From bdeb7f1c4651240043b0b8a2a5432fc9760cfadf Mon Sep 17 00:00:00 2001

From: Joe Lawrence <joe.lawrence@redhat.com>

Date: Wed, 15 Jun 2022 16:10:31 -0400

Subject: [KPATCH CVE-2022-1966] kpatch fixes for CVE-2022-1966

Kernels:

3.10.0-1160.36.2.el7

3.10.0-1160.41.1.el7

3.10.0-1160.42.2.el7

3.10.0-1160.45.1.el7

3.10.0-1160.49.1.el7

3.10.0-1160.53.1.el7

3.10.0-1160.59.1.el7

3.10.0-1160.62.1.el7

3.10.0-1160.66.1.el7

Changes since last build:

arches: x86_64 ppc64le

nf_tables_api.o: changed function: nft_expr_init

nft_dynset.o: changed function: nft_dynset_init

---------------------------

Kpatch-MR: https://gitlab.com/redhat/prdsc/rhel/src/kpatch/rhel-7/-/merge_requests/42

Approved-by: Yannick Cote (@ycote1)

Modifications: none

commit c511e60bebd0546f8ec47a3c1691ab01d262b8e4

Author: Phil Sutter <psutter@redhat.com>

Date:   Fri Jun 3 16:54:42 2022 +0200

    netfilter: nf_tables: fix memory leak if expr init fails

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000

    Upstream Status: commit 6cafaf4764a32

    commit 6cafaf4764a32597c2195aa5411b87728e1fde8a

    Author: Liping Zhang <liping.zhang@spreadtrum.com>

    Date:   Mon Jun 20 21:11:45 2016 +0800

        netfilter: nf_tables: fix memory leak if expr init fails

        If expr init fails then we need to free it.

        So when the user add a nft rule as follows:

          # nft add rule filter input tcp dport 22 flow table ssh \

            { ip saddr limit rate 0/second }

        memory leak will happen.

        Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>

        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Signed-off-by: Phil Sutter <psutter@redhat.com>

commit 4a4cc18bcf8f43c93dbf39cb52308dfaea4ec346

Author: Phil Sutter <psutter@redhat.com>

Date:   Fri Jun 3 16:54:43 2022 +0200

    netfilter: nf_tables: disallow non-stateful expression in sets earlier

    Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2093000

    Upstream Status: net.git commit 520778042ccca

    CVE: CVE-2022-1966

    Conflicts:

     * RHEL7 does not have nft_set_elem_expr_alloc(), remove

       NFT_EXPR_STATEFUL check from nft_dynset_init() instead

     * Context change in nft_expr_init() as RHEL7 does not have .release_ops

     * Adjusted new NFT_EXPR_STATEFUL check as upstream renamed 'info' into

       'expr_info'

    commit 520778042ccca019f3ffa136dd0ca565c486cedd

    Author: Pablo Neira Ayuso <pablo@netfilter.org>

    Date:   Wed May 25 10:36:38 2022 +0200

        netfilter: nf_tables: disallow non-stateful expression in sets earlier

        Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression

        instantiation"), it is possible to attach stateful expressions to set

        elements.

        cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate

        and destroy phase") introduces conditional destruction on the object to

        accomodate transaction semantics.

        nft_expr_init() calls expr->ops->init() first, then check for

        NFT_STATEFUL_EXPR, this stills allows to initialize a non-stateful

        lookup expressions which points to a set, which might lead to UAF since

        the set is not properly detached from the set->binding for this case.

        Anyway, this combination is non-sense from nf_tables perspective.

        This patch fixes this problem by checking for NFT_STATEFUL_EXPR before

        expr->ops->init() is called.

        The reporter provides a KASAN splat and a poc reproducer (similar to

        those autogenerated by syzbot to report use-after-free errors). It is

        unknown to me if they are using syzbot or if they use similar automated

        tool to locate the bug that they are reporting.

        For the record, this is the KASAN splat.

        [   85.431824] ==================================================================

        [   85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20

        [   85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776

        [   85.434756]

        [   85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G        W         5.18.0+ #2

        [   85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014

        Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")

        Reported-and-tested-by: Aaron Adams <edg-e@nccgroup.com>

        Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

    Signed-off-by: Phil Sutter <psutter@redhat.com>

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>

---

 net/netfilter/nf_tables_api.c | 16 +++++++++++-----

 net/netfilter/nft_dynset.c    |  4 ----

 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c

index 0f46d90715a3..44738b987690 100644

--- a/net/netfilter/nf_tables_api.c

+++ b/net/netfilter/nf_tables_api.c

@@ -1739,21 +1739,27 @@ struct nft_expr *nft_expr_init(const struct nft_ctx *ctx,

 	err = nf_tables_expr_parse(ctx, nla, &info;;

 	if (err < 0)

-		goto err1;

+		goto err_expr_parse;

+

+	err = -EOPNOTSUPP;

+	if (!(info.ops->type->flags & NFT_EXPR_STATEFUL))

+		goto err_expr_stateful;

 	err = -ENOMEM;

 	expr = kzalloc(info.ops->size, GFP_KERNEL);

 	if (expr == NULL)

-		goto err2;

+		goto err_expr_stateful;

 	err = nf_tables_newexpr(ctx, &info, expr);

 	if (err < 0)

-		goto err2;

+		goto err_expr_new;

 	return expr;

-err2:

+err_expr_new:

+	kfree(expr);

+err_expr_stateful:

 	module_put(info.ops->type->owner);

-err1:

+err_expr_parse:

 	return ERR_PTR(err);

 }

diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c

index 3f9f8e82716e..0cf187230050 100644

--- a/net/netfilter/nft_dynset.c

+++ b/net/netfilter/nft_dynset.c

@@ -174,10 +174,6 @@ static int nft_dynset_init(const struct nft_ctx *ctx,

 		priv->expr = nft_expr_init(ctx, tb[NFTA_DYNSET_EXPR]);

 		if (IS_ERR(priv->expr))

 			return PTR_ERR(priv->expr);

-

-		err = -EOPNOTSUPP;

-		if (!(priv->expr->ops->type->flags & NFT_EXPR_STATEFUL))

-			goto err1;

 	} else if (set->flags & NFT_SET_EVAL)

 		return -EINVAL;

-- 

2.34.3