Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
40a4a01...
by
Pablo Neira Ayuso <email address hidden>
netfilter: nf_tables: disallow non-stateful expression in sets earlier
CVE-2022-1966
Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
instantiation"), it is possible to attach stateful expressions to set
elements.
cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase") introduces conditional destruction on the object to
accommodate transaction semantics.
nft_expr_init() calls expr->ops->init() first, then checks for
NFT_STATEFUL_EXPR; this still allows initializing a non-stateful
lookup expression which points to a set, which might lead to a UAF since
the set is not properly detached from set->binding for this case.
Anyway, this combination is nonsense from the nf_tables perspective.
This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
expr->ops->init() is called.
The reporter provides a KASAN splat and a poc reproducer (similar to
those autogenerated by syzbot to report use-after-free errors). It is
unknown to me if they are using syzbot or if they use a similar automated
tool to locate the bug that they are reporting.
For the record, this is the KASAN splat.
[ 85.431824] ==================================================================
[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[ 85.434756]
[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(backported from commit 520778042ccca019f3ffa136dd0ca565c486cedd net.git)
[cascardo: struct nft_expr_info info was renamed to expr_info]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Andrea Righi <email address hidden>
Acked-by: Stefan Bader <email address hidden>
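As an added illustration of the ordering problem the commit message above describes (this is not kernel code and not part of the original changelog), the following simplified C model shows why calling an expression's init() before checking the stateful flag leaves a dangling pointer in the set's binding list, and why doing the check first avoids it. All names here (EXPR_STATEFUL, lookup_init, expr_destroy, set_has_dangling_binding, the fixed-size bindings array) are hypothetical stand-ins for the nf_tables internals and are not the real kernel API.

```c
/* Added example: a toy model of "init before stateful check" vs.
 * "stateful check before init". Names are hypothetical, not nf_tables. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define EXPR_STATEFUL 0x1u   /* hypothetical stand-in for NFT_STATEFUL_EXPR */
#define MAX_BINDINGS 4

struct expr;

struct set {
    struct expr *bindings[MAX_BINDINGS]; /* expressions bound to this set */
    int nbindings;
};

struct expr {
    unsigned flags;
    struct set *set;    /* set this (lookup) expression points to */
    bool freed;         /* models "this memory has been released" */
};

/* Model of a lookup expression's init(): binds the expr to the set. */
static int lookup_init(struct expr *e, struct set *s)
{
    if (s->nbindings >= MAX_BINDINGS)
        return -1;
    e->set = s;
    s->bindings[s->nbindings++] = e;
    return 0;
}

/* Model of destroying the expression. As the message states for this
 * case, the set is NOT detached from its binding here. */
static void expr_destroy(struct expr *e)
{
    e->freed = true;
}

/* A later walk of the set's bindings: touching a freed expr is the UAF. */
static bool set_has_dangling_binding(const struct set *s)
{
    for (int i = 0; i < s->nbindings; i++)
        if (s->bindings[i]->freed)
            return true;
    return false;
}

/* Buggy ordering: init() first, stateful check afterwards. */
static int expr_init_buggy(struct expr *e, struct set *s)
{
    if (lookup_init(e, s) < 0)
        return -1;
    if (!(e->flags & EXPR_STATEFUL)) {
        expr_destroy(e);    /* e is freed but still in s->bindings */
        return -1;
    }
    return 0;
}

/* Fixed ordering: reject non-stateful expressions before init() runs,
 * so nothing has been bound when the error path is taken. */
static int expr_init_fixed(struct expr *e, struct set *s)
{
    if (!(e->flags & EXPR_STATEFUL))
        return -1;
    return lookup_init(e, s);
}

/* Run one ordering with a non-stateful lookup expression; returns true
 * if the set is left holding a pointer to freed memory. */
static bool scenario(int (*init)(struct expr *, struct set *))
{
    struct set s;
    struct expr e;
    memset(&s, 0, sizeof s);
    memset(&e, 0, sizeof e);
    e.flags = 0;            /* non-stateful, e.g. a plain lookup */
    (void)init(&e, &s);
    return set_has_dangling_binding(&s);
}

int main(void)
{
    printf("buggy ordering leaves dangling binding: %s\n",
           scenario(expr_init_buggy) ? "yes" : "no");
    printf("fixed ordering leaves dangling binding: %s\n",
           scenario(expr_init_fixed) ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one the patch relies on: any validation that can reject an expression must run before a step that registers the expression somewhere else, otherwise the error path has to undo that registration (and here it does not).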
95f32a7...
by
Pablo Neira Ayuso <email address hidden>
Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
8d210c6...
by
Stephen Brennan <email address hidden>
UBUNTU: SAUCE: debug: Lock down kgdb
KGDB and KDB allow read and write access to kernel memory, and thus
should not be allowed during lockdown. An attacker with access to a
serial port (for example, via a hypervisor console, which some cloud
vendors provide over the network) could trigger the debugger and use it
to bypass lockdown. Ensure KDB and KGDB cannot be used during lockdown.
This fixes CVE-2022-21499.
Signed-off-by: Stephen Brennan <email address hidden>
CVE-2022-21499
[cascardo: conflict fixup on include/security.h,
descriptions have been moved from security/lockdown/lockdown.c to
security/security.c]
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Add PCIE_LNKCAP2_SLS2SPEED macro for transforming raw Link Capabilities 2
values to the pci_bus_speed. This is next to PCIE_SPEED2MBS_ENC() to make
it easier to update both places when adding support for new speeds.
(cherry picked from commit 757bfaa2c3515803dde9a6728bbf8c8a3c5f098a)
Signed-off-by: Ian May <email address hidden>
Acked-by: Tim Gardner <email address hidden>
Acked-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Stefan Bader <email address hidden>