Pablo Neira Ayuso 44ebe988cb netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE ... [ Upstream commit 1240eb93f0 ] In case of error when adding a new rule that refers to an anonymous set, deactivate expressions via NFT_TRANS_PREPARE state, not NFT_TRANS_RELEASE. Thus, the lookup expression marks anonymous sets as inactive in the next generation to ensure it is not reachable in this transaction anymore and decrement the set refcount as introduced by c1592a8994 ("netfilter: nf_tables: deactivate anonymous set from preparation phase"). The abort step takes care of undoing the anonymous set. This is also consistent with rule deletion, where NFT_TRANS_PREPARE is used. Note that this error path is exercised in the preparation step of the commit protocol. This patch replaces nf_tables_rule_release() by the deactivate and destroy calls, this time with NFT_TRANS_PREPARE. Due to this incorrect error handling, it is possible to access a dangling pointer to the anonymous set that remains in the transaction list. [1009.379054] BUG: KASAN: use-after-free in nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379106] Read of size 8 at addr ffff88816c4c8020 by task nft-rule-add/137110 [1009.379116] CPU: 7 PID: 137110 Comm: nft-rule-add Not tainted 6.4.0-rc4+ #256 [1009.379128] Call Trace: [1009.379132] <TASK> [1009.379135] dump_stack_lvl+0x33/0x50 [1009.379146] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379191] print_address_description.constprop.0+0x27/0x300 [1009.379201] kasan_report+0x107/0x120 [1009.379210] ? nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379255] nft_set_lookup_global+0x147/0x1a0 [nf_tables] [1009.379302] nft_lookup_init+0xa5/0x270 [nf_tables] [1009.379350] nf_tables_newrule+0x698/0xe50 [nf_tables] [1009.379397] ? nf_tables_rule_release+0xe0/0xe0 [nf_tables] [1009.379441] ? kasan_unpoison+0x23/0x50 [1009.379450] nfnetlink_rcv_batch+0x97c/0xd90 [nfnetlink] [1009.379470] ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink] [1009.379485] ? __alloc_skb+0xb8/0x1e0 [1009.379493] ? __alloc_skb+0xb8/0x1e0 [1009.379502] ? entry_SYSCALL_64_after_hwframe+0x46/0xb0 [1009.379509] ? unwind_get_return_address+0x2a/0x40 [1009.379517] ? write_profile+0xc0/0xc0 [1009.379524] ? avc_lookup+0x8f/0xc0 [1009.379532] ? __rcu_read_unlock+0x43/0x60 Fixes: 958bee14d0 ("netfilter: nf_tables: use new transaction infrastructure to handle sets") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2023-06-21 15:59:16 +02:00
..
6lowpan
9p	9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition	2023-04-20 12:13:53 +02:00
802	mrp: introduce active flags to prevent UAF when applicant uninit	2022-12-31 13:14:42 +01:00
8021q	vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()	2023-05-24 17:36:52 +01:00
appletalk
atm	atm: hide unused procfs functions	2023-06-09 10:32:26 +02:00
ax25	net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg	2022-06-22 14:22:01 +02:00
batman-adv	batman-adv: Broken sync while rescheduling delayed work	2023-06-14 11:13:04 +02:00
bluetooth	Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk	2023-06-14 11:13:06 +02:00
bpf	bpf: Move skb->len == 0 checks into __bpf_redirect	2022-12-31 13:14:11 +01:00
bpfilter
bridge	bridge: always declare tunnel functions	2023-05-24 17:36:52 +01:00
caif	net: caif: Fix use-after-free in cfusbl_device_notify()	2023-03-17 08:48:54 +01:00
can	can: j1939: avoid possible use-after-free when j1939_can_rx_register fails	2023-06-14 11:13:06 +02:00
ceph	libceph: fix potential use-after-free on linger ping and resends	2022-05-25 09:57:28 +02:00
core	Remove DECnet support from kernel	2023-06-21 15:59:15 +02:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-08 19:12:52 +01:00
dccp	dccp: Call inet6_destroy_sock() via sk->sk_destruct().	2023-04-26 13:51:54 +02:00
dns_resolver
dsa	net: dsa: tag_brcm: legacy: fix daisy-chained switches	2023-03-30 12:47:48 +02:00
ethernet
ethtool	ethtool: Fix uninitialized number of lanes	2023-05-17 11:50:18 +02:00
hsr	hsr: ratelimit only when errors are printed	2023-04-05 11:25:02 +02:00
ieee802154	net: ieee802154: fix error return code in dgram_bind()	2022-11-03 23:59:14 +09:00
ife
ipv4	tcp: Return user_mss for TCP_MAXSEG in CLOSE/LISTEN state if user_mss set	2023-06-09 10:32:17 +02:00
ipv6	ipv6: rpl: Fix Route of Death.	2023-06-14 11:13:02 +02:00
iucv	net/iucv: Fix size of interrupt data	2023-03-22 13:31:28 +01:00
kcm	kcm: close race conditions on sk_receive_queue	2022-11-26 09:24:50 +01:00
key	af_key: Reject optional tunnel/BEET mode templates in outbound policies	2023-05-24 17:36:49 +01:00
l2tp	inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().	2023-04-26 13:51:54 +02:00
l3mdev	l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu	2022-04-27 14:38:53 +02:00
lapb
llc	net: deal with most data-races in sk_wait_event()	2023-05-24 17:36:42 +01:00
mac80211	wifi: mac80211: simplify chanctx allocation	2023-06-09 10:32:25 +02:00
mac802154	mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()	2022-12-14 11:37:25 +01:00
mctp	net: mctp: purge receive queues on sk destruction	2023-02-06 07:59:02 +01:00
mpls	net: mpls: fix stale pointer if allocation fails during device rename	2023-02-22 12:57:09 +01:00
mptcp	inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().	2023-04-26 13:51:54 +02:00
ncsi	net/ncsi: clear Tx enable mode when handling a Config required AEN	2023-05-17 11:50:16 +02:00
netfilter	netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE	2023-06-21 15:59:16 +02:00
netlabel	netlabel: fix out-of-bounds memory accesses	2022-04-13 20:59:10 +02:00
netlink	net/netlink: fix NETLINK_LIST_MEMBERSHIPS length report	2023-06-09 10:32:18 +02:00
netrom	netrom: fix info-leak in nr_write_internal()	2023-06-09 10:32:16 +02:00
nfc	nfc: change order inside nfc_se_io error path	2023-03-17 08:48:49 +01:00
nsh	net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()	2023-05-24 17:36:51 +01:00
openvswitch	net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()	2023-02-22 12:57:09 +01:00
packet	af_packet: do not use READ_ONCE() in packet_bind()	2023-06-09 10:32:17 +02:00
phonet	phonet: refcount leak in pep_sock_accep	2022-01-11 15:35:16 +01:00
psample
qrtr	net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()	2023-04-20 12:13:53 +02:00
rds	rds: rds_rm_zerocopy_callback() correct order for list_add_tail()	2023-03-10 09:39:16 +01:00
rfkill	rfkill: make new event layout opt-in	2022-04-08 14:23:00 +02:00
rose	net/rose: Fix to not accept on connected socket	2023-02-22 12:57:02 +01:00
rxrpc	rxrpc: Fix hard call timeout units	2023-05-17 11:50:17 +02:00
sched	net: sched: fix possible refcount leak in tc_chain_tmplt_add()	2023-06-14 11:13:03 +02:00
sctp	sctp: fix an issue that plpmtu can never go to complete state	2023-05-30 13:55:33 +01:00
smc	net/smc: Avoid to access invalid RMBs' MRs in SMCRv1 ADD LINK CONT	2023-06-14 11:13:01 +02:00
strparser	bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding	2021-11-18 19:17:11 +01:00
sunrpc	SUNRPC: Fix trace_svc_register() call site	2023-05-24 17:36:51 +01:00
switchdev
tipc	tipc: check the bearer min mtu properly when setting it by netlink	2023-05-24 17:36:51 +01:00
tls	net: deal with most data-races in sk_wait_event()	2023-05-24 17:36:42 +01:00
unix	af_unix: Fix data races around sk->sk_shutdown.	2023-05-24 17:36:42 +01:00
vmw_vsock	vsock: avoid to close connected socket after the timeout	2023-05-24 17:36:49 +01:00
wireless	wifi: cfg80211: fix double lock bug in reg_wdev_chan_valid()	2023-06-21 15:59:14 +02:00
x25	net/x25: Fix to not accept on connected socket	2023-02-09 11:26:40 +01:00
xdp	xsk: Fix unaligned descriptor validation	2023-05-11 23:00:27 +09:00
xfrm	xfrm: Check if_id in inbound policy/secpath match	2023-06-09 10:32:22 +02:00
compat.c
devres.c
Kconfig	Remove DECnet support from kernel	2023-06-21 15:59:15 +02:00
Makefile	Remove DECnet support from kernel	2023-06-21 15:59:15 +02:00
socket.c	net: annotate sk->sk_err write from do_recvmmsg()	2023-05-24 17:36:42 +01:00
sysctl_net.c