kernel / kernel-source

Clone
Source Code
GIT

Blame patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch

ALP-current ALP-current-GA ALP-current-RT ALP-current-RT-GA SLE12-SP5 SLE12-SP5-AZURE SLE12-SP5-RT SLE15-SP2-EB SLE15-SP3-RT-LTSS SLE15-SP4-RT-LTSS SLE15-SP5 SLE15-SP5-AZURE SLE15-SP5-RT SLE15-SP6 SLE15-SP6-AZURE SLE15-SP6-AZURE-GA SLE15-SP6-GA SLE15-SP6-RT SLE15-SP6-RT-GA linux-next master packaging scripts slowroll stable vanilla
  1.   ad63314e05f842dbce85eb39bb8e91d551edf871
  2.   patches.suse
  3.   netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
Blob History Raw
Miroslav Franc c9a1a1 
From: Florian Westphal <fw@strlen.de>
Miroslav Franc c9a1a1 
Date: Tue, 9 Aug 2022 18:34:02 +0200
Miroslav Franc c9a1a1 
Subject: netfilter: nf_tables: fix null deref due to zeroed list head
Miroslav Franc c9a1a1 
Git-commit: 580077855a40741cf511766129702d97ff02f4d9
Miroslav Franc c9a1a1 
Patch-mainline: v6.0-rc1
Miroslav Franc c9a1a1 
References: CVE-2023-1095 bsc#1208777
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
In nf_tables_updtable, if nf_tables_table_enable returns an error,
Miroslav Franc c9a1a1 
nft_trans_destroy is called to free the transaction object.
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
nft_trans_destroy() calls list_del(), but the transaction was never
Miroslav Franc c9a1a1 
placed on a list -- the list head is all zeroes, this results in
Miroslav Franc c9a1a1 
a null dereference:
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
Miroslav Franc c9a1a1 
Call Trace:
Miroslav Franc c9a1a1 
 nft_trans_destroy+0x26/0x59
Miroslav Franc c9a1a1 
 nf_tables_newtable+0x4bc/0x9bc
Miroslav Franc c9a1a1 
 [..]
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
Its sane to assume that nft_trans_destroy() can be called
Miroslav Franc c9a1a1 
on the transaction object returned by nft_trans_alloc(), so
Miroslav Franc c9a1a1 
make sure the list head is initialised.
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
Miroslav Franc c9a1a1 
Reported-by: mingi cho <mgcho.minic@gmail.com>
Miroslav Franc c9a1a1 
Signed-off-by: Florian Westphal <fw@strlen.de>
Miroslav Franc c9a1a1 
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Miroslav Franc c9a1a1 
Acked-by: Miroslav Franc <mfranc@suse.cz>
Miroslav Franc c9a1a1 
---
Miroslav Franc c9a1a1 
 net/netfilter/nf_tables_api.c | 1 +
Miroslav Franc c9a1a1 
 1 file changed, 1 insertion(+)
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
Miroslav Franc c9a1a1 
index 460b0925ea60..3cc88998b879 100644
Miroslav Franc c9a1a1 
--- a/net/netfilter/nf_tables_api.c
Miroslav Franc c9a1a1 
+++ b/net/netfilter/nf_tables_api.c
Miroslav Franc c9a1a1 
@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
Miroslav Franc c9a1a1 
 	if (trans == NULL)
Miroslav Franc c9a1a1 
 		return NULL;
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1 
+	INIT_LIST_HEAD(&trans->list);
Miroslav Franc c9a1a1 
 	trans->msg_type = msg_type;
Miroslav Franc c9a1a1 
 	trans->ctx	= *ctx;
Miroslav Franc c9a1a1
Miroslav Franc c9a1a1
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.