From: Thadeu Lima de Souza Cascardo Date: Tue, 26 Jul 2022 17:30:27 +0000 (-0300) Subject: [PATCH 1/3] netfilter: nf_tables: do not allow SET_ID to refer to another table X-Git-Tag: archive/raspbian/5.18.16-1+rpi1^2~24 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=6088a3cf6d94b7a513ed4d531173708a3d8bba7a;p=linux.git [PATCH 1/3] netfilter: nf_tables: do not allow SET_ID to refer to another table When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fixes CVE-2022-2586, also reported as ZDI-CAN-17470. Reported-by: Team Orca of Sea Security (@seasecresponse) Fixes: 958bee14d071 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: Thadeu Lima de Souza Cascardo Gbp-Pq: Topic bugfix/all Gbp-Pq: Name netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch --- diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index de3dc35ce60..fce9a3069f0 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -3840,6 +3840,7 @@ static struct nft_set *nft_set_lookup_byhandle(const struct nft_table *table, } static struct nft_set *nft_set_lookup_byid(const struct net *net, + const struct nft_table *table, const struct nlattr *nla, u8 genmask) { struct nftables_pernet *nft_net = nft_pernet(net); @@ -3851,6 +3852,7 @@ static struct nft_set *nft_set_lookup_byid(const struct net *net, struct nft_set *set = nft_trans_set(trans); if (id == nft_trans_set_id(trans) && + set->table == table && nft_active_genmask(set, genmask)) return set; } 
@@ -3871,7 +3873,7 @@ struct nft_set *nft_set_lookup_global(const struct net *net, if (!nla_set_id) return set; - set = nft_set_lookup_byid(net, nla_set_id, genmask); + set = nft_set_lookup_byid(net, table, nla_set_id, genmask); } return set; }
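Review bot: on hunk @@ -3840 (signature of nft_set_lookup_byid()), the new `const struct nft_table *table` parameter has no kerneldoc or inline comment saying what it must be; a one-line note that it is the table the caller already resolved by name, and that only sets owned by it will be returned, would make the contract explicit for backporters. Because the function is static, any call site not updated by this series fails at compile time rather than silently keeping the old, table-agnostic behaviour, which is the right failure mode for a fix of this kind.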
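Review bot: in hunk @@ -3851, the added `set->table == table &&` is the entire fix and deserves a comment explaining why the transaction ID match on its own is insufficient: the loop walks the per-net commit list, so a NEWSET transaction from any table in the namespace can carry the requested ID, and handing back a set from another table is what lets a reference outlive that table's removal (the use-after-free described in the commit message). Pointer comparison is appropriate here since the table object is unique for the duration of the batch, but stating that assumption next to the check avoids a future reviewer replacing it with a name comparison. The check is placed before nft_active_genmask(), which is fine; ordering it after the ID compare keeps the common path cheap.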
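Review bot: in hunk @@ -3871, the call site now threads `table` through to nft_set_lookup_byid(), matching the table used for the preceding by-name lookup. What the hunk does not show is whether `table` can be NULL on this path; if it can, `set->table == table` never matches and the lookup fails closed, which is the safe outcome, but a short comment on that precondition would help anyone auditing backports. This change would also benefit from a netfilter selftest that sends a batch creating a set in one table and referring to its SET_ID from a second table, asserting that the batch is rejected, so the regression cannot be reintroduced unnoticed.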