Patch "netfilter: nft_set_pipapo: fix improper element removal" has been added to the 6.1-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nft_set_pipapo: fix improper element removal

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nft_set_pipapo-fix-improper-element-remova.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 83c0d8d2e1df2dea06f0b2bf34a73af311411a76
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Wed Jul 19 21:08:21 2023 +0200

    netfilter: nft_set_pipapo: fix improper element removal
    
    [ Upstream commit 87b5a5c209405cb6b57424cdfa226a6dbd349232 ]
    
    end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
    
    It's possible to add elements that only have a start key
    ("{ 1.0.0.0 . 2.0.0.0 }") without an interval end.
    
    Insertion treats this via:
    
    if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
       end = (const u8 *)nft_set_ext_key_end(ext)->data;
    else
       end = start;
    
    but removal side always uses nft_set_ext_key_end().
    This is wrong and leads to garbage remaining in the set after removal;
    the next lookup/insert attempt will give:
    
    BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
    Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
    Call Trace:
     kasan_report+0x105/0x140
     pipapo_get+0x8eb/0xb90
     nft_pipapo_insert+0x1dc/0x1710
     nf_tables_newsetelem+0x31f5/0x4e00
     ..
    
    Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
    Reported-by: lonial con <kongln9170@xxxxxxxxx>
    Reviewed-by: Stefano Brivio <sbrivio@xxxxxxxxxx>
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c
index 0452ee586c1cc..a81829c10feab 100644
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1930,7 +1930,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set,
 		int i, start, rules_fx;
 
 		match_start = data;
-		match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+
+		if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END))
+			match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data;
+		else
+			match_end = data;
 
 		start = first_rule;
 		rules_fx = rules_f0;
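Review bot: The new fallback `match_end = data;` duplicates the `match_start = data;` assignment a few lines above; writing `match_end = match_start;` would state the intended invariant (end equals start when NFT_SET_EXT_KEY_END is absent) directly and mirror the insertion path's `end = start`. Since the same exists-check now appears on both the insertion and removal paths, consider folding it into one small helper so the two sides cannot drift apart again.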

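The commit message describes an asymmetry between insertion and removal in how the optional end key is resolved. The C model below is an added example, not the kernel's code: the names `elem_end`, `set_insert`, `set_remove_buggy`, `set_remove_fixed` and the sample values are hypothetical and constructed. It keeps an element's match rule in a table separate from the element itself, the way pipapo keeps its match data apart from the element object, and shows that resolving the end key through one shared helper on both paths is what makes removal actually clear the rule; the unguarded read leaves a stale rule behind that the next insert of the same key then collides with.

```c
/* Added example (not kernel code): optional end key resolved consistently
 * on insert and remove. All names and values are hypothetical/constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_ELEMS 8

/* Set element: start key always present, end key optional
 * (has_end stands in for nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)). */
struct elem {
	uint32_t start;
	bool has_end;
	uint32_t end;   /* only meaningful when has_end; stale memory otherwise */
	bool in_use;
};

/* Match rule, standing in for the pipapo field data derived from an element. */
struct rule {
	uint32_t start, end;
	bool in_use;
};

struct range_set {
	struct elem elems[MAX_ELEMS];
	struct rule rules[MAX_ELEMS];   /* slot i belongs to elems[i] */
};

/* The one place that decides what "end" means: no end key => end == start. */
static uint32_t elem_end(const struct elem *e)
{
	return e->has_end ? e->end : e->start;
}

static int find_rule(const struct range_set *s, uint32_t start, uint32_t end)
{
	for (int i = 0; i < MAX_ELEMS; i++)
		if (s->rules[i].in_use && s->rules[i].start == start && s->rules[i].end == end)
			return i;
	return -1;
}

/* Insert: returns slot index, -1 on duplicate or full. Uses elem_end(). */
static int set_insert(struct range_set *s, uint32_t start, bool has_end, uint32_t end)
{
	/* 0xdeadbeef models the garbage an absent extension would hand back. */
	struct elem tmp = { start, has_end, has_end ? end : 0xdeadbeefu, true };
	if (find_rule(s, start, elem_end(&tmp)) >= 0)
		return -1;
	for (int i = 0; i < MAX_ELEMS; i++) {
		if (!s->elems[i].in_use) {
			s->elems[i] = tmp;
			s->rules[i] = (struct rule){ start, elem_end(&tmp), true };
			return i;
		}
	}
	return -1;
}

/* Common removal: frees the element, then tries to drop the rule matching
 * (start, match_end). Returns false when the rule is left behind. */
static bool remove_with_end(struct range_set *s, int idx, uint32_t match_end)
{
	struct elem *e = &s->elems[idx];
	int r = find_rule(s, e->start, match_end);
	e->in_use = false;
	if (r < 0)
		return false;   /* stale rule now points at a freed element */
	s->rules[r].in_use = false;
	return true;
}

/* Buggy path: reads the end key unconditionally, like the pre-fix code. */
static bool set_remove_buggy(struct range_set *s, int idx)
{
	return remove_with_end(s, idx, s->elems[idx].end);
}

/* Fixed path: resolves the end key through the shared helper. */
static bool set_remove_fixed(struct range_set *s, int idx)
{
	return remove_with_end(s, idx, elem_end(&s->elems[idx]));
}

static int live_rules(const struct range_set *s)
{
	int n = 0;
	for (int i = 0; i < MAX_ELEMS; i++)
		n += s->rules[i].in_use;
	return n;
}

/* Insert a start-only element (constructed key 1.0.0.0), remove it via the
 * chosen path, and report how many rules survive the removal. */
static int stale_rules_after_remove(bool use_fixed)
{
	struct range_set s = {0};
	int idx = set_insert(&s, 0x01000000u, false, 0);
	if (use_fixed) set_remove_fixed(&s, idx); else set_remove_buggy(&s, idx);
	return live_rules(&s);
}

/* Same setup, then attempt to re-add the key: succeeds only if removal was clean. */
static bool reinsert_succeeds_after_remove(bool use_fixed)
{
	struct range_set s = {0};
	int idx = set_insert(&s, 0x01000000u, false, 0);
	if (use_fixed) set_remove_fixed(&s, idx); else set_remove_buggy(&s, idx);
	return set_insert(&s, 0x01000000u, false, 0) >= 0;
}

int main(void)
{
	printf("buggy: %d stale rule(s), reinsert ok=%d\n",
	       stale_rules_after_remove(false), reinsert_succeeds_after_remove(false));
	printf("fixed: %d stale rule(s), reinsert ok=%d\n",
	       stale_rules_after_remove(true), reinsert_succeeds_after_remove(true));
	return 0;
}
```

In the model the stale rule only causes a spurious duplicate; in the kernel the leftover pipapo match data references the freed element, which is what KASAN reports as the use-after-free in `pipapo_get` on the next lookup or insert.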

