Patch "netfilter: nf_tables: disallow jump to implicit chain from set element" has been added to the 5.19-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Sat, 13 Aug 2022 17:21:57 +0200

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: disallow jump to implicit chain from set element

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-disallow-jump-to-implicit-chain-from-set-element.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From f323ef3a0d49e147365284bc1f02212e617b7f09 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Mon, 8 Aug 2022 19:30:07 +0200
Subject: netfilter: nf_tables: disallow jump to implicit chain from set element

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

commit f323ef3a0d49e147365284bc1f02212e617b7f09 upstream.

Extend struct nft_data_desc to add a flag field that specifies
nft_data_init() is being called for set element data.

Use it to disallow jump to implicit chain from set element, only jump
to chain via immediate expression is allowed.

Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h |    5 +++++
 net/netfilter/nf_tables_api.c     |    4 ++++
 2 files changed, 9 insertions(+)

--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -206,10 +206,15 @@ struct nft_ctx {
 	bool				report;
 };
 
+enum nft_data_desc_flags {
+	NFT_DATA_DESC_SETELEM	= (1 << 0),
+};
+
 struct nft_data_desc {
 	enum nft_data_types		type;
 	unsigned int			size;
 	unsigned int			len;
+	unsigned int			flags;
 };
 
 int nft_data_init(const struct nft_ctx *ctx, struct nft_data *data,
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5226,6 +5226,7 @@ static int nft_setelem_parse_data(struct
 	desc->type = dtype;
 	desc->size = NFT_DATA_VALUE_MAXLEN;
 	desc->len = set->dlen;
+	desc->flags = NFT_DATA_DESC_SETELEM;
 
 	return nft_data_init(ctx, data, desc, attr);
 }
@@ -9611,6 +9612,9 @@ static int nft_verdict_init(const struct
 			return PTR_ERR(chain);
 		if (nft_is_base_chain(chain))
 			return -EOPNOTSUPP;
+		if (desc->flags & NFT_DATA_DESC_SETELEM &&
+		    chain->flags & NFT_CHAIN_BINDING)
+			return -EINVAL;
 
 		chain->use++;
 		data->verdict.chain = chain;


Patches currently in stable-queue which might be from pablo@xxxxxxxxxxxxx are

queue-5.19/netfilter-nf_tables-do-not-allow-chain_id-to-refer-to-another-table.patch
queue-5.19/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
queue-5.19/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch
queue-5.19/netfilter-nf_tables-upfront-validation-of-data-via-nft_data_init.patch
queue-5.19/netfilter-nf_tables-disallow-jump-to-implicit-chain-from-set-element.patch
queue-5.19/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch






