From 2f9874af7248b917772c8673054118267b3be415 Mon Sep 17 00:00:00 2001

From: Julia Denham <jdenham@redhat.com>

Date: Mon, 11 Jul 2022 08:10:32 -0400

Subject: [KPATCH CVE-2022-32250] kpatch fixes for CVE-2022-1966

Content-type: text/plain

Kernels:

4.18.0-372.9.1.el8

Changes since last build:

arches: x86_64 ppc64le

nf_tables_api.o: changed function: nft_expr_init

nf_tables_api.o: changed function: nft_set_elem_expr_alloc

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/53

Approved-by: Joe Lawrence (@joe.lawrence)

Approved-by: Yannick Cote (@ycote1)

Modifications: none

commit afeaad78f78f7593e89f540a87b8796e8d705d57

Author: Phil Sutter <psutter@redhat.com>

Date:   Thu Jun 2 20:58:22 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier

    Bugzilla: https://bugzilla.redhat.com/2092986

    CVE: CVE-2022-32250

    Y-Commit: cfb0d599ec74a88a5f02455616f96946defb849e

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2092987

    Upstream Status: net.git commit 520778042ccca

    O-CVE: CVE-2022-32250

    Conflicts: Upstream renamed info -> expr_info.

    commit 520778042ccca019f3ffa136dd0ca565c486cedd

    Author: Pablo Neira Ayuso <pablo@netfilter.org>

    Date:   Wed May 25 10:36:38 2022 +0200

        netfilter: nf_tables: disallow non-stateful expression in sets earlier

        Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression

        instantiation"), it is possible to attach stateful expressions to set

        elements.

        cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate

        and destroy phase") introduces conditional destruction on the object to

        accomodate transaction semantics.

        nft_expr_init() calls expr->ops->init() first, then check for

        NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful

        lookup expressions which points to a set, which might lead to UAF since

        the set is not properly detached from the set->binding for this case.

        Anyway, this combination is non-sense from nf_tables perspective.

        This patch fixes this problem by checking for NFT_STATEFUL_EXPR before

        expr->ops->init() is called.

        The reporter provides a KASAN splat and a poc reproducer (similar to

        those autogenerated by syzbot to report use-after-free errors). It is

        unknown to me if they are using syzbot or if they use similar automated

        tool to locate the bug that they are reporting.

        For the record, this is the KASAN splat.

        [   85.431824] ==================================================================

        [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20

        [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776

        [   85.434756]

        [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2

        [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

        Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")

        Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>

        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Signed-off-by: Phil Sutter <psutter@redhat.com>

    Signed-off-by: Augusto Caringi <acaringi@redhat.com>

Signed-off-by: Julia Denham <jdenham@redhat.com>

---

 net/netfilter/nf_tables_api.c | 19 ++++++++++---------

 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index aa095db8d0ca..097680c5f914 100644

--- a/net/netfilter/nf_tables_api.c

+++ b/net/netfilter/nf_tables_api.c

@@ -2576,27 +2576,31 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,

 	err = nf_tables_expr_parse(ctx, nla, &info;;

 	if (err < 0)

-		goto err1;

+		goto err_expr_parse;

+

+	err = -EOPNOTSUPP;

+	if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))

+		goto err_expr_stateful;

 	err = -ENOMEM;

 	expr = kzalloc(info.ops->size, GFP_KERNEL);

 	if (expr == NULL)

-		goto err2;

+		goto err_expr_stateful;

 	err = nf_tables_newexpr(ctx, &info, expr);

 	if (err < 0)

-		goto err3;

+		goto err_expr_new;

 	return expr;

-err3:

+err_expr_new:

 	kfree(expr);

-err2:

+err_expr_stateful:

 	owner = info.ops->type->owner;

 	if (info.ops->type->release_ops)

 		info.ops->type->release_ops(info.ops);

 	module_put(owner);

-err1:

+err_expr_parse:

 	return ERR_PTR(err);

 }

@@ -4983,9 +4987,6 @@ struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,

 		return expr;

 	err = -EOPNOTSUPP;

-	if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))

-		goto err_set_elem_expr;

-

 	if (expr->ops->type->flags & NFT_EXPR_GC) {

 		if (set->flags & NFT_SET_TIMEOUT)

 			goto err_set_elem_expr;

-- 

2.26.3