From patchwork Wed Jul 6 15:24:53 2022
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1653045
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy][PATCH 1/1] netfilter: nf_tables: stricter validation of element data
Date: Wed, 6 Jul 2022 18:24:53 +0300
Message-Id: <20220706152451.179947-3-cengiz.can@canonical.com>
In-Reply-To: <20220706152451.179947-1-cengiz.can@canonical.com>
References: <20220706152451.179947-1-cengiz.can@canonical.com>

From: Pablo Neira Ayuso

Make sure element data type and length do not mismatch the one specified by the set declaration.

Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
Reported-by: Hugues ANGUELKOV
Signed-off-by: Pablo Neira Ayuso
CVE-2022-34918
(cherry picked from commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 net.git)
Signed-off-by: Cengiz Can
--- net/netfilter/nf_tables_api.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index ee4edebe6124f..1ae959d6da48b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -5103,13 +5103,20 @@ static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set, struct nft_data *data, struct nlattr *attr) { + u32 dtype; int err; err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr); if (err < 0) return err; - if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) { + if (set->dtype == NFT_DATA_VERDICT) + dtype = NFT_DATA_VERDICT; + else + dtype = NFT_DATA_VALUE; + + if (dtype != desc->type || + set->dlen != desc->len) { nft_data_release(data, desc->type); return -EINVAL; }
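Review bot: the rewritten condition in nft_setelem_parse_data() now applies the set->dlen != desc->len comparison to verdict data too, where the removed line skipped it through "desc->type != NFT_DATA_VERDICT &&", and neither the hunk nor the commit message says that set->dlen always equals the length nft_data_init() reports for a verdict. Please state that invariant in the commit message, since otherwise verdict-map elements that were accepted before would start returning -EINVAL. A one-line comment above the "if (set->dtype == NFT_DATA_VERDICT)" mapping would also help: it is not obvious from these lines why every non-verdict set->dtype is collapsed to NFT_DATA_VALUE before being compared with desc->type. The check still runs only after nft_data_init() has filled data using NFT_DATA_VALUE_MAXLEN, so it rejects a mismatched element after the copy rather than bounding the copy by set->dlen; if that ordering is intentional, the commit message should say so, given that this is the fix for CVE-2022-34918.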