CVE-2021-47106

In the Linux kernel, the following vulnerability has been resolved:

netfilter: nftables: fix use-after-free in nftsetcatchalldestroy()

We need to use listforeachentrysafe() iterator because we can not access @catchall after kfree_rcu() call.

syzbot reported:

BUG: KASAN: use-after-free in nftsetcatchalldestroy net/netfilter/nftablesapi.c:4486 [inline] BUG: KASAN: use-after-free in nftsetdestroy net/netfilter/nftablesapi.c:4504 [inline] BUG: KASAN: use-after-free in nftsetdestroy+0x3fd/0x4f0 net/netfilter/nftables_api.c:4493 Read of size 8 at addr ffff8880716e5b80 by task syz-executor.3/8871

CPU: 1 PID: 8871 Comm: syz-executor.3 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> _dumpstack lib/dumpstack.c:88 [inline] dumpstacklvl+0xcd/0x134 lib/dumpstack.c:106 printaddressdescription.constprop.0.cold+0x8d/0x2ed mm/kasan/report.c:247 _kasanreport mm/kasan/report.c:433 [inline] kasanreport.cold+0x83/0xdf mm/kasan/report.c:450 nftsetcatchalldestroy net/netfilter/nftablesapi.c:4486 [inline] nftsetdestroy net/netfilter/nftablesapi.c:4504 [inline] nftsetdestroy+0x3fd/0x4f0 net/netfilter/nftablesapi.c:4493 _nftreleasetable+0x79f/0xcd0 net/netfilter/nftablesapi.c:9626 nftrcvnlevent+0x4f8/0x670 net/netfilter/nftablesapi.c:9688 notifiercallchain+0xb5/0x200 kernel/notifier.c:83 blockingnotifiercallchain kernel/notifier.c:318 [inline] blockingnotifiercallchain+0x67/0x90 kernel/notifier.c:306 netlinkrelease+0xcb6/0x1dd0 net/netlink/afnetlink.c:788 _sockrelease+0xcd/0x280 net/socket.c:649 sockclose+0x18/0x20 net/socket.c:1314 _fput+0x286/0x9f0 fs/filetable.c:280 taskworkrun+0xdd/0x1a0 kernel/taskwork.c:164 tracehooknotifyresume include/linux/tracehook.h:189 [inline] exittousermodeloop kernel/entry/common.c:175 [inline] exittousermodeprepare+0x27e/0x290 kernel/entry/common.c:207 _syscallexittousermodework kernel/entry/common.c:289 [inline] syscallexittousermode+0x19/0x60 kernel/entry/common.c:300 dosyscall64+0x42/0xb0 arch/x86/entry/common.c:86 entrySYSCALL64afterhwframe+0x44/0xae RIP: 0033:0x7f75fbf28adb Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c 24 0c e8 63 fc ff ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 a1 fc ff ff 8b 44 RSP: 002b:00007ffd8da7ec10 EFLAGS: 00000293 ORIG_RAX: 0000000000000003 RAX: 0000000000000000 RBX: 0000000000000004 RCX: 00007f75fbf28adb RDX: 00007f75fc08e828 RSI: ffffffffffffffff RDI: 0000000000000003 RBP: 00007f75fc08a960 R08: 0000000000000000 R09: 00007f75fc08e830 R10: 00007ffd8da7ed10 R11: 0000000000000293 R12: 00000000002067c3 R13: 00007ffd8da7ed10 R14: 00007f75fc088f60 R15: 0000000000000032 </TASK>

Allocated by task 8886: kasansavestack+0x1e/0x50 mm/kasan/common.c:38 kasansettrack mm/kasan/common.c:46 [inline] setallocinfo mm/kasan/common.c:434 [inline] _kasankmalloc mm/kasan/common.c:513 [inline] kasankmalloc mm/kasan/common.c:472 [inline] _kasankmalloc+0xa6/0xd0 mm/kasan/common.c:522 kasankmalloc include/linux/kasan.h:269 [inline] kmemcachealloctrace+0x1ea/0x4a0 mm/slab.c:3575 kmalloc include/linux/slab.h:590 [inline] nftsetelemcatchallinsert net/netfilter/nftablesapi.c:5544 [inline] nftseteleminsert net/netfilter/nftablesapi.c:5562 [inline] nftaddsetelem+0x232e/0x2f40 net/netfilter/nftablesapi.c:5936 nftablesnewsetelem+0x6ff/0xbb0 net/netfilter/nftablesapi.c:6032 nfnetlinkrcvbatch+0x1710/0x25f0 net/netfilter/nfnetlink.c:513 nfnetlinkrcvskbbatch net/netfilter/nfnetlink.c:634 [inline] nfnetlinkrcv+0x3af/0x420 net/netfilter/nfnetlink.c:652 netlinkunicastkernel net/netlink/afnetlink.c:1319 [inline] netlinkunicast+0x533/0x7d0 net/netlink/afnetlink.c:1345 netlinksendmsg+0x904/0xdf0 net/netlink/afnetlink.c:1921 socksendmsgnosec net/ ---truncated---