From patchwork Tue Dec 5 20:51:12 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1872328
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy/Mantic][PATCH 1/1] netfilter: nf_tables: remove catchall element in GC sync path
Date: Tue, 5 Dec 2023 15:51:12 -0500
Message-Id: <20231205205112.37490-2-yuxuan.luo@canonical.com>
In-Reply-To: <20231205205112.37490-1-yuxuan.luo@canonical.com>
References: <20231205205112.37490-1-yuxuan.luo@canonical.com>

From: Pablo Neira Ayuso

The expired catchall element is not deactivated and removed from GC sync
path. This path holds mutex so just call nft_setelem_data_deactivate()
and nft_setelem_catchall_remove() before queueing the GC work.

Fixes: 4a9e12ea7e70 ("netfilter: nft_set_pipapo: call nft_trans_gc_queue_sync() in catchall GC")
Reported-by: lonial con
Signed-off-by: Pablo Neira Ayuso
(backported from commit 93995bf4af2c5a99e2a87f0cd5ce547d31eb7630)
[yuxuan.luo: the prerequisite commit 0e1ea651c971 ("netfilter: nf_tables: shrink memory consumption of set elements") can be ignored by keeping nft_set_elem struct type and substitute nft_elem_priv variables with old elem->priv. ]
CVE-2023-6111
Signed-off-by: Yuxuan Luo
--- net/netfilter/nf_tables_api.c | 22 +++++++++++++++++----- 1 file changed, 17 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 4760caf59e3f5..e6e9dfeef4933 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -6198,6 +6198,12 @@ static int nft_setelem_deactivate(const struct net *net, return ret; } +static void nft_setelem_catchall_destroy(struct nft_set_elem_catchall *catchall) +{ + list_del_rcu(&catchall->list); + kfree_rcu(catchall, rcu); +} + static void nft_setelem_catchall_remove(const struct net *net, const struct nft_set *set, const struct nft_set_elem *elem) @@ -6206,8 +6212,7 @@ static void nft_setelem_catchall_remove(const struct net *net, list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { if (catchall->elem == elem->priv) { - list_del_rcu(&catchall->list); - kfree_rcu(catchall, rcu); + nft_setelem_catchall_destroy(catchall); break; } } @@ -9268,11 +9273,12 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc, unsigned int gc_seq, bool sync) { - struct nft_set_elem_catchall *catchall; + struct nft_set_elem_catchall *catchall, *next; const struct nft_set *set = gc->set; + struct nft_set_elem *elem; struct nft_set_ext *ext; - list_for_each_entry_rcu(catchall, &set->catchall_list, list) { + list_for_each_entry_safe(catchall, next, &set->catchall_list, list) { ext = nft_set_elem_ext(set, catchall->elem); if (!nft_set_elem_expired(ext)) @@ -9290,7 +9296,13 @@ static struct nft_trans_gc *nft_trans_gc_catchall(struct nft_trans_gc *gc, if (!gc) return NULL; - nft_trans_gc_elem_add(gc, catchall->elem); + elem = catchall->elem; + if (sync) { + nft_setelem_data_deactivate(gc->net, gc->set, elem); + nft_setelem_catchall_destroy(catchall); + } + + nft_trans_gc_elem_add(gc, elem->priv); } return gc;
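
Review bot: in the last hunk (@@ -9290, nft_trans_gc_catchall()), `elem = catchall->elem;` stores the catchall's element pointer in a `struct nft_set_elem *`, but the context line `if (catchall->elem == elem->priv)` in nft_setelem_catchall_remove() shows that catchall->elem is the priv pointer itself, not a struct nft_set_elem. As written, nft_setelem_data_deactivate() is handed the priv data typed as a struct nft_set_elem, and `nft_trans_gc_elem_add(gc, elem->priv)` queues whatever is read at the priv member offset inside that data rather than the `catchall->elem` value the removed line passed. Since the backport note says the nft_set_elem struct type is kept, consider a stack `struct nft_set_elem elem` with `elem.priv = catchall->elem;`, then pass `&elem` to nft_setelem_data_deactivate() (assuming it takes a struct nft_set_elem *, as the call here implies) and `elem.priv` to nft_trans_gc_elem_add().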
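
Review bot: the iterator change in the @@ -9268 hunk swaps list_for_each_entry_rcu() for list_for_each_entry_safe() on every call of nft_trans_gc_catchall(), yet only the `if (sync)` branch added further down unlinks entries, and the commit message only states that the sync path holds the mutex. If a caller passes sync == false from an RCU read-side section, the walk over set->catchall_list loses the RCU-aware loads of the list pointers. Consider keeping the _rcu iterator for the non-sync case, for example by splitting the sync and async variants into separate functions, or say in the commit message why the plain iterator is safe for both values of `sync`.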