Skip to content

[LTS 8.6] netfilter: nf_tables: Reject tables of unsupported family #438

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: ciqlts8_6
Choose a base branch
from
Open

[LTS 8.6] netfilter: nf_tables: Reject tables of unsupported family #438

wants to merge 1 commit into from

Conversation

pvts-mat
Copy link
Contributor

[LTS 8.6]
CVE-2023-6040
VULN-8162

Problem

https://www.openwall.com/lists/oss-security/2024/01/12/1

An out-of-bounds access vulnerability involving netfilter was reported
and fixed as:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f1082dd31fe461d482d69da2a8eccfeb7bf07ac2

While creating a new netfilter table, lack of a safeguard against
invalid nf_tables family (pf) values within `nf_tables_newtable`
function enables an attacker to achieve out-of-bounds access.

This out-of-bounds access can occur in two locations:

  1. `xt_find_target` function in `x_tables.c` can dereference the `xt`
    array without a boundary check. This allows an attacker to fake an
    `xt_af` data and achieve further ends.

  2. `nf_logger_find_get` function in `nf_log.c` uses `pf` as an index on
    `loggers` global which consists of `struct nf_logger` members. An
    attacker can find a suitable global data to fake as `struct nf_logger`
    and use the invalid `pf` to dereference adjacent global data.

Disabling unprivileged user namespaces mitigates the issue.

This issue was reported to Ubuntu Security directly by Lin Ma from Ant
Security Light-Year Lab and has been assigned CVE-2023-6040.

It affects upstream stable 5.4.y, 5.10.y, 5.15.y. Those require the fix
to be applied. Any upstream kernel newer than 5.18-rc1 should be safe.

Applicability: yes

nf_tables are enabled in LTS 8.6:

$ grep 'CONFIG_NF_TABLES\b' configs/*.config

configs/kernel-aarch64-debug.config:CONFIG_NF_TABLES=m
configs/kernel-aarch64.config:CONFIG_NF_TABLES=m
configs/kernel-ppc64le-debug.config:CONFIG_NF_TABLES=m
configs/kernel-ppc64le.config:CONFIG_NF_TABLES=m
configs/kernel-s390x-debug.config:CONFIG_NF_TABLES=m
configs/kernel-s390x-zfcpdump.config:CONFIG_NF_TABLES=m
configs/kernel-s390x.config:CONFIG_NF_TABLES=m
configs/kernel-x86_64-debug.config:CONFIG_NF_TABLES=m
configs/kernel-x86_64.config:CONFIG_NF_TABLES=m

The fixing commit f1082dd is not present in the affected file's net/netfilter/nf_tables_api.c history for ciqlts8_6, nor was it backported.

The bug can't be blamed on a single commit - there is no "fixes" commit indicated in f1082dd to check whether it exists in ciqlts8_6 history or not. However, without replicating Ant Security Lab's analysis it can be reasonably assumed that the bug is present in LTS 8.6 based on the following arguments:

  1. The fix was backported onto Linux 4.19 stable in 087d38a, suggesting that the close ciqlts8_6 kernel 4.18 is vulnerable.
  2. The xt_find_target function exists in net/netfilter/x_tables.c and it does dereference the xt array a couple of times without boundary checking:

    kernel-src-tree/net/netfilter/x_tables.c

    Line 238 in a5f217e

    mutex_lock(&xt[af].mutex);

    kernel-src-tree/net/netfilter/x_tables.c

    Line 239 in a5f217e

    list_for_each_entry(t, &xt[af].target, list) {

    kernel-src-tree/net/netfilter/x_tables.c

    Line 243 in a5f217e

    mutex_unlock(&xt[af].mutex);

    kernel-src-tree/net/netfilter/x_tables.c

    Line 250 in a5f217e

    mutex_unlock(&xt[af].mutex);
  3. The nf_logger_find_get function exists in net/netfilter/nf_log.c and the global loggers variable is dereferenced with pf

    kernel-src-tree/net/netfilter/nf_log.c

    Line 173 in a5f217e

    logger = rcu_dereference(loggers[pf][type]);

Solution

Naively cherry-picking the f1082dd commit leads to many conflicts but they aren't indicative of any semantic mismatches between the patch and net/netfilter/nf_tables_api.c file under ciqlts8_6 revision. The changes were applied manually as they appear in the diff.

kABI check: passed

DEBUG=1 CVE=CVE-2023-6040 ./ninja.sh _kabi_checked__x86_64--test--ciqlts8_6-CVE-2023-6040

[0/1] Check ABI of kernel [ciqlts8_6-CVE-2023-6040]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.6/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_6/build_files/kernel-src-tree-ciqlts8_6-CVE-2023-6040/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_6-CVE-2023-6040/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Coverage

The patch is contained within the netfilter subsystem which has its dedicated test suite - all the netfilter:* tests were picked for testing.

Reference

kselftests–ciqlts8_6–run1.log
kselftests–ciqlts8_6–run2.log
kselftests–ciqlts8_6–run3.log
kselftests–ciqlts8_6–run4.log

Patch

kselftests–ciqlts8_6-CVE-2023-6040–run1.log
kselftests–ciqlts8_6-CVE-2023-6040–run2.log
kselftests–ciqlts8_6-CVE-2023-6040–run3.log

Comparison

The reference and patch tests results are the same

ktests.xsh diff kselftests*.log

Column    File
--------  ---------------------------------------------
Status0   kselftests--ciqlts8_6--run1.log
Status1   kselftests--ciqlts8_6--run2.log
Status2   kselftests--ciqlts8_6--run3.log
Status3   kselftests--ciqlts8_6--run4.log
Status4   kselftests--ciqlts8_6-CVE-2023-6040--run1.log
Status5   kselftests--ciqlts8_6-CVE-2023-6040--run2.log
Status6   kselftests--ciqlts8_6-CVE-2023-6040--run3.log

TestCase                              Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
netfilter:conntrack_icmp_related.sh   pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh  fail     fail     fail     fail     fail     fail     fail     same
netfilter:ipvs.sh                     skip     skip     skip     skip     skip     skip     skip     same
netfilter:nft_flowtable.sh            fail     fail     fail     fail     fail     fail     fail     same
netfilter:nft_meta.sh                 pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_queue.sh                pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_trans_stress.sh         pass     pass     pass     pass     pass     pass     pass     same

Specific tests: skipped

@pvts-mat
netfilter: nf_tables: Reject tables of unsupported family
b660c08 
jira VULN-8162
cve CVE-2023-6040
commit-author Phil Sutter <[email protected]>
commit f1082dd

An nftables family is merely a hollow container, its family just a
number and such not reliant on compile-time options other than nftables
support itself. Add an artificial check so attempts at using a family
the kernel can't support fail as early as possible. This helps user
space detect kernels which lack e.g. NFPROTO_INET.

	Signed-off-by: Phil Sutter <[email protected]>
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit f1082dd)
	Signed-off-by: Marcin Wcisło <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@pvts-mat