netfilter: nf_tables: do not allow SET_ID to refer to another table
stable inclusion from stable-v5.10.137 commit 1a4b18b1ff11ba26f9a852019d674fde9d1d1cff category: bugfix bugzilla: 187457, https://gitee.com/src-openeuler/kernel/issues/I5MEZD CVE: CVE-2022-2586 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=1a4b18b1ff11ba26f9a852019d674fde9d1d1cff -------------------------------- commit 470ee20e upstream. When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Reported-by: Team Orca of Sea Security (@seasecresponse) Fixes: 958bee14 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: NThadeu Lima de Souza Cascardo <cascardo@canonical.com> Cc: <stable@vger.kernel.org> Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: NLu Wei <luwei32@huawei.com> Reviewed-by: NWei Yongjun <weiyongjun1@huawei.com> Reviewed-by: NYue Haibing <yuehaibing@huawei.com> Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
Showing
想要评论请 注册 或 登录