~ubuntu-kernel/ubuntu/+source/linux/+git/impish:master

Last commit made on 2022-06-01
Get this branch:
git clone -b master https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/impish
Members of Ubuntu Kernel Repositories can upload to this branch.

Recent commits

1c73085... by Thadeu Lima de Souza Cascardo

UBUNTU: Ubuntu-5.13.0-48.54

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

904bc75... by Thadeu Lima de Souza Cascardo

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

296453f... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: sanitize nft_set_desc_concat_parse()

CVE-2022-1972

Add several sanity checks for nft_set_desc_concat_parse():

- validate that desc->field_count is not larger than the desc->field_len array.
- a field length cannot be larger than what desc->field_len holds (i.e. U8_MAX).
- the total length of the concatenation cannot be larger than the register array.

Joint work with Florian Westphal.

Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields")
Reported-by: <email address hidden>
Reviewed-by: Stefano Brivio <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit fecf31ee395b0295f2d7260aa29946b7605f7c85 net.git)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Andrea Righi <email address hidden>
Acked-by: Stefan Bader <email address hidden>
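The three sanity checks listed in the commit message, modelled as a stand-alone user-space parser. This is an added illustration, not the kernel's nft_set_desc_concat_parse() and not code from this branch: the register count (16 registers of 4 bytes), the size of the field_len[] array, and the helper names are assumptions, and the input is a constructed list of field lengths rather than a netlink attribute list. Each field is padded to whole 32-bit registers before the total is compared against the register array.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed for this illustration: 16 registers of 4 bytes each, and a
 * field_len[] array with one u8 slot per register. */
#define REG32_COUNT     16
#define REG32_SIZE      4
#define FIELD_LEN_SLOTS REG32_COUNT

struct set_desc {
    uint8_t field_len[FIELD_LEN_SLOTS];
    uint8_t field_count;
};

/* Hypothetical analogue of the per-field parser: store one field length.
 * Returns 0 or a negative errno, following the kernel convention. */
static int concat_parse_field(uint32_t len, struct set_desc *desc)
{
    /* Check 1: the slot we are about to write must exist. Without this,
     * field_count++ would eventually index past field_len[]. */
    if (desc->field_count >= FIELD_LEN_SLOTS)
        return -E2BIG;

    /* Check 2: field_len[] holds a u8, so a length above U8_MAX would be
     * truncated silently; a zero-length field is meaningless. */
    if (len == 0 || len > UINT8_MAX)
        return -EINVAL;

    desc->field_len[desc->field_count++] = (uint8_t)len;
    return 0;
}

/* Parse a whole concatenation from a constructed list of field lengths and
 * apply check 3: every field is padded to whole 32-bit registers, and the
 * padded total must fit in the register array. */
static int concat_parse(const uint32_t *lens, size_t n, struct set_desc *desc)
{
    uint32_t num_regs = 0;

    desc->field_count = 0;
    for (size_t i = 0; i < n; i++) {
        int err = concat_parse_field(lens[i], desc);
        if (err < 0)
            return err;
    }
    for (uint8_t i = 0; i < desc->field_count; i++)
        num_regs += (desc->field_len[i] + REG32_SIZE - 1) / REG32_SIZE;

    if (num_regs > REG32_COUNT)
        return -E2BIG;
    return 0;
}

/* Helper: parse n fields that all have the same length. */
static int parse_uniform(uint32_t len, size_t n)
{
    uint32_t lens[32];
    struct set_desc desc;

    if (n > sizeof(lens) / sizeof(lens[0]))
        return -EOVERFLOW;
    for (size_t i = 0; i < n; i++)
        lens[i] = len;
    return concat_parse(lens, n, &desc);
}

/* Constructed cases: one valid descriptor and one input per check. */
int example_valid(void)             { return parse_uniform(16, 4);  } /* 4 x 4 regs = 16 */
int example_too_many_fields(void)   { return parse_uniform(1, 17);  } /* 17th slot missing */
int example_oversized_field(void)   { return parse_uniform(256, 1); } /* > U8_MAX */
int example_register_overflow(void) { return parse_uniform(8, 16);  } /* 16 x 2 regs = 32 */

int main(void)
{
    printf("valid: %d\n", example_valid());
    printf("too many fields: %d (expect %d)\n", example_too_many_fields(), -E2BIG);
    printf("oversized field: %d (expect %d)\n", example_oversized_field(), -EINVAL);
    printf("register overflow: %d (expect %d)\n", example_register_overflow(), -E2BIG);
    return 0;
}
```

The order of the first two checks matters: the slot check runs before the length is stored, so an over-long field list is rejected on the 17th entry without ever writing past the array, and the register-count check only runs once every per-field length has already been bounded to a u8.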

516ec4d... by Pablo Neira Ayuso <email address hidden>

netfilter: nf_tables: disallow non-stateful expression in sets earlier

CVE-2022-1966

Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
instantiation"), it is possible to attach stateful expressions to set
elements.

cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
and destroy phase") introduces conditional destruction on the object to
accommodate transaction semantics.

nft_expr_init() calls expr->ops->init() first, then checks for
NFT_STATEFUL_EXPR; this still allows initializing a non-stateful
lookup expression which points to a set, which might lead to a UAF since
the set is not properly detached from set->binding in this case.
Anyway, this combination is nonsense from the nf_tables perspective.

This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
expr->ops->init() is called.

The reporter provides a KASAN splat and a PoC reproducer (similar to
those autogenerated by syzbot to report use-after-free errors). It is
unknown to me whether they are using syzbot or a similar automated
tool to locate the bug that they are reporting.

For the record, this is the KASAN splat.

[ 85.431824] ==================================================================
[ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
[ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
[ 85.434756]
[ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
[ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
Reported-and-tested-by: Aaron Adams <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
(cherry picked from commit 520778042ccca019f3ffa136dd0ca565c486cedd net.git)
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Andrea Righi <email address hidden>
Acked-by: Stefan Bader <email address hidden>
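The ordering problem the commit describes, reduced to a small user-space model: an init routine whose side effect is binding the expression to a set, a flag check that runs either after or before that side effect, and a count of bindings the set still believes it has. This is an added illustration, not nf_tables code from this branch; the struct names, the EXPR_STATEFUL flag, and the binding counter are assumptions standing in for expr->ops->init(), NFT_STATEFUL_EXPR and set->binding.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define EXPR_STATEFUL 0x1u   /* stand-in for NFT_STATEFUL_EXPR */

/* A set tracks how many expressions are bound to it; while that count is
 * non-zero it must not be torn down. */
struct set { int bindings; };

/* A lookup-style expression whose init() binds it to a set. */
struct expr {
    unsigned flags;
    struct set *bound;
};

/* Stand-in for expr->ops->init(): the side effect is the binding. */
static int lookup_ops_init(struct expr *e, struct set *s)
{
    s->bindings++;
    e->bound = s;
    return 0;
}

/* Ordering bug as the commit text describes it: ops->init() runs first,
 * the stateful check fails afterwards, and the expression is freed without
 * the binding being undone. The set still counts a binding that points at
 * freed memory. */
static int expr_init_buggy(struct set *s, unsigned flags, struct expr **out)
{
    struct expr *e = calloc(1, sizeof(*e));
    if (!e)
        return -ENOMEM;
    e->flags = flags;
    lookup_ops_init(e, s);                 /* side effect happens first */
    if (!(e->flags & EXPR_STATEFUL)) {
        free(e);                           /* binding is never released */
        return -EINVAL;
    }
    *out = e;
    return 0;
}

/* Fixed ordering: reject a non-stateful expression before any side effect. */
static int expr_init_fixed(struct set *s, unsigned flags, struct expr **out)
{
    struct expr *e;
    if (!(flags & EXPR_STATEFUL))
        return -EINVAL;                    /* nothing bound, nothing to undo */
    e = calloc(1, sizeof(*e));
    if (!e)
        return -ENOMEM;
    e->flags = flags;
    lookup_ops_init(e, s);
    *out = e;
    return 0;
}

/* Constructed scenario: try to attach a non-stateful lookup expression to a
 * set and report how many bindings the set counts afterwards. A non-zero
 * answer is a dangling binding with no live expression behind it. */
int stale_bindings_after_buggy(void)
{
    struct set s = { 0 };
    struct expr *e = NULL;
    (void)expr_init_buggy(&s, 0, &e);
    return s.bindings;
}

int stale_bindings_after_fixed(void)
{
    struct set s = { 0 };
    struct expr *e = NULL;
    (void)expr_init_fixed(&s, 0, &e);
    return s.bindings;
}

int fixed_rejects_non_stateful(void)
{
    struct set s = { 0 };
    struct expr *e = NULL;
    return expr_init_fixed(&s, 0, &e);
}

int main(void)
{
    printf("buggy ordering leaves %d dangling binding(s)\n", stale_bindings_after_buggy());
    printf("fixed ordering leaves %d dangling binding(s), rc %d\n",
           stale_bindings_after_fixed(), fixed_rejects_non_stateful());
    return 0;
}
```

The general lesson the model shows is the one the commit applies: a validity check that can reject an object must run before any step that registers that object with something longer-lived, otherwise every rejection path has to know how to undo the registration, and the one that forgets leaves a stale reference behind.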

5f0878e... by Thadeu Lima de Souza Cascardo

UBUNTU: Ubuntu-5.13.0-46.51

Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

556efc4... by Thadeu Lima de Souza Cascardo

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>

15bc41c... by Stephen Brennan <email address hidden>

UBUNTU: SAUCE: debug: Lock down kgdb

KGDB and KDB allow read and write access to kernel memory, and thus
should not be allowed during lockdown. An attacker with access to a
serial port (for example, via a hypervisor console, which some cloud
vendors provide over the network) could trigger the debugger and use it
to bypass lockdown. Ensure KDB and KGDB cannot be used during lockdown.

This fixes CVE-2022-21499.

Signed-off-by: Stephen Brennan <email address hidden>
CVE-2022-21499
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Kamal Mostafa <email address hidden>
Acked-by: Dimitri John Ledkov <email address hidden>

c3b5360... by Kleber Sacilotto de Souza

UBUNTU: Ubuntu-5.13.0-45.50

Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

f51ef72... by Kleber Sacilotto de Souza

UBUNTU: link-to-tracker: update tracking bug

BugLink: https://bugs.launchpad.net/bugs/1974347
Properties: no-test-build
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>

4de2cca... by Kleber Sacilotto de Souza

UBUNTU: Start new release

Ignore: yes
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>