From patchwork Thu Aug 3 18:37:33 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1816638
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy-OEM-5.17/OEM-6.0][PATCH 1/1] netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
Date: Thu, 3 Aug 2023 14:37:33 -0400
Message-Id: <20230803183733.23835-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230803183733.23835-1-yuxuan.luo@canonical.com>
References: <20230803183733.23835-1-yuxuan.luo@canonical.com>
List-Id: Kernel team discussions
From: Pablo Neira Ayuso

In case of error when adding a new rule that refers to an anonymous set,
deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE.
Thus, the lookup expression marks anonymous sets as inactive in the next
generation to ensure it is not reachable in this transaction anymore and
decrement the set refcount as introduced by c1592a89942e ("netfilter:
nf_tables: deactivate anonymous set from preparation phase"). The abort
step takes care of undoing the anonymous set.

This is also consistent with rule deletion, where NFT_TRANS_PREPARE is
used.

Note that this error path is exercised in the preparation step of the
commit protocol. This patch replaces nf_tables_rule_release() by the
deactivate and destroy calls, this time with NFT_TRANS_PREPARE.

Due to this incorrect error handling, it is possible to access a dangling
pointer to the anonymous set that remains in the transaction list.

[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
[1009.379128] Call Trace:
[1009.379132]
[1009.379135] dump_stack_lvl+0x33/0x50
[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379191] print_address_description.constprop.0+0x27/0x300
[1009.379201] kasan_report+0x107/0x120
[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables]
[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables]
[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
[1009.379441] ? kasan_unpoison+0x23/0x50
[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
[1009.379485] ? __alloc_skb+0xb8/0x1e0
[1009.379493] ? __alloc_skb+0xb8/0x1e0
[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
[1009.379509] ? unwind_get_return_address+0x2a/0x40
[1009.379517] ? write_profile+0xc0/0xc0
[1009.379524] ? avc_lookup+0x8f/0xc0
[1009.379532] ? __rcu_read_unlock+0x43/0x60

Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 1240eb93f0616b21c675416516ff3d74798fdc97)
CVE-2023-3390
Signed-off-by: Yuxuan Luo
---
 net/netfilter/nf_tables_api.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 7237162fbcc36..2412ceaff6c4e 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3717,7 +3717,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, if (flow) nft_flow_rule_destroy(flow); err_release_rule: - nf_tables_rule_release(&ctx, rule); + nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE); + nf_tables_rule_destroy(&ctx, rule); err_release_expr: for (i = 0; i < n; i++) { if (expr_info[i].ops) {
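Review bot: the hunk at err_release_rule only has the intended effect if the prerequisite named in the commit message, c1592a89942e ("netfilter: nf_tables: deactivate anonymous set from preparation phase"), is already present in both the Jammy-OEM-5.17 and OEM-6.0 trees; the cover letter should state that explicitly, because without it `nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE)` will not mark the anonymous set inactive or drop its refcount, and the dangling transaction-list pointer behind the KASAN use-after-free quoted above stays reachable. Two further points worth a sentence in the SRU justification: the two added lines must keep this order, deactivate before `nf_tables_rule_destroy(&ctx, rule)`, since destroy frees the expressions that deactivate walks; and, unlike the removed `nf_tables_rule_release()` (NFT_TRANS_RELEASE semantics), the PREPARE variant leaves the undo to the transaction abort, so this path is only correct because the error is raised from inside the batch where the abort step runs, exactly as the message says.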
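The KASAN report quoted in the commit message is the artefact a kernel or SOC team triages when deciding whether a crash matches a known, already-fixed bug. As an added example that is not part of this patch or of the netfilter code, here is a small Python parser that turns such a report into a structured record (bug type, access, address, task, kernel version, call-trace frames) and applies a triage check for the signature of this particular use-after-free. The sample input is constructed from the trace lines above, trimmed to what the parser needs; the function and class names (`parse_kasan_report`, `KasanReport`, `is_nft_anon_set_uaf`) are my own and not kernel tooling.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the KASAN report from the commit message above,
# trimmed to the lines this parser consumes.
SAMPLE_REPORT = """\
[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
[1009.379128] Call Trace:
[1009.379135]  dump_stack_lvl+0x33/0x50
[1009.379146]  ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379191]  print_address_description.constprop.0+0x27/0x300
[1009.379201]  kasan_report+0x107/0x120
[1009.379255]  nft_set_lookup_global+0x147/0x1a0 [nf_tables]
[1009.379302]  nft_lookup_init+0xa5/0x270 [nf_tables]
[1009.379350]  nf_tables_newrule+0x698/0xe50 [nf_tables]
[1009.379450]  nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
"""


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    module: Optional[str]
    unreliable: bool  # '?' frames are stale stack slots, not part of the real call chain


@dataclass
class KasanReport:
    bug_type: str
    faulting_symbol: str
    access: str  # "Read" or "Write"
    access_size: int
    address: int
    task: str
    pid: int
    kernel: str
    frames: List[Frame] = field(default_factory=list)

    def reliable_chain(self) -> List[str]:
        """Call chain with the unreliable ('?') frames filtered out."""
        return [f.symbol for f in self.frames if not f.unreliable]

    def first_module_frame(self) -> Optional[Frame]:
        """Innermost reliable frame that lives in a loadable module."""
        for f in self.frames:
            if not f.unreliable and f.module:
                return f
        return None


# Every printk line carries a "[seconds.micros]" timestamp prefix.
_TS = r"^\[\s*\d+\.\d+\]\s*"
_HDR = re.compile(_TS + r"BUG: KASAN: (?P<type>[\w-]+) in (?P<sym>[\w.]+)")
_ACC = re.compile(_TS + r"(?P<rw>Read|Write) of size (?P<size>\d+) at addr "
                  r"(?P<addr>[0-9a-f]+) by task (?P<task>\S+)/(?P<pid>\d+)")
_CPU = re.compile(_TS + r"CPU: \d+ PID: \d+ Comm: \S+ (?P<taint>.*?) (?P<kernel>\S+) #\d+$")
_FRAME = re.compile(_TS + r"(?P<q>\? )?(?P<sym>[\w.]+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)"
                    r"(?: \[(?P<mod>\w+)\])?$")


def parse_kasan_report(text: str) -> KasanReport:
    """Parse a KASAN report into a KasanReport; raise if the header lines are missing."""
    fields = {}
    frames: List[Frame] = []
    in_trace = False
    for line in text.splitlines():
        if (m := _HDR.match(line)):
            fields["bug_type"], fields["faulting_symbol"] = m["type"], m["sym"]
        elif (m := _ACC.match(line)):
            fields.update(access=m["rw"], access_size=int(m["size"]),
                          address=int(m["addr"], 16), task=m["task"], pid=int(m["pid"]))
        elif (m := _CPU.match(line)):
            fields["kernel"] = m["kernel"]
        elif re.match(_TS + r"Call Trace:", line):
            in_trace = True
        elif in_trace and (m := _FRAME.match(line)):
            frames.append(Frame(m["sym"], int(m["off"], 16), int(m["size"], 16),
                                m["mod"], m["q"] is not None))
    missing = {"bug_type", "access", "kernel"} - fields.keys()
    if missing:
        raise ValueError(f"incomplete KASAN report, missing {sorted(missing)}")
    return KasanReport(frames=frames, **fields)


def is_nft_anon_set_uaf(report: KasanReport) -> bool:
    """Triage rule: does this report match the rule-add anonymous-set UAF fixed above?
    It is a use-after-free read raised from nft_set_lookup_global while
    nf_tables_newrule is on the reliable call chain."""
    chain = report.reliable_chain()
    return (report.bug_type == "use-after-free"
            and report.access == "Read"
            and report.faulting_symbol == "nft_set_lookup_global"
            and "nf_tables_newrule" in chain)


if __name__ == "__main__":
    r = parse_kasan_report(SAMPLE_REPORT)
    print(r.bug_type, r.faulting_symbol, hex(r.address), r.task, r.kernel)
    print("matches CVE-2023-3390 signature:", is_nft_anon_set_uaf(r))
```

The parser drops the `?` frames before matching, because those are leftover return addresses the unwinder could not confirm; matching on them produces false positives across unrelated reports that merely share stale stack contents.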