
netfilter: nf_tables: do not allow to reference objects in foreign tables

Florian Westphal requested to merge fwestpha/centos-stream-9-fw:bz2116355 into main

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2116355
Upstream Status: All mainline in net.git
Tested: upstream nftables selftests
CVE: CVE-2022-2586
Conflicts: none

nf_tables uses a transaction model: userspace generates a list of changes (new rule, new rule, remove rule, ...) ended by a "commit" message that will make the changes go live.

Some elements can be referenced by an "id number", but there is no guarantee that the ID is only used by elements in the same logical table.

This allowed e.g. a rule in table x to reference a set from table y. Then, when table y is removed, UAF occurs.

Cross-table references are not allowed; lookups by ID must skip entries that reside in a different table.

Signed-off-by: Florian Westphal fwestpha@redhat.com
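The lookup rule the description ends on (an ID lookup must skip entries owned by a different table) is easy to see in a small model. The following is an added illustrative example, not code from the merge request or from the kernel's nf_tables implementation: `struct nft_table_model`, `struct nft_set_model`, the `pending_sets` batch and both `lookup_byid_*` functions are hypothetical stand-ins constructed for this example. It places the unchecked lookup beside the checked one so the difference in behaviour for a cross-table reference is visible.

```c
/* Added illustrative model of the fixed lookup behaviour described in the
 * merge request; it is not the kernel's nf_tables code. A set looked up by
 * its transaction ID is only returned if it belongs to the table that the
 * referencing rule is being added to. */
#include <stddef.h>
#include <stdio.h>

struct nft_table_model {                 /* hypothetical stand-in for a table */
    const char *name;
};

struct nft_set_model {                   /* hypothetical stand-in for a set */
    unsigned int id;                     /* per-batch ID supplied by userspace */
    const char *name;
    const struct nft_table_model *table; /* table that owns this set */
};

/* Constructed transaction batch: two tables and the sets queued in it. */
static const struct nft_table_model table_x = { "x" };
static const struct nft_table_model table_y = { "y" };

static const struct nft_set_model pending_sets[] = {
    { 1, "blocklist", &table_x },
    { 2, "allowlist", &table_y },
    { 3, "ports",     &table_y },
};
static const size_t n_pending = sizeof(pending_sets) / sizeof(pending_sets[0]);

/* Vulnerable shape: match on the ID alone, ignoring which table owns the set.
 * A rule in table x can therefore bind to a set that lives in table y. */
const struct nft_set_model *lookup_byid_unchecked(unsigned int id)
{
    for (size_t i = 0; i < n_pending; i++)
        if (pending_sets[i].id == id)
            return &pending_sets[i];
    return NULL;
}

/* Fixed shape: entries that reside in a different table than the one the
 * referencing rule belongs to are skipped, so the ID is scoped per table. */
const struct nft_set_model *lookup_byid_checked(const struct nft_table_model *ctx_table,
                                               unsigned int id)
{
    for (size_t i = 0; i < n_pending; i++) {
        if (pending_sets[i].table != ctx_table)
            continue;                    /* foreign table: invisible to this rule */
        if (pending_sets[i].id == id)
            return &pending_sets[i];
    }
    return NULL;
}

/* Returns 1 if a rule being added to ctx_table may reference set `id`, else 0. */
int rule_may_reference_set(const struct nft_table_model *ctx_table, unsigned int id)
{
    return lookup_byid_checked(ctx_table, id) != NULL;
}

int main(void)
{
    /* A rule in table x references set ID 2, which actually lives in table y. */
    const struct nft_set_model *s = lookup_byid_unchecked(2);
    printf("unchecked lookup of id 2: %s (table %s)\n",
           s ? s->name : "none", s ? s->table->name : "-");
    printf("checked lookup from table x: %s\n",
           rule_may_reference_set(&table_x, 2) ? "allowed" : "rejected");
    printf("checked lookup from table y: %s\n",
           rule_may_reference_set(&table_y, 2) ? "allowed" : "rejected");
    return 0;
}
```

With the checked lookup, a rule in table x can only bind sets that table x owns, so deleting table y can no longer leave a rule in table x holding a pointer to a freed set.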
