Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 22 Dec 2023 10:16:24 +0800
From: Xingyuan Mo <hdthky0@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-6817: Linux kernel: use-after-free in nf_tables

Hello,

I found a use-after-free vulnerability in the implementation of pipapo set
in Linux kernel nf_tables, which can lead to DoS or local privilege
escalation, with CAP_NET_ADMIN capability required. The bug is fixed in
v6.7-rc5 kernel and the patch is:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=317eb9685095678f2c9f5a8189de698c5354316a

=*=*=*=*=*=*=*=*=  Bug Details  =*=*=*=*=*=*=*=*=
According to the design of nf_tables, when calling NFT_MSG_DELSETELEM
command without a set element specified, all elements in the target set
will be deleted. During this process, nft_set_flush() is called, which
calls set->ops->walk() at (0).

static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask)
{
	struct nft_set_iter iter = {
		.genmask	= genmask,
		.fn		= nft_setelem_flush,
	};

	set->ops->walk(ctx, set, &iter);   <==== (0)
	if (!iter.err)
		iter.err = nft_set_catchall_flush(ctx, set);

	return iter.err;
}

If the backend is a pipapo set, nft_pipapo_walk() will be called. This
function does not check the activeness of an element before operating on
it, just like similar functions in other set backend such as
nft_rhash_walk(). Thus NFT_MSG_DELSETELEM command can be called
twice in one transaction to deleted every element in that set twice,
resulting in double free.

A POC is attached, which can be compiled with:
gcc -o poc poc.c -lnftnl -lmnl

I tested against v6.7-rc4 kernel and got a KASAN report as follows:
[  286.833955] ==================================================================
[  286.834580] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x43c/0x630
[  286.835253] Read of size 1 at addr ffff88800754ba88 by task kworker/0:0/8

[  286.835931] CPU: 0 PID: 8 Comm: kworker/0:0 Not tainted 6.7.0-rc4 #1
[  286.836440] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[  286.837167] Workqueue: events nf_tables_trans_destroy_work
[  286.837619] Call Trace:
[  286.837825]  <TASK>
[  286.838005]  dump_stack_lvl+0x3b/0x50
[  286.838316]  print_report+0xcf/0x620
[  286.838621]  ? __virt_addr_valid+0xf7/0x180
[  286.838974]  ? nf_tables_trans_destroy_work+0x43c/0x630
[  286.839397]  ? kasan_complete_mode_report_info+0x80/0x210
[  286.839839]  ? nf_tables_trans_destroy_work+0x43c/0x630
[  286.840269]  kasan_report+0xbd/0x100
[  286.840573]  ? nf_tables_trans_destroy_work+0x43c/0x630
[  286.841001]  __asan_load1+0x66/0x70
[  286.841297]  nf_tables_trans_destroy_work+0x43c/0x630
[  286.841719]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10
[  286.842175]  ? read_word_at_a_time+0x12/0x20
[  286.842528]  ? kick_pool+0x39/0x1a0
[  286.842829]  process_one_work+0x2e4/0x5c0
[  286.843167]  worker_thread+0x520/0x790
[  286.843491]  ? __pfx_worker_thread+0x10/0x10
[  286.843849]  kthread+0x16e/0x1b0
[  286.844119]  ? __pfx_kthread+0x10/0x10
[  286.844433]  ret_from_fork+0x3b/0x70
[  286.844750]  ? __pfx_kthread+0x10/0x10
[  286.845069]  ret_from_fork_asm+0x1b/0x30
[  286.845400]  </TASK>

[  286.845735] Allocated by task 279:
[  286.846028]  kasan_save_stack+0x2a/0x50
[  286.846352]  kasan_set_track+0x29/0x40
[  286.846669]  kasan_save_alloc_info+0x1f/0x30
[  286.847030]  __kasan_kmalloc+0x88/0xa0
[  286.847344]  __kmalloc+0x61/0x140
[  286.847630]  nft_set_elem_init+0x72/0x270
[  286.847971]  nft_add_set_elem+0xf7b/0x1bb0
[  286.848315]  nf_tables_newsetelem+0x3fb/0x4d0
[  286.848699]  nfnetlink_rcv_batch+0xcba/0xe90
[  286.849055]  nfnetlink_rcv+0x1df/0x220
[  286.849375]  netlink_unicast+0x3eb/0x540
[  286.849703]  netlink_sendmsg+0x44d/0x7d0
[  286.850039]  __sys_sendto+0x347/0x360
[  286.850353]  __x64_sys_sendto+0x7f/0xa0
[  286.850681]  do_syscall_64+0x46/0xf0
[  286.850980]  entry_SYSCALL_64_after_hwframe+0x6f/0x77

[  286.851546] Freed by task 8:
[  286.851795]  kasan_save_stack+0x2a/0x50
[  286.852121]  kasan_set_track+0x29/0x40
[  286.852447]  kasan_save_free_info+0x2f/0x50
[  286.852804]  __kasan_slab_free+0x113/0x1a0
[  286.853155]  __kmem_cache_free+0x82/0x1b0
[  286.853496]  kfree+0x78/0x120
[  286.853752]  nf_tables_trans_destroy_work+0x460/0x630
[  286.854177]  process_one_work+0x2e4/0x5c0
[  286.854513]  worker_thread+0x520/0x790
[  286.854840]  kthread+0x16e/0x1b0
[  286.855113]  ret_from_fork+0x3b/0x70
[  286.855424]  ret_from_fork_asm+0x1b/0x30

[  286.855890] Last potentially related work creation:
[  286.856296]  kasan_save_stack+0x2a/0x50
[  286.856630]  __kasan_record_aux_stack+0x92/0xa0
[  286.857028]  kasan_record_aux_stack_noalloc+0xf/0x20
[  286.857449]  kvfree_call_rcu+0x2c/0x470
[  286.857769]  kernfs_unlink_open_file+0x19c/0x1b0
[  286.858155]  kernfs_fop_release+0x6b/0x180
[  286.858500]  __fput+0x132/0x4e0
[  286.858765]  __fput_sync+0x35/0x40
[  286.859065]  __x64_sys_close+0x56/0xa0
[  286.859390]  do_syscall_64+0x46/0xf0
[  286.859695]  entry_SYSCALL_64_after_hwframe+0x6f/0x77

[  286.860259] The buggy address belongs to the object at ffff88800754ba80
                which belongs to the cache kmalloc-96 of size 96
[  286.861228] The buggy address is located 8 bytes inside of
                freed 96-byte region [ffff88800754ba80, ffff88800754bae0)

[  286.862296] The buggy address belongs to the physical page:
[  286.862745] page:00000000f0d84d4e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x754b
[  286.863468] anon flags: 0x100000000000800(slab|node=0|zone=1)
[  286.863929] page_type: 0xffffffff()
[  286.864219] raw: 0100000000000800 ffff888004c41780 ffffea00001bcb40 dead000000000005
[  286.864849] raw: 0000000000000000 0000000000200020 00000001ffffffff 0000000000000000
[  286.865451] page dumped because: kasan: bad access detected

[  286.866030] Memory state around the buggy address:
[  286.866412]  ffff88800754b980: 00 00 00 00 00 00 00 00 00 00 04 fc fc fc fc fc
[  286.866977]  ffff88800754ba00: 00 00 00 00 00 00 00 00 00 04 fc fc fc fc fc fc
[  286.867577] >ffff88800754ba80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  286.868185]                       ^
[  286.868489]  ffff88800754bb00: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  286.869089]  ffff88800754bb80: fa fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
[  286.869690] ==================================================================

=*=*=*=*=*=*=*=*=  Discoverer  =*=*=*=*=*=*=*=*=
Xingyuan Mo of IceSword Lab

Best,
Xingyuan Mo

View attachment "poc.c" of type "text/x-csrc" (7988 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.