netfilter: nf_tables: Fix potential data-race in __nft_obj_type_get()

gvrose8192 · gvrose8192 · commit 7a679a7de28d · 2024-11-08T13:19:39.000-08:00
jira VULN-4961 cve CVE-2024-27019 commit-author Ziyang Xuan <william.xuanziyang@huawei.com> commit d78d867 upstream-diff The cherry-pick tried to pull in extra cruft not part of the upstream patch. I have resolved the conflicts in favor of the 4.18.0-553.16.1 tagged code. nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. Fixes: e500924 ("netfilter: nf_tables: add stateful objects") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit d78d867) Signed-off-by: Greg Rose <g.v.rose@ciq.com> Conflicts: net/netfilter/nf_tables_api.c
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -6137,7 +6137,7 @@ static const struct nft_object_type *__nft_obj_type_get(u32 objtype)
 {
 	const struct nft_object_type *type;
 
-	list_for_each_entry(type, &nf_tables_objects, list) {
+	list_for_each_entry_rcu(type, &nf_tables_objects, list) {
 		if (objtype == type->type)
 			return type;
 	}
@@ -6149,9 +6149,13 @@ nft_obj_type_get(struct net *net, u32 objtype)
 {
 	const struct nft_object_type *type;
 
+	rcu_read_lock();
 	type = __nft_obj_type_get(objtype);
-	if (type != NULL && try_module_get(type->owner))
+	if (type != NULL && try_module_get(type->owner)) {
+		rcu_read_unlock();
 		return type;
+	}
+	rcu_read_unlock();
 
 	lockdep_nfnl_nft_mutex_not_held();
 #ifdef CONFIG_MODULES
