On Wed, 19 Jul 2023 21:08:21 +0200
Florian Westphal <fw@xxxxxxxxx> wrote:
> end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
>
> Its possible to add elements that only have a start key
> ("{ 1.0.0.0 . 2.0.0.0 }") without an internval end.
>
> Insertion treats this via:
>
> if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
> end = (const u8 *)nft_set_ext_key_end(ext)->data;
> else
> end = start;
>
> but removal side always uses nft_set_ext_key_end().
Oops, right, nft_pipapo_remove() should do exactly the same.
> This is wrong and leads to garbage remaining in the set after removal
> next lookup/insert attempt will give:
>
> BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
> Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
> Call Trace:
> kasan_report+0x105/0x140
> pipapo_get+0x8eb/0xb90
> nft_pipapo_insert+0x1dc/0x1710
> nf_tables_newsetelem+0x31f5/0x4e00
> ..
>
> Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
> Cc: Stefano Brivio <sbrivio@xxxxxxxxxx>
> Reported-by: lonial con <kongln9170@xxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Reviewed-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
Thanks for fixing this!
--
Stefano
