From 93b3d4237a6eccd92ab6cd4828541cfe512d513b Mon Sep 17 00:00:00 2001

From: Julia Denham <jdenham@redhat.com>

Date: Thu, 16 Jun 2022 15:36:44 -0400

Subject: [KPATCH CVE-2022-1966] kpatch fixes for CVE-2022-1966

Content-type: text/plain

Kernels:

5.14.0-70.13.1.el9_0

Changes since last build:

arches: x86_64 ppc64le

nf_tables_api.o: changed function: nft_expr_init

nf_tables_api.o: changed function: nft_set_elem_expr_alloc

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-9/-/merge_requests/3

Approved-by: Joe Lawrence (@joe.lawrence)

Modifications: none

commit 4dbedeaa74d57da26219448d417db8340db6d042

Author: Phil Sutter <psutter@redhat.com>

Date:   Thu Jun 2 20:42:43 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier

    Bugzilla: https://bugzilla.redhat.com/2092994

    CVE: CVE-2022-1966

    Y-Commit: b26a2ad4080a9e9b62ebf5c68024363b1561cac5

    O-Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2092995

    Upstream Status: net.git commit 520778042ccca

    O-CVE: CVE-2022-1966

    commit 520778042ccca019f3ffa136dd0ca565c486cedd

    Author: Pablo Neira Ayuso <pablo@netfilter.org>

    Date:   Wed May 25 10:36:38 2022 +0200

        netfilter: nf_tables: disallow non-stateful expression in sets earlier

        Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression

        instantiation"), it is possible to attach stateful expressions to set

        elements.

        cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate

        and destroy phase") introduces conditional destruction on the object to

        accomodate transaction semantics.

        nft_expr_init() calls expr->ops->init() first, then check for

        NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful

        lookup expressions which points to a set, which might lead to UAF since

        the set is not properly detached from the set->binding for this case.

        Anyway, this combination is non-sense from nf_tables perspective.

        This patch fixes this problem by checking for NFT_STATEFUL_EXPR before

        expr->ops->init() is called.

        The reporter provides a KASAN splat and a poc reproducer (similar to

        those autogenerated by syzbot to report use-after-free errors). It is

        unknown to me if they are using syzbot or if they use similar automated

        tool to locate the bug that they are reporting.

        For the record, this is the KASAN splat.

        [   85.431824] ==================================================================

        [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20

        [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776

        [   85.434756]

        [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2

        [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

        Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")

        Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>

        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Signed-off-by: Phil Sutter <psutter@redhat.com>

    Signed-off-by: Herton R. Krzesinski <herton@redhat.com>

Signed-off-by: Julia Denham <jdenham@redhat.com>

---

 net/netfilter/nf_tables_api.c | 19 ++++++++++---------

 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index a3116d96ac88..d495e10044dc 100644

--- a/net/netfilter/nf_tables_api.c

+++ b/net/netfilter/nf_tables_api.c

@@ -2778,27 +2778,31 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,

 	err = nf_tables_expr_parse(ctx, nla, &expr_info);

 	if (err < 0)

-		goto err1;

+		goto err_expr_parse;

+

+	err = -EOPNOTSUPP;

+	if (!(expr_info.ops->type->flags & NFT_EXPR_STATEFUL))

+		goto err_expr_stateful;

 	err = -ENOMEM;

 	expr = kzalloc(expr_info.ops->size, GFP_KERNEL);

 	if (expr == NULL)

-		goto err2;

+		goto err_expr_stateful;

 	err = nf_tables_newexpr(ctx, &expr_info, expr);

 	if (err < 0)

-		goto err3;

+		goto err_expr_new;

 	return expr;

-err3:

+err_expr_new:

 	kfree(expr);

-err2:

+err_expr_stateful:

 	owner = expr_info.ops->type->owner;

 	if (expr_info.ops->type->release_ops)

 		expr_info.ops->type->release_ops(expr_info.ops);

 	module_put(owner);

-err1:

+err_expr_parse:

 	return ERR_PTR(err);

 }

@@ -5318,9 +5322,6 @@ struct nft_expr *nft_set_elem_expr_alloc(const struct nft_ctx *ctx,

 		return expr;

 	err = -EOPNOTSUPP;

-	if (!(expr->ops->type->flags & NFT_EXPR_STATEFUL))

-		goto err_set_elem_expr;

-

 	if (expr->ops->type->flags & NFT_EXPR_GC) {

 		if (set->flags & NFT_SET_TIMEOUT)

 			goto err_set_elem_expr;

-- 

2.26.3