From patchwork Sat Sep 16 00:48:15 2023
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1835307
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU OEM-6.0] netfilter: nf_tables: perform type checking for existing sets
Date: Sat, 16 Sep 2023 03:48:15 +0300
Message-Id: <20230916004839.706452-6-cengiz.can@canonical.com>
In-Reply-To: <20230916004839.706452-1-cengiz.can@canonical.com>
References: <20230916004839.706452-1-cengiz.can@canonical.com>
List-Id: Kernel team discussions

From: Pablo Neira Ayuso

If a ruleset declares a set name that matches an existing set in the kernel, then validate that this declaration really refers to the same set, otherwise bail out with EEXIST.

Currently, the kernel reports success when adding a set that already exists in the kernel. This usually results in EINVAL errors at a later stage, when the user adds elements to the set, if the set declaration mismatches the existing set representation in the kernel.

Add a new function to check that the set declaration really refers to the same existing set in the kernel.

Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit f6594c372afd5cec8b1e9ee9ea8f8819d59c6fb1)
CVE-2023-4244
[cengizcan: prerequisite commit]
Signed-off-by: Cengiz Can
---
 net/netfilter/nf_tables_api.c | 36 ++++++++++++++++++++++++++++++++++-
 1 file changed, 35 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 396bd59c0832..0a858ca7a7c4 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -4462,6 +4462,34 @@ static int nft_set_expr_alloc(struct nft_ctx *ctx, struct nft_set *set, return err; } +static bool nft_set_is_same(const struct nft_set *set, + const struct nft_set_desc *desc, + struct nft_expr *exprs[], u32 num_exprs, u32 flags) +{ + int i; + + if (set->ktype != desc->ktype || + set->dtype != desc->dtype || + set->flags != flags || + set->klen != desc->klen || + set->dlen != desc->dlen || + set->field_count != desc->field_count || + set->num_exprs != num_exprs) + return false; + + for (i = 0; i < desc->field_count; i++) { + if (set->field_len[i] != desc->field_len[i]) + return false; + } + + for (i = 0; i < num_exprs; i++) { + if (set->exprs[i]->ops != exprs[i]->ops) + return false; + } + + return true; +} + static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, const struct nlattr * const nla[]) { @@ -4616,10 +4644,16 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, if (err < 0) return err; + err = 0; + if (!nft_set_is_same(set, &desc, exprs, num_exprs, flags)) { + NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]); + err = -EEXIST; + } + for (i = 0; i < num_exprs; i++) nft_expr_destroy(&ctx, exprs[i]); - return 0; + return err; } if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
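Review bot: in the new nft_set_is_same() (first hunk, @@ -4462), stateful expressions are compared only by type, `set->exprs[i]->ops != exprs[i]->ops`, so two declarations that attach the same expression kind with different parameters (say two `counter` or `limit` expressions configured differently) are still reported as the same set; if comparing the type alone is the intended definition of "same", a one-line comment above that loop would spare the next reader the question. The field list (ktype, dtype, flags, klen, dlen, field_count, num_exprs, field_len[]) also leaves out other attributes a declaration can carry, such as timeout, size and the object type of a map, so a redeclaration differing only in those passes the check. Minor: `i` is a plain `int` while `desc->field_count` and `num_exprs` are unsigned; declaring it `u32 i` avoids the mixed signed/unsigned comparison in both loops.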
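Review bot: in the nf_tables_newset() hunk (@@ -4616), the added `err = 0;` sits directly after the existing `if (err < 0) return err;`, so it is only needed if err can hold a positive value at that point; if it cannot, drop the assignment and set `err = -EEXIST;` in the mismatch branch alone. The cleanup ordering is right: the exprs are destroyed on both the match and the mismatch path before `return err;`, so the new early error leaks nothing, and pointing extack at `nla[NFTA_SET_NAME]` is the right attribute to blame for EEXIST.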