Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp1860797rwb; Fri, 19 Aug 2022 10:35:36 -0700 (PDT) X-Google-Smtp-Source: AA6agR6x/0KcprIiX3I2STMVS+ebeblWrOBqqHR9un/tkCceJdPqN5E9GvmwchYMDLRrjMdlLNL+ X-Received: by 2002:a17:90a:d917:b0:1fa:a61e:99da with SMTP id c23-20020a17090ad91700b001faa61e99damr9487773pjv.73.1660930536247; Fri, 19 Aug 2022 10:35:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660930536; cv=none; d=google.com; s=arc-20160816; b=dOodqpl83sgfot7+WKcLetapotqDiqf2B2tpPnH/v3/aZvCvO0xzkoYL4rWQ6nBSxe jaPUOD9ws9KYnPhBhju7p44P9t0OtgGs34mBMJemBxCuIZhyfPqOZJ4bg9+HKD6d0a/K 80EhhS4Ud39D+ti8xtGmIf527NxRhYsTJ3nNICUVlBcGgdJc+jnrqYlPN82FPJx4eHV/ cJI1rxqESzPIiro3UutGjgaHRRDuRb7O2Hc33FlhkALEEMQPhtDuMuOVgG+67VJ594nk fN6wMZGIl/yLqiU8zCagvqnpaGX1zuHhTZcVssYGyo+NsjnHFv5Z+AkYmC9aoPixJ8R8 VL9w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=gjudAd1q/ZZNBXr3yaEe1AJMDinAhkdF8TQlSOMYJZU=; b=vDbt1H7V6LVyRRjhVlRBueHq8wLbcQC1XbN3pFH+nnZm4PQqFQhKduVDD18lgYkFor LDl1zVgQ55uUmOpLK1VtS0DZeWSzX7XsYpFvsmbyhnca/pd6wRBmMlItJV4ryIreAOkE 8yKJqCMG0Y6yt6zwaVK9mEsbojFK23pzUKL/M0GVnEu6l4Q1pGXbKXul04zIupCktFVk 2uDZMw1+/9t4dTbTCIcLIQm6mpy5kWAZXC7sPCbeQjK2i3O8v+hCIklbIBt4eaj45Vx5 TQRclzApu15ubvbqwfWkxSH4kE6DWRDxvSvNl8SwgJZFLsm9R5bTvPCG8qMiHfnmvcSV X9uQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MmwLecOu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v10-20020a63bf0a000000b00427fbb3e3d2si4671792pgf.246.2022.08.19.10.35.25; Fri, 19 Aug 2022 10:35:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=MmwLecOu; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1350539AbiHSPyG (ORCPT + 99 others); Fri, 19 Aug 2022 11:54:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40852 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1350493AbiHSPxX (ORCPT ); Fri, 19 Aug 2022 11:53:23 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 081B6106FA0; Fri, 19 Aug 2022 08:49:16 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 6DB2BB82812; Fri, 19 Aug 2022 15:49:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id C7C7EC433C1; Fri, 19 Aug 2022 15:49:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1660924155; bh=fi65p4E4OX7ekzxpcc7up/88JMP4dNQ8dvruvpufEu8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MmwLecOuAJUeUxDq6lUswGWkNGJ/KumHaJXsniarkyo9LBeWfVVW35JGJ+3aCQdAW cq2Qmnjd/yGONPz4Ymwh2bRwW+MxW9IpJdxACUb4vXszeQQMDXw3Rn89jYpjchf9Sc CAl/eogseBv1cJkocePvTpxUC1CPZNCEYHrrMkvA= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Pablo Neira Ayuso Subject: [PATCH 5.10 074/545] netfilter: nf_tables: do not allow RULE_ID to refer to another chain Date: Fri, 19 Aug 2022 17:37:24 +0200 Message-Id: <20220819153832.580611023@linuxfoundation.org> X-Mailer: git-send-email 2.37.2 In-Reply-To: <20220819153829.135562864@linuxfoundation.org> References: <20220819153829.135562864@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Thadeu Lima de Souza Cascardo commit 36d5b2913219ac853908b0f1c664345e04313856 upstream. When doing lookups for rules on the same batch by using its ID, a rule from a different chain can be used. If a rule is added to a chain but tries to be positioned next to a rule from a different chain, it will be linked to chain2, but the use counter on chain1 would be the one to be incremented. When looking for rules by ID, use the chain that was used for the lookup by name. The chain used in the context copied to the transaction needs to match that same chain. That way, struct nft_rule does not need to get enlarged with another member. Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute") Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule") Signed-off-by: Thadeu Lima de Souza Cascardo Cc: Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman --- net/netfilter/nf_tables_api.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3156,6 +3156,7 @@ static int nft_table_validate(struct net } static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + const struct nft_chain *chain, const struct nlattr *nla); #define NFT_RULE_MAXEXPRS 128 @@ -3243,7 +3244,7 @@ static int nf_tables_newrule(struct net return PTR_ERR(old_rule); } } else if (nla[NFTA_RULE_POSITION_ID]) { - old_rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_POSITION_ID]); + old_rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_POSITION_ID]); if (IS_ERR(old_rule)) { NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION_ID]); return PTR_ERR(old_rule); @@ -3382,6 +3383,7 @@ err1: } static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + const struct nft_chain *chain, const struct nlattr *nla) { u32 id = ntohl(nla_get_be32(nla)); @@ -3391,6 +3393,7 @@ static struct nft_rule *nft_rule_lookup_ struct nft_rule *rule = nft_trans_rule(trans); if (trans->msg_type == NFT_MSG_NEWRULE && + trans->ctx.chain == chain && id == nft_trans_rule_id(trans)) return rule; } @@ -3439,7 +3442,7 @@ static int nf_tables_delrule(struct net err = nft_delrule(&ctx, rule); } else if (nla[NFTA_RULE_ID]) { - rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); + rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); if (IS_ERR(rule)) { NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]); return PTR_ERR(rule);