From d2d2f40fbf1abe9483d94c33cddfd9fb35b1bfe7 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 16 Jul 2023 21:24:32 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
---
 ...e_error-to-deal-with-bound-set-chain.patch | 101 ++++++++++++++++++
 ...r-path-handling-with-nft_msg_newrule.patch | 73 +++++++++++++
 ...ymous-set-if-rule-construction-fails.patch | 33 ++++++
 queue-4.14/series | 3 +
 4 files changed, 210 insertions(+)
 create mode 100644 queue-4.14/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
 create mode 100644 queue-4.14/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
 create mode 100644 queue-4.14/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch

diff --git a/queue-4.14/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch b/queue-4.14/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
new file mode 100644
index 00000000000..891f50955ca
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
@@ -0,0 +1,101 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:57:02 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:56:22 +0200
+Subject: netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165623.50304-3-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 26b5a5712eb85e253724e56a54c17f8519bd8e4e ]
+
+Add a new state to deal with rule expressions deactivation from the
+newrule error path, otherwise the anonymous set remains in the list in
+inactive state for the next generation. Mark the set/chain transaction
+as unbound so the abort path releases this object, set it as inactive in
+the next generation so it is not reachable anymore from this transaction
+and reference counter is dropped.
+
+Fixes: 1240eb93f061 ("netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 1 +
+ net/netfilter/nf_tables_api.c | 26 ++++++++++++++++++++++----
+ 2 files changed, 23 insertions(+), 4 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -725,6 +725,7 @@ struct nft_expr_type {
+
+ enum nft_trans_phase {
+ NFT_TRANS_PREPARE,
++ NFT_TRANS_PREPARE_ERROR,
+ NFT_TRANS_ABORT,
+ NFT_TRANS_COMMIT,
+ NFT_TRANS_RELEASE
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -140,7 +140,8 @@ static void nft_trans_destroy(struct nft
+ kfree(trans);
+ }
+
+-static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++static void __nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set,
++ bool bind)
+ {
+ struct net *net = ctx->net;
+ struct nft_trans *trans;
+@@ -152,16 +153,26 @@ static void nft_set_trans_bind(const str
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (nft_trans_set(trans) == set)
+- nft_trans_set_bound(trans) = true;
++ nft_trans_set_bound(trans) = bind;
+ break;
+ case NFT_MSG_NEWSETELEM:
+ if (nft_trans_elem_set(trans) == set)
+- nft_trans_elem_set_bound(trans) = true;
++ nft_trans_elem_set_bound(trans) = bind;
+ break;
+ }
+ }
+ }
+
++static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, true);
++}
++
++static void nft_set_trans_unbind(const struct nft_ctx *ctx, struct nft_set *set)
++{
++ return __nft_set_trans_bind(ctx, set, false);
++}
++
+ static int nf_tables_register_hooks(struct net *net,
+ const struct nft_table *table,
+ struct nft_chain *chain,
+@@ -2465,7 +2476,7 @@ static int nf_tables_newrule(struct net
+ return 0;
+
+ err2:
+- nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE_ERROR);
+ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+ for (i = 0; i < n; i++) {
+@@ -3446,6 +3457,13 @@ void nf_tables_deactivate_set(const stru
+ enum nft_trans_phase phase)
+ {
+ switch (phase) {
++ case NFT_TRANS_PREPARE_ERROR:
++ nft_set_trans_unbind(ctx, set);
++ if (set->flags & NFT_SET_ANONYMOUS)
++ nft_deactivate_next(ctx->net, set);
++
++ set->use--;
++ break;
+ case NFT_TRANS_PREPARE:
+ if (set->flags & NFT_SET_ANONYMOUS)
+ nft_deactivate_next(ctx->net, set);
diff --git a/queue-4.14/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch b/queue-4.14/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
new file mode 100644
index 00000000000..88018aad6b8
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
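Review bot: The new wrappers `nft_set_trans_bind` and `nft_set_trans_unbind` are declared `void` yet use `return __nft_set_trans_bind(...)`; a return statement with an expression in a void function is a constraint violation in ISO C (GCC accepts it, -Wpedantic flags it), so the bodies should read `__nft_set_trans_bind(ctx, set, true);` and `__nft_set_trans_bind(ctx, set, false);` without the `return`. This form is carried over from the upstream commit, so keeping the backport byte-identical and fixing it upstream may be the better trade-off. Separately, the Subject and description speak of "bound set/chain" while the backport's own diffstat touches only the set-binding paths; if chain-binding hunks were dropped because 4.14 lacks that feature, a one-line backport note above the upstream hash (e.g. `[ backport note: chain-binding hunks omitted, 4.14 has no bound chains ]`) would spare stable reviewers the comparison. The `nf_tables_deactivate_set` function whose switch gains the `NFT_TRANS_PREPARE_ERROR` case starts and ends outside this hunk.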
@@ -0,0 +1,73 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:56:34 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:56:21 +0200
+Subject: netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165623.50304-2-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 1240eb93f0616b21c675416516ff3d74798fdc97 ]
+
+In case of error when adding a new rule that refers to an anonymous set,
+deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE.
+Thus, the lookup expression marks anonymous sets as inactive in the next
+generation to ensure it is not reachable in this transaction anymore and
+decrement the set refcount as introduced by c1592a89942e ("netfilter:
+nf_tables: deactivate anonymous set from preparation phase"). The abort
+step takes care of undoing the anonymous set.
+
+This is also consistent with rule deletion, where NFT_TRANS_PREPARE is
+used. Note that this error path is exercised in the preparation step of
+the commit protocol. This patch replaces nf_tables_rule_release() by the
+deactivate and destroy calls, this time with NFT_TRANS_PREPARE.
+
+Due to this incorrect error handling, it is possible to access a
+dangling pointer to the anonymous set that remains in the transaction
+list.
+
+[1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables]
+[1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110
+[1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256
+[1009.379128] Call Trace:
+[1009.379132]
+[1009.379135] dump_stack_lvl+0x33/0x50
+[1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
+[1009.379191] print_address_description.constprop.0+0x27/0x300
+[1009.379201] kasan_report+0x107/0x120
+[1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables]
+[1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables]
+[1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables]
+[1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables]
+[1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables]
+[1009.379441] ? kasan_unpoison+0x23/0x50
+[1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink]
+[1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]
+[1009.379485] ? __alloc_skb+0xb8/0x1e0
+[1009.379493] ? __alloc_skb+0xb8/0x1e0
+[1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0
+[1009.379509] ? unwind_get_return_address+0x2a/0x40
+[1009.379517] ? write_profile+0xc0/0xc0
+[1009.379524] ? avc_lookup+0x8f/0xc0
+[1009.379532] ? __rcu_read_unlock+0x43/0x60
+
+Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2465,7 +2465,8 @@ static int nf_tables_newrule(struct net
+ return 0;
+
+ err2:
+- nf_tables_rule_release(&ctx, rule);
++ nft_rule_expr_deactivate(&ctx, rule, NFT_TRANS_PREPARE);
++ nf_tables_rule_destroy(&ctx, rule);
+ err1:
+ for (i = 0; i < n; i++) {
+ if (info[i].ops != NULL)
diff --git a/queue-4.14/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch b/queue-4.14/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
new file mode 100644
index 00000000000..c2fc44b8283
--- /dev/null
+++ b/queue-4.14/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
@@ -0,0 +1,33 @@
+From stable-owner@vger.kernel.org Wed Jul 5 18:57:02 2023
+From: Pablo Neira Ayuso
+Date: Wed, 5 Jul 2023 18:56:23 +0200
+Subject: netfilter: nf_tables: unbind non-anonymous set if rule construction fails
+To: netfilter-devel@vger.kernel.org
+Cc: sashal@kernel.org, gregkh@linuxfoundation.org, stable@vger.kernel.org
+Message-ID: <20230705165623.50304-4-pablo@netfilter.org>
+
+From: Pablo Neira Ayuso
+
+[ 3e70489721b6c870252c9082c496703677240f53 ]
+
+Otherwise a dangling reference to a rule object that is gone remains
+in the set binding list.
+
+Fixes: 26b5a5712eb8 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3461,6 +3461,8 @@ void nf_tables_deactivate_set(const stru
+ nft_set_trans_unbind(ctx, set);
+ if (set->flags & NFT_SET_ANONYMOUS)
+ nft_deactivate_next(ctx->net, set);
++ else
++ list_del_rcu(&binding->list);
+
+ set->use--;
+ break;
diff --git a/queue-4.14/series b/queue-4.14/series
index a0d349dc576..e70d6124afb 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -84,3 +84,6 @@ arm-orion5x-fix-d2net-gpio-initialization.patch
 spi-spi-fsl-spi-remove-always-true-conditional-in-fsl_spi_do_one_msg.patch
 spi-spi-fsl-spi-relax-message-sanity-checking-a-little.patch
 spi-spi-fsl-spi-allow-changing-bits_per_word-while-cs-is-still-active.patch
+netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
+netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
+netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
-- 
2.47.3
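Review bot: The added `else list_del_rcu(&binding->list);` relies on `binding` being valid whenever a non-anonymous set reaches `NFT_TRANS_PREPARE_ERROR`, and nothing in the hunk says why the anonymous branch may skip the unlink while the named-set branch must not; a why-comment on the `else` would make the asymmetry legible, e.g. `/* anonymous set goes away with the aborted transaction; a named set survives, so unlink its binding to the rule being destroyed */`. `binding` itself is not visible in this hunk — presumably the `struct nft_set_binding *` parameter of `nf_tables_deactivate_set`, whose signature and remaining switch cases lie outside the hunk.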