From patchwork Mon Jul 3 22:20:57 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1802976
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/K/L][PATCH 1/1] netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
Date: Mon, 3 Jul 2023 18:20:57 -0400
Message-Id: <20230703222057.88362-3-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230703222057.88362-1-yuxuan.luo@canonical.com>
References: <20230703222057.88362-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
From: Pablo Neira Ayuso

In case of error when adding a new rule that refers to an anonymous set, deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. Thus, the lookup expression marks anonymous sets as inactive in the next generation to ensure it is not reachable in this transaction anymore and decrements the set refcount as introduced by c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase"). The abort step takes care of undoing the anonymous set. This is also consistent with rule deletion, where NFT_TRANS_PREPARE is used.

Note that this error path is exercised in the preparation step of the commit protocol. This patch replaces nf_tables_rule_release() by the deactivate and destroy calls, this time with NFT_TRANS_PREPARE.

Due to this incorrect error handling, it is possible to access a dangling pointer to the anonymous set that remains in the transaction list.

[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
[1009.379128] Call Trace:
[1009.379132]
[1009.379135] dump_stack_lvl+0x33/0x50
[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379191] print_address_description.constprop.0+0x27/0x300
[1009.379201] kasan_report+0x107/0x120
[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables]
[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables]
[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
[1009.379441] ? kasan_unpoison+0x23/0x50
[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
[1009.379485] ? __alloc_skb+0xb8/0x1e0
[1009.379493] ? __alloc_skb+0xb8/0x1e0
[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[1009.379509] ? unwind_get_return_address+0x2a/0x40
[1009.379517] ? write_profile+0xc0/0xc0
[1009.379524] ? avc_lookup+0x8f/0xc0
[1009.379532] ? __rcu_read_unlock+0x43/0x60

Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 1240eb93f0616b21c675416516ff3d74798fdc97)
CVE-2023-3390
Signed-off-by: Yuxuan Luo
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7237162fbcc36..2412ceaff6c4e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3717,7 +3717,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info,
 	if (flow)
 		nft_flow_rule_destroy(flow);
 err_release_rule:
-	nf_tables_rule_release(&ctx, rule);
+	nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
+	nf_tables_rule_destroy(&ctx, rule);
 err_release_expr:
 	for (i = 0; i < n; i++) {
 		if (expr_info[i].ops) {
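Review bot: the replacement at err_release_rule only closes the use-after-free if `nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);` actually makes the lookup expression mark the anonymous set inactive and drop its refcount, which the commit message attributes to c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase"); for a J/K/L SRU the cover letter should state that that prerequisite is already present in each target series, since without it the set stays referenced from the transaction list exactly as before. It would also help to note that nf_tables_rule_destroy() on these trees does not deactivate expressions a second time now that it is called directly after the explicit deactivate (a double deactivate would underflow the set refcount on this same path), so the reviewer does not have to re-derive that from the tree.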