From patchwork Fri Jun 28 16:38:17 2024 X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1954066
From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][F][PATCH 1/2] netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV Date: Fri, 28 Jun 2024 11:38:17 -0500 Message-Id: <20240628163818.18631-2-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240628163818.18631-1-bethany.jamison@canonical.com> References: <20240628163818.18631-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Pablo Neira Ayuso Bail out on using the tunnel dst template from other than netdev family. Add the infrastructure to check for the family in objects. Fixes: af308b94a2a4 ("netfilter: nf_tables: add tunnel support") Signed-off-by: Pablo Neira Ayuso (backported from commit 776d451648443f9884be4a1b4e38e8faf1c621f9) [bjamison: context conflict from neighboring line, added fix as is] CVE-2024-27019 Signed-off-by: Bethany Jamison --- include/net/netfilter/nf_tables.h | 2 ++ net/netfilter/nf_tables_api.c | 14 +++++++++----- net/netfilter/nft_tunnel.c | 1 + 3 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index b746a77087bd4..e13ad037ae1b3 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1098,6 +1098,7 @@ void nft_obj_notify(struct net *net, const struct nft_table *table, * @type: stateful object numeric type * @owner: module owner * @maxattr: maximum netlink attribute + * @family: address family for AF-specific object types * @policy: netlink attribute policy */ struct nft_object_type { @@ -1107,6 +1108,7 @@ struct nft_object_type { struct list_head list; u32 type; unsigned int maxattr; + u8 family; struct module *owner; const struct nla_policy *policy; }; 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index e8f8db57939f5..6db4257b6e3e7 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5465,11 +5465,15 @@ static int nft_object_dump(struct sk_buff *skb, unsigned int attr, return -1; } -static const struct nft_object_type *__nft_obj_type_get(u32 objtype) +static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) { const struct nft_object_type *type; list_for_each_entry(type, &nf_tables_objects, list) { + if (type->family != NFPROTO_UNSPEC && + type->family != family) + continue; + if (objtype == type->type) return type; } @@ -5477,11 +5481,11 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype) } static const struct nft_object_type * -nft_obj_type_get(struct net *net, u32 objtype) +nft_obj_type_get(struct net *net, u32 objtype, u8 family) { const struct nft_object_type *type; - type = __nft_obj_type_get(objtype); + type = __nft_obj_type_get(objtype, family); if (type != NULL && try_module_get(type->owner)) return type; @@ -5574,7 +5578,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, if (nlh->nlmsg_flags & NLM_F_REPLACE) return -EOPNOTSUPP; - type = __nft_obj_type_get(objtype); + type = __nft_obj_type_get(objtype, family); nft_ctx_init(&ctx, net, skb, nlh, family, table, NULL, nla); return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj); @@ -5585,7 +5589,7 @@ static int nf_tables_newobj(struct net *net, struct sock *nlsk, if (!nft_use_inc(&table->use)) return -EMFILE; - type = nft_obj_type_get(net, objtype); + type = nft_obj_type_get(net, objtype, family); if (IS_ERR(type)) { err = PTR_ERR(type); goto err_type; diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index b2070f9f98ffa..5059dfd68ffe4 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c 
@@ -573,6 +573,7 @@ static const struct nft_object_ops nft_tunnel_obj_ops = { static struct nft_object_type nft_tunnel_obj_type __read_mostly = { .type = NFT_OBJECT_TUNNEL, + .family = NFPROTO_NETDEV, .ops = &nft_tunnel_obj_ops, .maxattr = NFTA_TUNNEL_KEY_MAX, .policy = nft_tunnel_key_policy,
From patchwork Fri Jun 28 16:38:18 2024 X-Patchwork-Submitter: Bethany Jamison X-Patchwork-Id: 1954064
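Review bot: on patch 1/2, the NLM_F_REPLACE path in nf_tables_newobj() now calls `type = __nft_obj_type_get(objtype, family);` and hands the result straight to nft_ctx_init()/nf_tables_updobj() with no NULL check, while the new family filter in __nft_obj_type_get() gives that lookup a second way to return NULL (a type registered for another family is skipped). Today the existing object can only have been created through the same family-filtered lookup for the same table, so the result should never be NULL, but a cheap guard such as `if (WARN_ON_ONCE(!type)) return -ENOENT;` would keep a future mismatch from dereferencing NULL in nf_tables_updobj(). Separately, the new header comment `@family: address family for AF-specific object types` should say that the zero default (NFPROTO_UNSPEC) means "any family", since every nft_object_type that does not set .family relies on that and the filter only skips a type when `type->family != NFPROTO_UNSPEC && type->family != family`.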
From: Bethany Jamison To: kernel-team@lists.ubuntu.com Subject: [SRU][F][PATCH 2/2] netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get() Date: Fri, 28 Jun 2024 11:38:18 -0500 Message-Id: <20240628163818.18631-3-bethany.jamison@canonical.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20240628163818.18631-1-bethany.jamison@canonical.com> References: <20240628163818.18631-1-bethany.jamison@canonical.com> MIME-Version: 1.0 X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.20 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: "kernel-team" From: Ziyang Xuan nft_unregister_obj() can run concurrently with __nft_obj_type_get(), and there is no protection when iterating over the nf_tables_objects list in __nft_obj_type_get(). Therefore, there is a potential data race on nf_tables_objects list entries. Use list_for_each_entry_rcu() to iterate over the nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects") Signed-off-by: Ziyang Xuan Signed-off-by: Pablo Neira Ayuso (cherry picked from commit d78d867dcea69c328db30df665be5be7d0148484) CVE-2024-27019 Signed-off-by: Bethany Jamison --- net/netfilter/nf_tables_api.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 6db4257b6e3e7..2672e481ce629 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -5469,7 +5469,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype, u8 family) { const struct nft_object_type *type; - list_for_each_entry(type, &nf_tables_objects, list) { + list_for_each_entry_rcu(type, &nf_tables_objects, list) { if (type->family != NFPROTO_UNSPEC && type->family != family) continue; @@ -5485,9 +5485,13 @@ nft_obj_type_get(struct net *net, u32 objtype, u8 family) { const struct nft_object_type *type; + rcu_read_lock(); type = __nft_obj_type_get(objtype, family); - if (type != NULL && try_module_get(type->owner)) + if (type != NULL && try_module_get(type->owner)) { + rcu_read_unlock(); return type; + } + rcu_read_unlock(); lockdep_nfnl_nft_mutex_not_held(); #ifdef CONFIG_MODULES
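Review bot: in the first hunk of patch 2/2, switching the reader to list_for_each_entry_rcu() only closes the race if the writers are already RCU-aware: nft_register_obj()/nft_unregister_obj() must add and remove entries with list_add_rcu()/list_del_rcu() and the type must not be freed before a grace period. Neither function is touched here, so please confirm that in the Focal tree before merging. Also, patch 1/2 shows __nft_obj_type_get() still being called directly from the NLM_F_REPLACE path of nf_tables_newobj() without rcu_read_lock(); that caller runs under the nfnl mutex, which excludes unregistration, but with CONFIG_PROVE_RCU_LIST the RCU list walk will warn there unless it is given a lockdep condition (for example lockdep_nfnl_is_held(NFNL_SUBSYS_NFTABLES), if this tree's list_for_each_entry_rcu() accepts the optional condition argument). Worth a short comment on the function either way.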
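Review bot: in the second hunk of patch 2/2, the ordering is correct (try_module_get() happens inside the read-side critical section, so the type's module cannot be unloaded between the lookup and the refcount), but the duplicated rcu_read_unlock() in the early-return branch is easy to get wrong on the next edit. A single unlock reads cleaner: clear `type` when try_module_get() fails, call rcu_read_unlock() once, then `if (type) return type;`. Also note that `type` points into the owning module's memory, so after rcu_read_unlock() the only thing keeping it valid is the module reference just taken; a one-line comment saying so would help anyone later moving the unlock.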