On Tue, Jun 07, 2022 at 09:55:21AM +0530, Ajay Kaher wrote:
> From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
>
> commit 520778042ccca019f3ffa136dd0ca565c486cedd upstream.
>
> Since 3e135cd499bf ("netfilter: nft_dynset: dynamic stateful expression
> instantiation"), it is possible to attach stateful expressions to set
> elements.
>
> cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate
> and destroy phase") introduces conditional destruction on the object to
> accommodate transaction semantics.
>
> nft_expr_init() calls expr->ops->init() first, then checks for
> NFT_STATEFUL_EXPR; this still allows initializing a non-stateful
> lookup expression which points to a set, which might lead to UAF since
> the set is not properly detached from the set->binding for this case.
> Anyway, this combination is nonsense from the nf_tables perspective.
>
> This patch fixes this problem by checking for NFT_STATEFUL_EXPR before
> expr->ops->init() is called.
>
> The reporter provides a KASAN splat and a poc reproducer (similar to
> those autogenerated by syzbot to report use-after-free errors). It is
> unknown to me if they are using syzbot or if they use a similar automated
> tool to locate the bug that they are reporting.
>
> For the record, this is the KASAN splat.
>
> [ 85.431824] ==================================================================
> [ 85.432901] BUG: KASAN: use-after-free in nf_tables_bind_set+0x81b/0xa20
> [ 85.433825] Write of size 8 at addr ffff8880286f0e98 by task poc/776
> [ 85.434756]
> [ 85.434999] CPU: 1 PID: 776 Comm: poc Tainted: G W 5.18.0+ #2
> [ 85.436023] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
>
> Fixes: 0b2d8a7b638b ("netfilter: nf_tables: add helper functions for expression handling")
> Reported-and-tested-by: Aaron Adams <edg-e@xxxxxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> [Ajay: Regenerated the patch for v4.9.y]
> Signed-off-by: Ajay Kaher <akaher@xxxxxxxxxx>

Both now queued up, thanks.

greg k-h
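The quoted commit message describes a validation-ordering defect: the NFT_STATEFUL_EXPR check ran after expr->ops->init(), so a rejected non-stateful lookup expression had already bound itself to a set and that binding was never undone. The following C model is an added illustration written for this page; it is not kernel code and not part of the thread. Every struct, function and flag name in it (struct set, struct expr_ops, EXPR_STATEFUL, expr_init_before, expr_init_after) is a hypothetical stand-in, and the "binding count" is a constructed proxy for the set->binding list the message refers to. It shows the check-after-init order leaving a stale binding behind on the error path, and the check-before-init order (the fix's approach) leaving none.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of the expression/set binding relationship (hypothetical names). */
#define EXPR_STATEFUL 0x1   /* stand-in for the NFT_STATEFUL_EXPR flag */

struct set {
    int bindings;           /* number of expressions currently bound to this set */
};

struct expr;

struct expr_ops {
    unsigned int flags;
    int (*init)(struct expr *e, struct set *s);
    void (*destroy)(struct expr *e);
};

struct expr {
    const struct expr_ops *ops;
    struct set *bound;      /* set this expression is attached to, if any */
};

/* Lookup-style expression: init() binds the expression to the set. */
static int lookup_init(struct expr *e, struct set *s)
{
    e->bound = s;
    s->bindings++;
    return 0;
}

static void lookup_destroy(struct expr *e)
{
    if (e->bound) {
        e->bound->bindings--;
        e->bound = NULL;
    }
}

/* Stateful expression (e.g. a counter): init() touches no set. */
static int stateful_init(struct expr *e, struct set *s)
{
    (void)s;
    e->bound = NULL;
    return 0;
}

static void stateful_destroy(struct expr *e) { (void)e; }

static const struct expr_ops lookup_ops   = { 0,             lookup_init,   lookup_destroy };
static const struct expr_ops stateful_ops = { EXPR_STATEFUL, stateful_init, stateful_destroy };

/* Pre-fix order: run init() first, then check the flag. On the rejection
 * path the binding that init() created is never released. */
static int expr_init_before(struct expr *e, const struct expr_ops *ops, struct set *s)
{
    int err;

    e->ops = ops;
    e->bound = NULL;
    err = ops->init(e, s);
    if (err)
        return err;
    if (!(ops->flags & EXPR_STATEFUL))
        return -EINVAL;     /* s->bindings still counts this dead expression */
    return 0;
}

/* Fixed order: reject non-stateful expressions before init() can bind anything. */
static int expr_init_after(struct expr *e, const struct expr_ops *ops, struct set *s)
{
    if (!(ops->flags & EXPR_STATEFUL))
        return -EINVAL;
    e->ops = ops;
    e->bound = NULL;
    return ops->init(e, s);
}

/* Return code of one initialization attempt under the chosen ordering. */
int init_rc(int fixed, int stateful)
{
    struct set s = { 0 };
    struct expr e;
    const struct expr_ops *ops = stateful ? &stateful_ops : &lookup_ops;

    return fixed ? expr_init_after(&e, ops, &s) : expr_init_before(&e, ops, &s);
}

/* Bindings left on the set after a rejected non-stateful lookup expression:
 * 1 with the pre-fix order (stale reference), 0 with the fixed order. */
int leaked_bindings(int fixed)
{
    struct set s = { 0 };
    struct expr e;

    if (fixed)
        expr_init_after(&e, &lookup_ops, &s);
    else
        expr_init_before(&e, &lookup_ops, &s);
    return s.bindings;
}

int main(void)
{
    printf("pre-fix order leaves %d stale binding(s)\n", leaked_bindings(0));
    printf("fixed order leaves %d stale binding(s)\n", leaked_bindings(1));
    return 0;
}
```

Both orderings reject the lookup expression with the same error code; the difference is only what state the rejection leaves behind, which is exactly the kind of defect KASAN later reports as a use-after-free once the set is torn down and the stale binding is walked.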