cve/published/2022/CVE-2022-48935.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48935: netfilter: nf_tables: unregister flowtable hooks on netns exit

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 netfilter: nf_tables: unregister flowtable hooks on netns exit

 Unregister flowtable hooks before they are releases via
 nf_tables_flowtable_destroy() otherwise hook core reports UAF.

 BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666

 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
  dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106
  print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247
  __kasan_report mm/kasan/report.c:433 [inline]
  __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
  kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
  nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
  __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429
  nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571
  nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232
  nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430
  nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
  nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
  nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
  nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
  nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652

 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which
 only unregisters the hooks, then after RCU grace period, it is
 guaranteed that no packets add new entries to the flowtable (no flow
 offload rules and flowtable hooks are reachable from packet path), so it
 is safe to call nf_flow_table_free() which cleans up the remaining
 entries from the flowtable (both software and hardware) and it unbinds
 the flow_block.

 The Linux kernel CVE team has assigned CVE-2022-48935 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 4.19.316 with commit 88c795491bf45a8c08a0f94c9ca4f13722e51013
 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.4.262 with commit b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.10.198 with commit e51f30826bc5384801df98d76109c94953d1df64
 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.15.26 with commit 8ffb8ac3448845f65634889b051bd65e4dee484b
 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.16.12 with commit b4fcc081e527aa2ce12e956912fc47e251f6bd27
 	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.17 with commit 6069da443bf65f513bb507bb21e2f87cfb1ad0b6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48935
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/netfilter/nf_tables_api.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/88c795491bf45a8c08a0f94c9ca4f13722e51013
 	https://git.kernel.org/stable/c/b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
 	https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64
 	https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
 	https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
 	https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48935: netfilter: nf_tables: unregister flowtable hooks on netns exit

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	netfilter: nf_tables: unregister flowtable hooks on netns exit

	Unregister flowtable hooks before they are releases via
	nf_tables_flowtable_destroy() otherwise hook core reports UAF.

	BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
	Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666

	CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
	Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
	Call Trace:
	<TASK>
	__dump_stack lib/dump_stack.c:88 [inline]
	__dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
	dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106
	print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247
	__kasan_report mm/kasan/report.c:433 [inline]
	__kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
	kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
	nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
	__nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429
	nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571
	nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232
	nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430
	nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
	nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
	nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
	nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
	nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652

	__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which
	only unregisters the hooks, then after RCU grace period, it is
	guaranteed that no packets add new entries to the flowtable (no flow
	offload rules and flowtable hooks are reachable from packet path), so it
	is safe to call nf_flow_table_free() which cleans up the remaining
	entries from the flowtable (both software and hardware) and it unbinds
	the flow_block.

	The Linux kernel CVE team has assigned CVE-2022-48935 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 4.19.316 with commit 88c795491bf45a8c08a0f94c9ca4f13722e51013
	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.4.262 with commit b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.10.198 with commit e51f30826bc5384801df98d76109c94953d1df64
	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.15.26 with commit 8ffb8ac3448845f65634889b051bd65e4dee484b
	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.16.12 with commit b4fcc081e527aa2ce12e956912fc47e251f6bd27
	Issue introduced in 5.5 with commit ff4bf2f42a40e7dff28379f085b64df322c70b45 and fixed in 5.17 with commit 6069da443bf65f513bb507bb21e2f87cfb1ad0b6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48935
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/netfilter/nf_tables_api.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/88c795491bf45a8c08a0f94c9ca4f13722e51013
	https://git.kernel.org/stable/c/b05a24cc453e3cd51b0c79e3c583b5d495eba1d6
	https://git.kernel.org/stable/c/e51f30826bc5384801df98d76109c94953d1df64
	https://git.kernel.org/stable/c/8ffb8ac3448845f65634889b051bd65e4dee484b
	https://git.kernel.org/stable/c/b4fcc081e527aa2ce12e956912fc47e251f6bd27
	https://git.kernel.org/stable/c/6069da443bf65f513bb507bb21e2f87cfb1ad0b6