From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Pablo Neira Ayuso, Aaron Adams
Subject: [PATCH 5.15 10/66] netfilter: nf_tables: disallow non-stateful expression in sets earlier
Date: Fri, 3 Jun 2022 19:42:50 +0200
Message-Id: <20220603173820.961939465@linuxfoundation.org>
In-Reply-To: <20220603173820.663747061@linuxfoundation.org>
References: <20220603173820.663747061@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Pablo Neira Ayuso

commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream.

Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression instantiation"), it is possible to attach stateful expressions to set elements.

cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase") introduces conditional destruction on the object to accommodate transaction semantics.

nft_expr_init() calls expr->ops->init() first, then checks for NFT_STATEFUL_EXPR; this still allows initializing a non-stateful lookup expression which points to a set, which might lead to UAF since the set is not properly detached from the set->binding for this case. Anyway, this combination is nonsense from the nf_tables perspective.

This patch fixes this problem by checking for NFT_STATEFUL_EXPR before expr->ops->init() is called.

The reporter provides a KASAN splat and a PoC reproducer (similar to those autogenerated by syzbot to report use-after-free errors). It is unknown to me if they are using syzbot or if they use a similar automated tool to locate the bug that they are reporting.

For the record, this is the KASAN splat.

[ 85.431824] ==================================================================
[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[ 85.434756]
[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nf_tables_api.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2778,27 +2778,31 @@ static struct nft_expr *nft_expr_init(co err = nf_tables_expr_parse(ctx, nla, &expr_info); if (err < 0) - goto err1; + goto err_expr_parse; + + err = -EOPNOTSUPP; + if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL)) + goto err_expr_stateful; err = -ENOMEM; expr = kzalloc(expr_info.ops->size, GFP_KERNEL); if (expr == NULL) - goto err2; + goto err_expr_stateful; err = nf_tables_newexpr(ctx, &expr_info, expr); if (err < 0) - goto err3; + goto err_expr_new; return expr; -err3: +err_expr_new: kfree(expr); -err2: +err_expr_stateful: owner = expr_info.ops->type->owner; if (expr_info.ops->type->release_ops) expr_info.ops->type->release_ops(expr_info.ops); module_put(owner); -err1: +err_expr_parse: return ERR_PTR(err); } @@ -5318,9 +5322,6 @@ struct nft_expr *nft_set_elem_expr_alloc return expr; err = -EOPNOTSUPP; - if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL)) - goto err_set_elem_expr; - if (expr->ops->type->flags & NFT_EXPR_GC) { if (set->flags & NFT_SET_TIMEOUT) goto err_set_elem_expr;
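Review bot: in the first hunk (nft_expr_init), the commit message should use the identifier the code actually tests: the message says "NFT_STATEFUL_EXPR" while the new check reads `if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))`, and a reader grepping for the name in the message will find nothing. The placement itself is right: the check sits between nf_tables_expr_parse() and kzalloc(), so a non-stateful expression is rejected before nf_tables_newexpr() runs ->init(), which the message identifies as the point where a lookup expression binds the set, and the rejection path jumps to `err_expr_stateful`, which releases ops and drops the module reference taken during parse without touching an expr that was never allocated. Since the gate now applies to every caller of nft_expr_init() rather than only to set element allocation, it would help to state that contract explicitly in the message or in a comment above the check.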
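Review bot: in the second hunk (nft_set_elem_expr_alloc), the surviving `err = -EOPNOTSUPP;` now looks orphaned, so a one-line comment that the stateful check has moved into nft_expr_init() would stop someone reintroducing it here later. The assignment itself must stay: the following `if (expr->ops->type->flags & NFT_EXPR_GC)` branch still jumps to `err_set_elem_expr` with that error code. Removing the check at this point is the substance of the fix, because here it ran only after nft_expr_init() had returned an initialized expression, so its `goto err_set_elem_expr` tore down an expression whose ->init() had already bound the set, which is the window the KASAN report in the message describes.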