Date: Wed, 31 Mar 2021 22:22:30 +0200
From: Pablo Neira Ayuso
To: Richard Guy Briggs
Cc: Linux-Audit Mailing List, LKML, netfilter-devel@vger.kernel.org, Paul Moore, Eric Paris, Steve Grubb, Florian Westphal, Phil Sutter, twoerner@redhat.com, tgraf@infradead.org, dan.carpenter@oracle.com, Jones Desougi
Subject: Re: [PATCH v5] audit: log nftables configuration change events once per table
Message-ID: <20210331202230.GA4109@salvia>
References: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>
In-Reply-To: <28de34275f58b45fd4626a92ccae96b6d2b4e287.1616702731.git.rgb@redhat.com>

On Fri, Mar 26, 2021 at 01:38:59PM -0400, Richard Guy Briggs wrote:
> Reduce logging of nftables events to a level similar to iptables.
> Restore the table field to list the table, adding the generation.
>
> Indicate the op as the most significant operation in the event.

There's a UAF, Florian reported. I'm attaching an incremental fix.

nf_tables_commit_audit_collect() refers to the trans object which might
have been already released.

[attachment: fix-uaf.patch]

commit e4d272948d25b66d86fc241cefd95281bfb1079e
Author: Pablo Neira Ayuso
Date:   Wed Mar 31 22:19:51 2021 +0200

    netfilter: nf_tables: use-after-free

    Signed-off-by: Pablo Neira Ayuso

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5dd4bb7cabf5..01674c0d9103 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8063,6 +8063,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) net->nft.gencursor = nft_gencursor_next(net); list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { + nf_tables_commit_audit_collect(&adl, trans->ctx.table, + trans->msg_type); switch (trans->msg_type) { case NFT_MSG_NEWTABLE: if (nft_trans_table_update(trans)) { @@ -8211,8 +8213,6 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) } break; } - nf_tables_commit_audit_collect(&adl, trans->ctx.table, - trans->msg_type); } nft_commit_notify(net, NETLINK_CB(skb).portid); --OXfL5xGRrasGEqWY--
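Review bot: the commit message (subject "netfilter: nf_tables: use-after-free" with no body) should state what the cover note above does: that nf_tables_commit_audit_collect(), sitting after the switch in the second hunk, reads trans after cases inside that switch can release it, and that hoisting the call to the top of the loop body in the first hunk, before `switch (trans->msg_type)`, is what makes the read safe; a one-line subject leaves the next reader reconstructing that from the diff. It is also worth recording that the hoist does not change the audit data: the removed call and the added call both pass `trans->ctx.table` and `trans->msg_type`, so only the point at which those two fields are read moves earlier.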
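As an added model of the ordering the fix above establishes (my own illustration, not kernel code or code from this thread): a commit loop that collects the audit entry before the switch, because the switch is where the transaction, and for a table deletion its table, gets released. The once-per-table aggregation follows the patch subject; the log layout, the op ranking and the fact that every case frees trans are assumptions of the model.

```c
/* Added model of the fixed commit loop, not kernel code: the audit entry is
 * collected BEFORE the switch because the switch releases trans (and, for
 * DELTABLE, its table). Log layout and op ranking are assumed for the model. */
#include <stdlib.h>
#include <string.h>
enum { NFT_MSG_NEWRULE, NFT_MSG_NEWTABLE, NFT_MSG_DELTABLE }; /* assumed: higher = more significant */
struct nft_table { char name[16]; };
struct nft_trans { struct nft_trans *next; int msg_type; struct nft_table *table; };
struct audit_entry { char name[16]; int op; };
struct audit_log { struct audit_entry e[8]; int n; };   /* one entry per table per commit */
/* Records (table, op); a table already present keeps its most significant op. */
static void nf_tables_commit_audit_collect(struct audit_log *adl, const struct nft_table *t, int op)
{
    int i;
    for (i = 0; i < adl->n && strcmp(adl->e[i].name, t->name) != 0; i++) {}
    if (i == adl->n) { if (i == 8) return; strcpy(adl->e[i].name, t->name); adl->e[i].op = -1; adl->n++; }
    if (op > adl->e[i].op) adl->e[i].op = op;
}
/* Commits and frees every transaction; returns the number of audit entries. */
static int nf_tables_commit(struct nft_trans *head, struct audit_log *adl)
{
    struct nft_trans *trans, *next;
    for (trans = head; trans; trans = next) {
        next = trans->next;                         /* _safe walk: trans is freed below */
        nf_tables_commit_audit_collect(adl, trans->table, trans->msg_type);
        switch (trans->msg_type) {
        case NFT_MSG_DELTABLE:
            free(trans->table);                     /* table released inside the switch */
            /* fall through */
        default:
            free(trans);                            /* trans released inside the switch */
        }
        /* the collect call used to sit here, after trans was already freed */
    }
    return adl->n;
}
static struct nft_trans *mk(struct nft_trans *next, int op, struct nft_table *t)
{
    struct nft_trans *tr = calloc(1, sizeof *tr);
    tr->next = next; tr->msg_type = op; tr->table = t; return tr;
}
/* Constructed input: NEWTABLE + NEWRULE on "filter", DELTABLE on "nat". */
static int run_model(struct audit_log *adl)
{
    static struct nft_table filter = { "filter" };
    struct nft_table *nat = calloc(1, sizeof *nat);  /* freed by the DELTABLE case */
    strcpy(nat->name, "nat");
    return nf_tables_commit(mk(mk(mk(NULL, NFT_MSG_DELTABLE, nat), NFT_MSG_NEWRULE, &filter),
                               NFT_MSG_NEWTABLE, &filter), adl);   /* 2 entries */
}
```

Running the model under a sanitizer with the collect call moved back below the switch reproduces the read-after-free the fix removes; as written it runs clean.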