Linux 本地提权漏洞(CVE-2023-31248)

nft_chain can be looked up by name, handle or ID. Let's go through the functions that do the job.

Lookup by name:

static struct nft_chain nft_chain_lookup(struct net net, struct nft_table table, const struct nlattr nla, u8 genmask) { char search[NFT_CHAIN_MAXNAMELEN + 1]; struct rhlist_head tmp, list; struct nft_chain *chain;

if (nla == NULL)
    return ERR_PTR(-EINVAL);

nla_strscpy(search, nla, sizeof(search));

WARN_ON(!rcu_read_lock_held() &&
    !lockdep_commit_lock_is_held(net));

chain = ERR_PTR(-ENOENT);
rcu_read_lock();
list = rhltable_lookup(&table->chains_ht, search, nft_chain_ht_params);
if (!list)
    goto out_unlock;

rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
    if (nft_active_genmask(chain, genmask))
        goto out_unlock;
}
chain = ERR_PTR(-ENOENT);

out_unlock: rcu_read_unlock(); return chain; } Lookup by handle:

static struct nft_chain nft_chain_lookup_byhandle(const struct nft_table table, u64 handle, u8 genmask) { struct nft_chain *chain;

list_for_each_entry(chain, &table->chains, list) {
    if (chain->handle == handle &&
        nft_active_genmask(chain, genmask))
        return chain;
}

return ERR_PTR(-ENOENT);

} Lookup by ID:

static struct nft_chain nft_chain_lookup_byid(const struct net net, const struct nft_table table, const struct nlattr nla) { struct nftables_pernet nft_net = nft_pernet(net); u32 id = ntohl(nla_get_be32(nla)); struct nft_trans trans;

list_for_each_entry(trans, &nft_net->commit_list, list) {
    struct nft_chain *chain = trans->ctx.chain;

    if (trans->msg_type == NFT_MSG_NEWCHAIN &&
        chain->table == table &&
        id == nft_trans_chain_id(trans))
        return chain;
}
return ERR_PTR(-ENOENT);

} In both nft_chain_lookup and nft_chain_lookup_byhandle, they check if the chain is active by calling nft_active_genmask. A chain will be deactivated if the user send a DELETE message for that chain. This check ensures that another object will not be able to refer to a deactivated chain. However in nft_chain_lookup_byid, the check will not be conducted. That means we can refer to a deactivated chain. But at cleanup stage, if chain->use is not 0, a warning will be issued and the chain won't be freed. We must find a way to make a reference to a deactivated chain while still satisfy the condition to free it.

Netfilter transaction will not free the deleted objects when commiting. Instead, Netfilter will run a deferred task to delete it later. Therefore, we can achieve Use-After-Free condition like this:

Batch 1:

• Create table
• Create chain victim
• Mark chain victim as deleted
• Create chain attack

• Create rule belong to attack chain, with a nft_immediate expression refer to victim by ID => victim->use == 1

• Commit the batch => Cleanup task will be queued

Batch 2:

• Mark the rule we created in the previous batch as deleted => victim->use == 0
• Wait for the cleanup task to complete => victim will be freed
• Fail the batch using some invalid input => the rule will not be marked as deleted anymore

The nft_immediate expression in the rule still refer to the freed chain. We have achieved Use-After-Free condition. From here we can spray fake chain object to leak (using nft_immediate dump function) or to execute code (need to create fake rule and fake expression as well to call expression ops). This primitive can be used multiple times reliably.