From 2f9874af7248b917772c8673054118267b3be415 Mon Sep 17 00:00:00 2001
From: Julia Denham <jdenham@redhat.com>
Date: Mon, 11 Jul 2022 08:10:32 -0400
Subject: [KPATCH CVE-2022-32250] kpatch fixes for CVE-2022-1966
Content-type: text/plain
|
Kernels:
4.18.0-372.9.1.el8
|
Changes since last build:
arches: x86_64 ppc64le
nf_tables_api.o: changed function: nft_expr_init
nf_tables_api.o: changed function: nft_set_elem_expr_alloc
---------------------------
|
Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-8/-/merge_requests/53
Approved-by: Joe Lawrence (@joe.lawrence)
Approved-by: Yannick Cote (@ycote1)
Modifications: none
|
commit afeaad78f78f7593e89f540a87b8796e8d705d57
Author: Phil Sutter <psutter@redhat.com>
Date: Thu Jun 2 20:58:22 2022 +0200
|
netfilter: nf_tables: disallow non-stateful expression in sets earlier
|
Bugzilla: https://bugzilla.redhat.com/2092986
CVE: CVE-2022-32250
Y-Commit: cfb0d599ec74a88a5f02455616f96946defb849e
|
O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2092987
Upstream Status: net.git commit 520778042ccca
O-CVE: CVE-2022-32250
Conflicts: Upstream renamed info -> expr_info.
|
commit 520778042ccca019f3ffa136dd0ca565c486cedd
Author: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed May 25 10:36:38 2022 +0200
|
netfilter: nf_tables: disallow non-stateful expression in sets earlier
|
Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
instantiation"), it is possible to attach stateful expressions to set
elements.
|
cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase") introduces conditional destruction on the object to
accomodate transaction semantics.
|
nft_expr_init() calls expr->ops->init() first, then check for
NFT_STATEFUL_EXPR, this still allows initializing a non-stateful
lookup expressions which points to a set, which might lead to UAF since
the set is not properly detached from the set->binding for this case.
Anyway, this combination is non-sense from nf_tables perspective.
|
This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
expr->ops->init() is called.
|
The reporter provides a KASAN splat and a poc reproducer (similar to
those autogenerated by syzbot to report use-after-free errors). It is
unknown to me if they are using syzbot or if they use similar automated
tool to locate the bug that they are reporting.
|
For the record, this is the KASAN splat.
|
[ 85.431824] ==================================================================
[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[ 85.434756]
[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
|
Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
Signed-off-by: Phil Sutter <psutter@redhat.com>
Signed-off-by: Augusto Caringi <acaringi@redhat.com>
|
Signed-off-by: Julia Denham <jdenham@redhat.com>
---
net/netfilter/nf_tables_api.c | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
|
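diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index aa095db8d0ca..097680c5f914 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2576,27 +2576,31 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,
 
 err = nf_tables_expr_parse(ctx, nla, &info;;
 if (err < 0)
-goto err1;
+goto err_expr_parse;
+
+err = -EOPNOTSUPP;
+if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))
+goto err_expr_stateful;
 
 err = -ENOMEM;
 expr = kzalloc(info.ops->size, GFP_KERNEL);
 if (expr == NULL)
-goto err2;
+goto err_expr_stateful;
 
 err = nf_tables_newexpr(ctx, &info, expr);
 if (err < 0)
-goto err3;
+goto err_expr_new;
 
 return expr;
-err3:
+err_expr_new:
 kfree(expr);
-err2:
+err_expr_stateful:
 owner = info.ops->type->owner;
 if (info.ops->type->release_ops)
 info.ops->type->release_ops(info.ops);
 
 module_put(owner);
-err1:
+err_expr_parse:
 return ERR_PTR(err);
 }
 
@@ -4983,9 +4987,6 @@ struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,
 return expr;
 
 err = -EOPNOTSUPP;
-if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))
-goto err_set_elem_expr;
-
 if (expr->ops->type->flags & NFT_EXPR_GC) {
 if (set->flags & NFT_SET_TIMEOUT)
 goto err_set_elem_expr;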
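Review bot: The new early rejection `err = -EOPNOTSUPP; if (!(info.ops->type->flags & NFT_EXPR_STATEFUL)) goto err_expr_stateful;` in the first hunk carries no comment explaining why it must sit before nf_tables_newexpr(), although that ordering is the entire fix: per the description, letting ops->init() run on a non-stateful lookup expression binds a set that the error path never detaches, which is the use-after-free being closed. A one-line comment such as `/* Must precede ops->init(): a non-stateful lookup expression would bind a set that the error path does not unbind (CVE-2022-32250). */` would keep a later reorder from quietly reintroducing the bug. Since the second hunk drops the equivalent check from nft_set_elem_expr_alloc(), nft_expr_init() is now the sole gate, so its stateful-only contract is worth recording in a comment on the function, whose signature and any other callers lie outside the hunk. The error path at err_expr_stateful still releases the ops and drops the module reference taken by nf_tables_expr_parse(), so the new goto appears to leak nothing.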
--
2.26.3
|