
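Review bot: nft_obj_type_get only threads family through to __nft_obj_type_get, but whatever the rest of that function does on a NULL result (not visible in this hunk) now also runs for the "type is loaded but registered for a different family" case, not just "type not loaded". Confirm in the Focal tree that this path does not, for example, repeatedly request a module that is already present when a tunnel object is requested from a non-netdev table.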
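Review bot: in the object-creation hunk of nf_tables_newobj, nft_use_inc(&table->use) is taken before nft_obj_type_get(net, objtype, family), so the new family-mismatch failure exits through the existing `goto err_type`. Please confirm that the err_type label in the Focal tree (outside this hunk) undoes the nft_use_inc, since this error path can now be hit by ordinary userspace input rather than only by a missing module.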
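Review bot: setting `.family = NFPROTO_NETDEV` on nft_tunnel_obj_type means a tunnel object can now only be created in a netdev-family table; that is the intended behaviour per the commit message, but it is a visible userspace change for an SRU, so the cover letter or bug should note that a ruleset which defined tunnel objects in any non-netdev table will fail to load after the update. The regression-test section should include loading a tunnel object in a netdev table (expected to succeed) and in another family (expected to be rejected).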