Patch "netfilter: nf_tables: do not allow RULE_ID to refer to another chain" has been added to the 4.19-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: do not allow RULE_ID to refer to another chain

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-do-not-allow-rule_id-to-refer-to.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit de1a1cdba5dfd25a98b1476e1f544e7331b24854
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Tue May 16 17:06:13 2023 +0200

    netfilter: nf_tables: do not allow RULE_ID to refer to another chain
    
    [ 36d5b2913219ac853908b0f1c664345e04313856 ]
    
    When doing lookups for rules on the same batch by using its ID, a rule from
    a different chain can be used. If a rule is added to a chain but tries to
    be positioned next to a rule from a different chain, it will be linked to
    chain2, but the use counter on chain1 would be the one to be incremented.
    
    When looking for rules by ID, use the chain that was used for the lookup by
    name. The chain used in the context copied to the transaction needs to
    match that same chain. That way, struct nft_rule does not need to get
    enlarged with another member.
    
    Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
    Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule")
    Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
    Cc: <stable@xxxxxxxxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 5cafa90f9d807..62bc4cd0b7bec 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2769,6 +2769,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
 }
 
 static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
+					     const struct nft_chain *chain,
 					     const struct nlattr *nla)
 {
 	u32 id = ntohl(nla_get_be32(nla));
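Review bot: changing the signature of nft_rule_lookup_byid() means every caller in this tree has to pass the chain, yet the patch only updates the call in nf_tables_delrule; the second Fixes tag refers to RULE_ID references from new rules, so if that code path exists in queue-4.19 its call site must be converted as well or the build breaks. A one-line comment on the new parameter ("only match rules queued for this chain in the current batch") would also document why the ID lookup is now chain-scoped.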
@@ -2778,6 +2779,7 @@ static struct nft_rule *nft_rule_lookup_byid(const struct net *net,
 		struct nft_rule *rule = nft_trans_rule(trans);
 
 		if (trans->msg_type == NFT_MSG_NEWRULE &&
+		    trans->ctx.chain == chain &&
 		    id == nft_trans_rule_id(trans))
 			return rule;
 	}
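Review bot: the new `trans->ctx.chain == chain &&` test is a plain pointer comparison, so it is only correct when the caller passes the very chain object that the queued transaction's context was built from (the chain resolved by name in the same batch, as the changelog says); a NULL chain would silently match nothing instead of restoring the old unscoped behaviour. Suggest a short comment above the loop stating that a rule ID is scoped to the chain it was queued in and that callers must pass a resolved, non-NULL chain.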
@@ -2824,7 +2826,7 @@ static int nf_tables_delrule(struct net *net, struct sock *nlsk,
 
 			err = nft_delrule(&ctx, rule);
 		} else if (nla[NFTA_RULE_ID]) {
-			rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]);
+			rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]);
 			if (IS_ERR(rule)) {
 				NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]);
 				return PTR_ERR(rule);
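Review bot: the error path is unchanged, so a RULE_ID that names a rule queued for a different chain now fails with the same NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_ID]) as an unknown ID, which is the intended result but worth a sentence in the changelog since userspace cannot tell the two cases apart. It also needs confirming that `chain` is guaranteed non-NULL here: the `} else if (nla[NFTA_RULE_ID]) {` branch sits under the chain-name lookup in nf_tables_delrule, but that enclosing condition is outside the hunk's context lines.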


