netfilter: nf_tables: do not allow SET_ID to refer to another table

mainline inclusion from mainline-v6.0-rc1 commit 470ee20e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5MEZD CVE: CVE-2022-2586 -------------------------------- When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Reported-by: Team Orca of Sea Security (@seasecresponse) Fixes: 958bee14 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: N Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Cc: <stable@vger.kernel.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> conflict: net/netfilter/nf_tables_api.c Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>

netfilter: nf_tables: do not allow SET_ID to refer to another table
mainline inclusion from mainline-v6.0-rc1 commit 470ee20e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5MEZD CVE: CVE-2022-2586 -------------------------------- When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Reported-by: Team Orca of Sea Security (@seasecresponse) Fixes: 958bee14 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: N Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Cc: <stable@vger.kernel.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org> conflict: net/netfilter/nf_tables_api.c Signed-off-by: N Lu Wei <luwei32@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Reviewed-by: N Wang Weiyang <wangweiyang2@huawei.com> Signed-off-by: N Yongqiang Liu <liuyongqiang13@huawei.com>
a97e4220 · Thadeu Lima de Souza Cascardo · Yongqiang Liu · 6586edc6 · a97e4220
隐藏空白更改
内联并排

Showing with 3 addition and 1 deletion

net/netfilter/nf_tables_api.c net/netfilter/nf_tables_api.c +3 -1

未找到文件。
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3039,6 +3039,7 @@ static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table,
 }

 static struct nft_set *nft_set_lookup_byid(const struct net *net,
+					   const struct nft_table *table,
 					   const struct nlattr *nla, u8 genmask)
 {
 	struct nft_trans *trans;
@@ -3049,6 +3050,7 @@ static struct nft_set *nft_set_lookup_byid(const struct net *net,
 			struct nft_set *set = nft_trans_set(trans);

 			if (id == nft_trans_set_id(trans) &&
+			    set->table == table &&
 			    nft_active_genmask(set, genmask))
 				return set;
 		}
@@ -3069,7 +3071,7 @@ struct nft_set *nft_set_lookup_global(const struct net *net,
 		if (!nla_set_id)
 			return set;

-		set = nft_set_lookup_byid(net, nla_set_id, genmask);
+		set = nft_set_lookup_byid(net, table, nla_set_id, genmask);
 	}
 	return set;
 }