From patchwork Mon Dec 4 17:45:26 2023
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1871656
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][Lunar][PATCH 1/2] nf_tables: fix NULL pointer dereference in nft_inner_init()
Date: Mon, 4 Dec 2023 11:45:26 -0600
Message-Id: <20231204174527.16125-2-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231204174527.16125-1-bethany.jamison@canonical.com>
References: <20231204174527.16125-1-bethany.jamison@canonical.com>

From: Xingyuan Mo

We should check whether the NFTA_INNER_NUM netlink attribute is present
before accessing it, otherwise a null pointer dereference error will occur.

Call Trace:
 dump_stack_lvl+0x4f/0x90
 print_report+0x3f0/0x620
 kasan_report+0xcd/0x110
 __asan_load4+0x84/0xa0
 nft_inner_init+0x128/0x2e0
 nf_tables_newrule+0x813/0x1230
 nfnetlink_rcv_batch+0xec3/0x1170
 nfnetlink_rcv+0x1e4/0x220
 netlink_unicast+0x34e/0x4b0
 netlink_sendmsg+0x45c/0x7e0
 __sys_sendto+0x355/0x370
 __x64_sys_sendto+0x84/0xa0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Signed-off-by: Xingyuan Mo
Signed-off-by: Florian Westphal
(cherry picked from commit 52177bbf19e6e9398375a148d2e13ed492b40b80)
CVE-2023-5972
Signed-off-by: Bethany Jamison
---
 net/netfilter/nft_inner.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
index 28e2873ba24e..928312d01eb1 100644
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -298,6 +298,7 @@ static int nft_inner_init(const struct nft_ctx *ctx, int err; if (!tb[NFTA_INNER_FLAGS] || + !tb[NFTA_INNER_NUM] || !tb[NFTA_INNER_HDRSIZE] || !tb[NFTA_INNER_TYPE] || !tb[NFTA_INNER_EXPR])
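Review bot: adding `!tb[NFTA_INNER_NUM] ||` to the existing presence chain is the right place for this fix, because a struct nla_policy cannot express that an attribute is mandatory, so every attribute nft_inner_init() reads unconditionally has to be listed in this `if (!tb[NFTA_INNER_FLAGS] || ...)` check; the trace in the commit message (nft_inner_init ← nf_tables_newrule ← nfnetlink_rcv_batch ← sendto) shows the dereference is reached by an ordinary rule-add netlink message that simply omits the attribute, so it is worth confirming that NFTA_INNER_NUM was the only attribute the function used without first checking it, since any other one left out of this chain would reproduce the same crash. Since the terms are OR-ed into a single condition their order does not affect behaviour, so no further change is needed in this hunk.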

From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Mantic][Lunar][PATCH 2/2] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse()
Date: Mon, 4 Dec 2023 11:45:27 -0600
Message-Id: <20231204174527.16125-3-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20231204174527.16125-1-bethany.jamison@canonical.com>
References: <20231204174527.16125-1-bethany.jamison@canonical.com>

From: Xingyuan Mo

We should check whether the NFTA_EXPR_NAME netlink attribute is present
before accessing it, otherwise a null pointer dereference error will occur.

Call Trace:
 dump_stack_lvl+0x4f/0x90
 print_report+0x3f0/0x620
 kasan_report+0xcd/0x110
 __asan_load2+0x7d/0xa0
 nla_strcmp+0x2f/0x90
 __nft_expr_type_get+0x41/0xb0
 nft_expr_inner_parse+0xe3/0x200
 nft_inner_init+0x1be/0x2e0
 nf_tables_newrule+0x813/0x1230
 nfnetlink_rcv_batch+0xec3/0x1170
 nfnetlink_rcv+0x1e4/0x220
 netlink_unicast+0x34e/0x4b0
 netlink_sendmsg+0x45c/0x7e0
 __sys_sendto+0x355/0x370
 __x64_sys_sendto+0x84/0xa0
 do_syscall_64+0x3f/0x90
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Signed-off-by: Xingyuan Mo
Signed-off-by: Florian Westphal
(cherry picked from commit 505ce0630ad5d31185695f8a29dde8d29f28faa7)
CVE-2023-5972
Signed-off-by: Bethany Jamison
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 976a9b763b9b..fd8c9389fb8d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3166,7 +3166,7 @@ int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, if (err < 0) return err; - if (!tb[NFTA_EXPR_DATA]) + if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME]) return -EINVAL; type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
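Review bot: `tb[NFTA_EXPR_NAME]` is consumed on the very next line by `__nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME])`, so putting it first in the condition (`if (!tb[NFTA_EXPR_NAME] || !tb[NFTA_EXPR_DATA])`) would make the check read in the order the attributes are used; more importantly, the trace in the commit message shows the crash inside nla_strcmp() called from __nft_expr_type_get(), so a NULL check on the nla argument inside __nft_expr_type_get() itself would cover every caller of that helper rather than only nft_expr_inner_parse(), and it is worth confirming the other callers already guard it or adding that check in a follow-up. Returning -EINVAL for a missing NFTA_EXPR_NAME matches the existing handling of a missing NFTA_EXPR_DATA, so the error path itself is consistent.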