Patchset of CVE-2024-27020.
Pablo Neira Ayuso (1): netfilter: nf_tables: __nft_expr_type_get() selects specific family type
Ziyang Xuan (1): netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()
net/netfilter/nf_tables_api.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-)
From: Pablo Neira Ayuso pablo@netfilter.org
stable inclusion from stable-v4.19.313 commit 97f097a8091261ffa07c8889550c4026e59b6c14 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5P0 CVE: CVE-2024-27020
--------------------------------
[ Upstream commit 9cff126f73a7025bcb0883189b2bed90010a57d4 ]
In case that there are two types, prefer the family specify extension.
Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Stable-dep-of: f969eb84ce48 ("netfilter: nf_tables: Fix potential data-race in __nft_expr_type_get()") Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com --- net/netfilter/nf_tables_api.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f70fedb98695..6e4bbdea804c 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2034,14 +2034,17 @@ EXPORT_SYMBOL_GPL(nft_unregister_expr); static const struct nft_expr_type *__nft_expr_type_get(u8 family, struct nlattr *nla) { - const struct nft_expr_type *type; + const struct nft_expr_type *type, *candidate = NULL;
list_for_each_entry(type, &nf_tables_expressions, list) { - if (!nla_strcmp(nla, type->name) && - (!type->family || type->family == family)) - return type; + if (!nla_strcmp(nla, type->name)) { + if (!type->family && !candidate) + candidate = type; + else if (type->family == family) + candidate = type; + } } - return NULL; + return candidate; }
static const struct nft_expr_type *nft_expr_type_get(struct net *net,
stable inclusion from stable-v4.19.313 commit 939109c0a8e2a006a6cc8209e262d25065f4403a category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9L5P0 CVE: CVE-2024-27020
--------------------------------
[ Upstream commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf ]
nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry.
Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process.
Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading") Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com Signed-off-by: Pablo Neira Ayuso pablo@netfilter.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Ziyang Xuan william.xuanziyang@huawei.com --- net/netfilter/nf_tables_api.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 6e4bbdea804c..8cbb6e06e6aa 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2036,7 +2036,7 @@ static const struct nft_expr_type *__nft_expr_type_get(u8 family, { const struct nft_expr_type *type, *candidate = NULL;
- list_for_each_entry(type, &nf_tables_expressions, list) { + list_for_each_entry_rcu(type, &nf_tables_expressions, list) { if (!nla_strcmp(nla, type->name)) { if (!type->family && !candidate) candidate = type; @@ -2056,9 +2056,13 @@ static const struct nft_expr_type *nft_expr_type_get(struct net *net, if (nla == NULL) return ERR_PTR(-EINVAL);
+ rcu_read_lock(); type = __nft_expr_type_get(family, nla); - if (type != NULL && try_module_get(type->owner)) + if (type != NULL && try_module_get(type->owner)) { + rcu_read_unlock(); return type; + } + rcu_read_unlock();
lockdep_nfnl_nft_mutex_not_held(); #ifdef CONFIG_MODULES
-
Ziyang Xuan