APPLIED: [SRU Focal 1/1] netfilter: nf_tables: stricter validation of element data

Stefan Bader stefan.bader at canonical.com
Mon Aug 1 13:20:18 UTC 2022


On 14.07.22 23:28, Thadeu Lima de Souza Cascardo wrote:
> From: Pablo Neira Ayuso <pablo at netfilter.org>
> 
> Make sure element data type and length do not mismatch the one specified
> by the set declaration.
> 
> Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / data")
> Reported-by: Hugues ANGUELKOV <hanguelkov at randorisec.fr>
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> CVE-2022-34918
> (backported from commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6)
> [cengizcan: target function does not exist until 5.8 so follow history
> backwards, find previous place of length check and adapt the change for
> 5.4]
> Signed-off-by: Cengiz Can <cengiz.can at canonical.com>
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---

Applied to focal:linux/master-next. Thanks.

-Stefan

>   net/netfilter/nf_tables_api.c | 9 ++++++++-
>   1 file changed, 8 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 24f18d6a0a50..54efb96705e5 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -4531,6 +4531,7 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
>   	struct nft_data data;
>   	enum nft_registers dreg;
>   	struct nft_trans *trans;
> +	u32 dtype;
>   	u32 flags = 0;
>   	u64 timeout;
>   	u64 expiration;
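
Review bot: the new function-scope `u32 dtype;` is easy to misread as `set->dtype`, which this function still uses directly (`dreg = nft_type_to_reg(set->dtype);`). The variable only ever holds the data type expected from the element (NFT_DATA_VERDICT or NFT_DATA_VALUE) and is only needed in the nested block where the check sits. Declaring it in that block, or giving it a name that says "expected type", would make the later comparison against `d2.type` easier to follow.
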
> @@ -4630,7 +4631,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set,
>   			goto err2;
>   
>   		err = -EINVAL;
> -		if (set->dtype != NFT_DATA_VERDICT && d2.len != set->dlen)
> +
> +		if (set->dtype == NFT_DATA_VERDICT)
> +			dtype = NFT_DATA_VERDICT;
> +		else
> +			dtype = NFT_DATA_VALUE;
> +
> +		if (dtype != d2.type || set->dlen != d2.len)
>   			goto err3;
>   
>   		dreg = nft_type_to_reg(set->dtype);
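
Review bot: the rewritten condition `if (dtype != d2.type || set->dlen != d2.len)` now applies the length comparison to verdict maps too, whereas the removed line skipped it whenever `set->dtype == NFT_DATA_VERDICT`. Because this is an adaptation for 5.4 and not a clean cherry-pick, please confirm that `set->dlen` for a verdict map equals the `d2.len` reported for verdict data in this tree. Otherwise valid verdict elements would start failing with -EINVAL. A short comment stating that every non-verdict set data type is carried as NFT_DATA_VALUE would document the mapping, and the blank line added after `err = -EINVAL;` can be dropped.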
