Commit b8db4a27 authored by Thadeu Lima de Souza Cascardo, committed by Yongqiang Liu

netfilter: nf_tables: do not allow RULE_ID to refer to another chain

mainline inclusion
from mainline-v6.0-rc1
commit 36d5b2913219ac853908b0f1c664345e04313856
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I5MEZD


CVE: CVE-2022-2586

--------------------------------

When doing lookups for rules on the same batch by using its ID, a rule from
a different chain can be used. If a rule is added to a chain but tries to
be positioned next to a rule from a different chain, it will be linked to
chain2, but the use counter on chain1 would be the one to be incremented.

When looking for rules by ID, use the chain that was used for the lookup by
name. The chain used in the context copied to the transaction needs to
match that same chain. That way, struct nft_rule does not need to get
enlarged with another member.

Fixes: 1a94e38d ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Fixes: 75dd48e2 ("netfilter: nf_tables: Support RULE_ID reference in new rule")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

conflict:
	net/netfilter/nf_tables_api.c

Signed-off-by: Lu Wei <luwei32@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Reviewed-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
parent a97e4220
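As an added illustration (not kernel code and not part of this commit): a simplified C model of the batch RULE_ID lookup the message describes, with the ID-only lookup beside the chain-checked one. The chain and rule structures, the batch contents and the use-counter bookkeeping are constructed for this example.

```c
#include <assert.h>
#include <stdio.h>

/* Toy model of a batch: each rule carries the batch-local ID that a later
 * rule in the same batch may reference as its position. Not kernel code. */
struct chain { const char *name; int use; };
struct rule  { int id; struct chain *chain; };

/* Constructed batch: one rule already queued in each of two chains. */
static struct chain chain1 = { "chain1", 0 }, chain2 = { "chain2", 0 };
static struct rule  rules[] = { { 1, &chain1 }, { 2, &chain2 } };
#define NRULES 2

/* Buggy lookup: matches on ID only, so a position reference can resolve
 * to a rule that lives in a different chain than the new rule's chain. */
static struct rule *lookup_by_id_unchecked(int id)
{
    for (int i = 0; i < NRULES; i++)
        if (rules[i].id == id)
            return &rules[i];
    return NULL;
}

/* Fixed lookup: the chain found by name must match the rule's chain. */
static struct rule *lookup_by_id_in_chain(struct chain *c, int id)
{
    for (int i = 0; i < NRULES; i++)
        if (rules[i].id == id && rules[i].chain == c)
            return &rules[i];
    return NULL;
}

/* Link a new rule into chain `c`, positioned at the rule with ID `pos_id`.
 * Returns 1 on success, 0 if the position reference is rejected. The use
 * counter follows the referenced rule's chain, so on the unchecked path the
 * rule lands in `c` while a different chain is charged for it. */
static int add_rule(struct chain *c, int pos_id, int checked)
{
    struct rule *pos = checked ? lookup_by_id_in_chain(c, pos_id)
                               : lookup_by_id_unchecked(pos_id);
    if (!pos)
        return 0;
    pos->chain->use++;
    return 1;
}

int main(void)
{
    add_rule(&chain2, 1, 0);   /* unchecked: accepted, chain1 charged */
    printf("unchecked: chain1.use=%d chain2.use=%d\n", chain1.use, chain2.use);
    printf("checked: cross-chain ref accepted=%d\n", add_rule(&chain2, 1, 1));
    return 0;
}
```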