From patchwork Thu Feb 23 23:00:40 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yuxuan Luo <yuxuan.luo@canonical.com>
X-Patchwork-Id: 1747208
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com
 (client-ip=91.189.94.19; helo=huckleberry.canonical.com;
 envelope-from=kernel-team-bounces@lists.ubuntu.com; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=fail reason="signature verification failed" (2048-bit key;
 unprotected) header.d=canonical.com header.i=@canonical.com
 header.a=rsa-sha256 header.s=20210705 header.b=SdndLY8i;
	dkim-atps=neutral
Received: from huckleberry.canonical.com (huckleberry.canonical.com
 [91.189.94.19])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4PN7mR1Mykz240f
	for <incoming@patchwork.ozlabs.org>; Fri, 24 Feb 2023 10:00:55 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1pVKa0-00054B-CB; Thu, 23 Feb 2023 23:00:48 +0000
Received: from smtp-relay-internal-0.internal ([10.131.114.225]
 helo=smtp-relay-internal-0.canonical.com)
 by huckleberry.canonical.com with esmtps
 (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.86_2)
 (envelope-from <yuxuan.luo@canonical.com>) id 1pVKZy-00053x-7q
 for kernel-team@lists.ubuntu.com; Thu, 23 Feb 2023 23:00:46 +0000
Received: from mail-qv1-f72.google.com (mail-qv1-f72.google.com
 [209.85.219.72])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
 (No client certificate requested)
 by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 8317C3F4A6
 for <kernel-team@lists.ubuntu.com>; Thu, 23 Feb 2023 23:00:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;
 s=20210705; t=1677193245;
 bh=C1BFbE0xyVullKuk2jBapN1j7z6HXRBcOQA208ePoIE=;
 h=From:To:Subject:Date:Message-Id:In-Reply-To:References:
 MIME-Version;
 b=SdndLY8iTZa/S+JsV1QZpBX6GMOjQnHrFiQnDSvIWTdV3Fv3BZbWHPy22Z86pmPqK
 wNtBhgSewgrYbPPF3P39eJ7uM/46VTlu9fryIWT3IJ+HD04GhPVFto5NWey+MTMoN+
 i89mFXxQjFDrccMEYqyMDA2E0wHQGqRMH6mlbMKLbdBa9A+7dmLKpj0TY9Wmgac37n
 8VkShx5pGwv+ocSI+LZs1TzTJ7QOxRcTUgQgD4TNveimxaBZZno8gOtROz3MJoST1H
 SH6abPrPovlvNcMCwTpQH3w7psTIXkXRRqyWWw6PRjVoH4EjrbxrvT22ZM9ZC3HdeP
 1ijg7Bysszs7Q==
Received: by mail-qv1-f72.google.com with SMTP id
 px25-20020a056214051900b0056f0794632bso6899888qvb.18
 for <kernel-team@lists.ubuntu.com>; Thu, 23 Feb 2023 15:00:45 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:date:subject:to:from:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=C1BFbE0xyVullKuk2jBapN1j7z6HXRBcOQA208ePoIE=;
 b=YpxO13nj8MmwbpZj78T6nFszjAbQiHAoqSnUHwGkh96SI6mkhgc0TvXSGq2tBWGKBF
 jIRYwM0sJhnSUKmIyqqVDD1QuX8nk4DfOMAoAT963EGX10ADDKtrXY9rDTqoCRKwT7za
 vvB+FND7ryXxfZ/HJMSV+rZ/4SP7uG0TpCt1ZBMOPUAT9AcOa6T4qpwh6/M9nrcsz0NE
 hdR0nY0MiEq4cWQOugoWRgB4GPr8vIX5hAgyQg3e/hBL0LpJIjjUYYy6EfCnWl4+HfKg
 Q0T82mLoEKwFgmAZn06xYMhMdwVNcl5jMTWIib9jozJ0k/U1SOfwhzEE/KteBF8OWOHg
 dLXQ==
X-Gm-Message-State: AO0yUKVEiH527xeNWkFsCbezVA1eimU7xLGOcFFH1TfMAEPc3L2EmjY2
 2tq6Y3/zM7T6lPYc8R/DUJ1hS0UDDYIxZU0RhIGh4ROMc4o1Xu4leHpTxysxe1OAxAsYKMh6mzr
 I+pSOAdoy91OVRWwpmHHydPIAeK0tAJ9oThdm3AOv+BOD45M=
X-Received: by 2002:ac8:5f4f:0:b0:3b9:b4b5:4b7a with SMTP id
 y15-20020ac85f4f000000b003b9b4b54b7amr12711532qta.11.1677193244137;
 Thu, 23 Feb 2023 15:00:44 -0800 (PST)
X-Google-Smtp-Source: 
 AK7set88rRrAEzheNqIK+RRKQryBnXwOxZSXSb/D4BXC1aa4CB69D1soOeBPoEHC1eqAupQhppKiyA==
X-Received: by 2002:ac8:5f4f:0:b0:3b9:b4b5:4b7a with SMTP id
 y15-20020ac85f4f000000b003b9b4b54b7amr12711503qta.11.1677193243884;
 Thu, 23 Feb 2023 15:00:43 -0800 (PST)
Received: from cache-ubuntu.hsd1.nj.comcast.net
 ([2601:86:200:98b0:ad8b:66f:549a:c082])
 by smtp.gmail.com with ESMTPSA id
 f2-20020ac81342000000b003b9b4028d63sm6993490qtj.80.2023.02.23.15.00.43
 for <kernel-team@lists.ubuntu.com>
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 23 Feb 2023 15:00:43 -0800 (PST)
From: Yuxuan Luo <yuxuan.luo@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Xenial][PATCH 1/1] netfilter: nf_tables: initialize registers
 in nft_do_chain()
Date: Thu, 23 Feb 2023 18:00:40 -0500
Message-Id: <20230223230040.50880-2-yuxuan.luo@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20230223230040.50880-1-yuxuan.luo@canonical.com>
References: <20230223230040.50880-1-yuxuan.luo@canonical.com>
MIME-Version: 1.0
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
 <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Pablo Neira Ayuso <pablo@netfilter.org>

Initialize registers to avoid stack leak into userspace.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 4c905f6740a365464e91467aa50916555b28213d)
CVE-2022-1016
Signed-off-by: Yuxuan Luo <yuxuan.luo@canonical.com>
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nf_tables_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 204be93746578..00635ce1a3a25 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -115,7 +115,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
 	const struct net *net = pkt->net;
 	const struct nft_rule *rule;
 	const struct nft_expr *expr, *last;
-	struct nft_regs regs;
+	struct nft_regs regs = {};
 	unsigned int stackptr = 0;
 	struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
 	struct nft_stats *stats;