iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
520778042c
linux/net/netfilter
History
Pablo Neira Ayuso 520778042c netfilter: nf_tables: disallow non-stateful expression in sets earlier 
Since 3e135cd499 ("netfilter: nft_dynset: dynamic stateful expression
instantiation"), it is possible to attach stateful expressions to set
elements.

cd5125d8f5 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase") introduces conditional destruction on the object to
accomodate transaction semantics.

nft_expr_init() calls expr->ops->init() first, then check for
NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful
lookup expressions which points to a set, which might lead to UAF since
the set is not properly detached from the set->binding for this case.
Anyway, this combination is non-sense from nf_tables perspective.

This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
expr->ops->init() is called.

The reporter provides a KASAN splat and a poc reproducer (similar to
those autogenerated by syzbot to report use-after-free errors). It is
unknown to me if they are using syzbot or if they use similar automated
tool to locate the bug that they are reporting.

For the record, this is the KASAN splat.

[   85.431824] ==================================================================
[   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[   85.434756]
[   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2
[   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

Fixes: 0b2d8a7b63 ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2022-05-26 22:50:33 +02:00
..
ipset netfilter: ipset: Fix oversized kvmalloc() calls 2021-09-14 00:50:01 +02:00
ipvs net: sysctl: introduce sysctl SYSCTL_THREE 2022-05-03 10:15:06 +02:00
core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf 2022-03-28 08:57:10 -07:00
Kconfig netfilter: nf_tables: make counter support built-in 2021-12-23 01:07:35 +01:00
Makefile net/netfilter: Add unstable CT lookup helpers for XDP and TC-BPF 2022-01-18 14:26:42 -08:00
nf_conncount.c netfilter: nf_conncount: reduce unnecessary GC 2022-05-16 13:05:40 +02:00
nf_conntrack_acct.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_conntrack_amanda.c
nf_conntrack_bpf.c net: netfilter: Reports ct direction in CT lookup helpers for XDP and TC-BPF 2022-04-06 09:58:30 -07:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: conntrack: add nf_conntrack_events autodetect mode 2022-05-13 18:56:28 +02:00
nf_conntrack_ecache.c netfilter: conntrack: add nf_conntrack_events autodetect mode 2022-05-13 18:56:28 +02:00
nf_conntrack_expect.c netfilter: conntrack: convert to refcount_t api 2022-01-09 23:30:13 +01:00
nf_conntrack_extend.c netfilter: extensions: introduce extension genid count 2022-05-13 18:52:16 +02:00
nf_conntrack_ftp.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_h323_asn1.c netfilter: Use fallthrough pseudo-keyword 2020-07-22 01:18:05 +02:00
nf_conntrack_h323_main.c netfilter: fix clang-12 fmt string warnings 2021-06-01 23:53:51 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: remove __nf_ct_unconfirmed_destroy 2022-05-13 18:52:17 +02:00
nf_conntrack_irc.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_labels.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_conntrack_netbios_ns.c netfilter: nf_conntrack_netbios_ns: fix helper module alias 2022-01-11 10:41:44 +01:00
nf_conntrack_netlink.c netfilter: ctnetlink: fix up for "netfilter: conntrack: remove unconfirmed list" 2022-05-18 09:21:59 +02:00
nf_conntrack_pptp.c netfilter: conntrack: pptp: use single option structure 2022-02-04 06:30:28 +01:00
nf_conntrack_proto_dccp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c netfilter: conntrack: nf_ct_gre_keymap_flush() removal 2021-07-02 02:07:01 +02:00
nf_conntrack_proto_icmp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_icmpv6.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: don't refresh sctp entries in closed state 2022-02-04 05:38:15 +01:00
nf_conntrack_proto_tcp.c netfilter: conntrack: remove pr_debug callsites from tcp tracker 2022-05-16 13:09:51 +02:00
nf_conntrack_proto_udp.c Revert "netfilter: conntrack: mark UDP zero checksum as CHECKSUM_UNNECESSARY" 2022-03-03 13:35:22 +01:00
nf_conntrack_proto.c netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*() 2022-05-13 18:56:27 +02:00
nf_conntrack_sane.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_seqadj.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_conntrack_sip.c
nf_conntrack_snmp.c
nf_conntrack_standalone.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next 2022-05-16 10:10:37 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*() 2022-05-13 18:56:27 +02:00
nf_conntrack_timestamp.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_dup_netdev.c net: Add skb_clear_tstamp() to keep the mono delivery_time 2022-03-03 14:38:48 +00:00
nf_flow_table_core.c netfilter: flowtable: move dst_check to packet path 2022-05-18 17:34:26 +02:00
nf_flow_table_inet.c netfilter: flowtable: Fix QinQ and pppoe support for inet table 2022-03-16 11:25:04 +01:00
nf_flow_table_ip.c netfilter: flowtable: move dst_check to packet path 2022-05-18 17:34:26 +02:00
nf_flow_table_offload.c netfilter: flowtable: remove redundant field in flow_offload_work struct 2022-03-20 00:29:47 +01:00
nf_hooks_lwtunnel.c netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
nf_internals.h netfilter: ctnetlink: add kernel side filtering for dump 2020-05-27 22:20:34 +02:00
nf_log_syslog.c netfilter: nf_log_syslog: Consolidate entry checks 2022-04-08 14:36:06 +02:00
nf_log.c netfilter: nft_log: perform module load from nf_tables 2021-03-31 22:34:11 +02:00
nf_nat_amanda.c
nf_nat_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-17 13:56:58 -07:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*() 2022-05-13 18:56:27 +02:00
nf_nat_proto.c netfilter: nat: move nf_xfrm_me_harder to where it is used 2021-04-26 03:20:07 +02:00
nf_nat_redirect.c
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: nf_queue: handle socket prefetch 2022-03-01 11:51:15 +01:00
nf_sockopt.c netfilter: switch nf_setsockopt to sockptr_t 2020-07-24 15:41:54 -07:00
nf_synproxy_core.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_tables_api.c netfilter: nf_tables: disallow non-stateful expression in sets earlier 2022-05-26 22:50:33 +02:00
nf_tables_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-23 10:53:49 -07:00
nf_tables_offload.c netfilter: nf_tables_offload: incorrect flow offload action array size 2022-02-20 01:22:20 +01:00
nf_tables_trace.c netfilter: nf_tables: add rule blob layout 2022-01-09 23:35:17 +01:00
nfnetlink_acct.c netfilter: use nfnetlink_unicast() 2021-05-29 01:04:53 +02:00
nfnetlink_cthelper.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2021-06-07 13:01:52 -07:00
nfnetlink_cttimeout.c netfilter: conntrack: remove __nf_ct_unconfirmed_destroy 2022-05-13 18:52:17 +02:00
nfnetlink_hook.c net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
nfnetlink_log.c net: Get rcv tstamp if needed in nfnetlink_{log, queue}.c 2022-03-03 14:38:48 +00:00
nfnetlink_osf.c netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check 2021-05-05 22:26:09 +02:00
nfnetlink_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-03-03 11:55:12 -08:00
nfnetlink.c netfilter: nfnetlink: allow to detect if ctnetlink listeners exist 2022-05-13 18:56:28 +02:00
nft_bitwise.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next 2022-04-11 11:47:58 +01:00
nft_byteorder.c netfilter: nf_tables: cancel tracking for clobbered destination registers 2022-03-20 00:29:46 +01:00
nft_chain_filter.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-10-22 11:41:16 +01:00
nft_chain_nat.c netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-29 01:04:54 +02:00
nft_chain_route.c netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-29 01:04:54 +02:00
nft_cmp.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_compat.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_connlimit.c netfilter: nf_tables: memcg accounting for dynamically allocated objects 2022-04-05 11:55:46 +02:00
nft_counter.c netfilter: nf_tables: memcg accounting for dynamically allocated objects 2022-04-05 11:55:46 +02:00
nft_ct.c netfilter: nft_ct: track register operations 2022-03-20 00:29:46 +01:00
nft_dup_netdev.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_dynset.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_exthdr.c netfilter: nft_exthdr: add reduce support 2022-03-20 00:29:47 +01:00
nft_fib_inet.c netfilter: nft_fib: add reduce support 2022-03-20 00:29:47 +01:00
nft_fib_netdev.c netfilter: nft_fib: add reduce support 2022-03-20 00:29:47 +01:00
nft_fib.c netfilter: nft_fib: reverse path filter for policy-based routing on iif 2022-04-11 12:10:09 +02:00
nft_flow_offload.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2022-05-19 11:23:59 -07:00
nft_fwd_netdev.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_hash.c netfilter: nft_hash: track register operations 2022-03-20 00:29:47 +01:00
nft_immediate.c netfilter: nft_immediate: cancel register tracking for data destination register 2022-03-20 00:29:47 +01:00
nft_last.c netfilter: nf_tables: memcg accounting for dynamically allocated objects 2022-04-05 11:55:46 +02:00
nft_limit.c netfilter: nf_tables: memcg accounting for dynamically allocated objects 2022-04-05 11:55:46 +02:00
nft_log.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_lookup.c netfilter: nft_lookup: only cancel tracking for clobbered dregs 2022-03-20 00:29:46 +01:00
nft_masq.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_meta.c netfilter: nft_meta: extend reduce support to bridge family 2022-03-20 00:29:46 +01:00
nft_nat.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_numgen.c netfilter: nft_numgen: cancel register tracking 2022-03-20 00:29:47 +01:00
nft_objref.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_osf.c netfilter: nft_osf: track register operations 2022-03-20 00:29:47 +01:00
nft_payload.c netfilter: nf_tables: cancel tracking for clobbered destination registers 2022-03-20 00:29:46 +01:00
nft_queue.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_quota.c netfilter: nf_tables: memcg accounting for dynamically allocated objects 2022-04-05 11:55:46 +02:00
nft_range.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_redir.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_reject_inet.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_reject_netdev.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_reject.c netfilter: nft_reject: unify reject init and dump into nft_reject 2020-10-31 10:40:42 +01:00
nft_rt.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_set_bitmap.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_hash.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: remove redundant pointer lt 2021-12-24 16:58:17 +01:00
nft_set_pipapo_avx2.h netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_pipapo.c netfilter: nft_set_pipapo: allocate pcpu scratch maps on clone 2022-01-06 10:43:24 +01:00
nft_set_pipapo.h netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_rbtree.c netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion 2022-04-22 15:49:15 +02:00
nft_socket.c netfilter: nft_socket: only do sk lookups when indev is available 2022-04-28 16:15:23 +02:00
nft_synproxy.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_tproxy.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_tunnel.c netfilter: nft_tunnel: track register operations 2022-03-20 00:29:47 +01:00
nft_xfrm.c netfilter: nft_xfrm: track register operations 2022-03-20 00:29:47 +01:00
utils.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
x_tables.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
xt_addrtype.c
xt_AUDIT.c netfilter: fix clang-12 fmt string warnings 2021-06-01 23:53:51 +02:00
xt_bpf.c bpf: Refactor BPF_PROG_RUN into a function 2021-08-17 00:45:07 +02:00
xt_cgroup.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c
xt_connmark.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_CONNSECMARK.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: conntrack: convert to refcount_t api 2022-01-09 23:30:13 +01:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c netfilter: xt_HMARK: Use ip_is_fragment() helper 2020-08-28 19:55:51 +02:00
xt_IDLETIMER.c netfilter: xt_IDLETIMER: replace snprintf in show functions with sysfs_emit 2021-11-08 12:14:05 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c
xt_length.c
xt_limit.c netfilter: x_tables: improve limit_mt scalability 2021-05-29 01:04:52 +02:00
xt_LOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_mac.c
xt_mark.c
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
xt_NETMAP.c
xt_nfacct.c netfilter: Remove unnecessary conversion to bool 2020-12-01 09:45:29 +01:00
xt_NFLOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_NFQUEUE.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c net: sched: Merge Qdisc::bstats and Qdisc::cpu_bstats data types 2021-10-18 12:54:41 +01:00
xt_realm.c
xt_recent.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
xt_REDIRECT.c
xt_repldata.h
xt_sctp.c
xt_SECMARK.c netfilter: xt_SECMARK: add new revision to fix structure layout 2021-05-03 23:02:44 +02:00
xt_set.c
xt_socket.c netfilter: xt_socket: missing ifdef CONFIG_IP6_NF_IPTABLES dependency 2022-02-13 23:55:48 +01:00
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c
xt_time.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_TPROXY.c netfilter: disable defrag once its no longer needed 2021-04-26 03:20:07 +02:00
xt_TRACE.c netfilter: nf_log: add module softdeps 2021-03-31 22:34:10 +02:00
xt_u32.c