ACK: [SRU Jammy 1/1] netfilter: nf_tables: validate registers coming from userspace.

Kleber Souza kleber.souza at canonical.com
Wed Apr 13 14:40:13 UTC 2022 

On 07.04.22 16:17, Thadeu Lima de Souza Cascardo wrote:
> From: Pablo Neira Ayuso <pablo at netfilter.org>
> 
> Bail out in case userspace uses unsupported registers.
> 
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851)
> CVE-2022-1015
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>

Thanks

> ---
>   net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
>   1 file changed, 17 insertions(+), 5 deletions(-)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index 2b2e0210a7f9..3e7f97a70721 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -9208,17 +9208,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
>   }
>   EXPORT_SYMBOL_GPL(nft_parse_u32_check);
>   
> -static unsigned int nft_parse_register(const struct nlattr *attr)
> +static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg)
>   {
>   	unsigned int reg;
>   
>   	reg = ntohl(nla_get_be32(attr));
>   	switch (reg) {
>   	case NFT_REG_VERDICT...NFT_REG_4:
> -		return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
> +		*preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
> +		break;
> +	case NFT_REG32_00...NFT_REG32_15:
> +		*preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
> +		break;
>   	default:
> -		return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
> +		return -ERANGE;
>   	}
> +
> +	return 0;
>   }
>   
>   /**
> @@ -9260,7 +9266,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
>   	u32 reg;
>   	int err;
>   
> -	reg = nft_parse_register(attr);
> +	err = nft_parse_register(attr, &reg);
> +	if (err < 0)
> +		return err;
> +
>   	err = nft_validate_register_load(reg, len);
>   	if (err < 0)
>   		return err;
> @@ -9315,7 +9324,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx,
>   	int err;
>   	u32 reg;
>   
> -	reg = nft_parse_register(attr);
> +	err = nft_parse_register(attr, &reg);
> +	if (err < 0)
> +		return err;
> +
>   	err = nft_validate_register_store(ctx, reg, data, type, len);
>   	if (err < 0)
>   		return err;

More information about the kernel-team mailing list