[PATCH net 05/14] netfilter: x_tables: reject unsupported families in xt_check_match/xt_check_target

[Florian Westphal <fw@strlen.de>]

From: Weiming Shi <bestswngs@gmail.com>

xt_match and xt_target structs registered with NFPROTO_UNSPEC can be
loaded by any protocol family through nft_compat. When such a
match/target sets .hooks to restrict which hooks it may run on, the
bitmask uses NF_INET_* constants. This is only correct for families
whose hook layout matches NF_INET_*: IPv4, IPv6, INET, and bridge
all share the same five hooks (PRE_ROUTING ... POST_ROUTING).

ARP only has three hooks (IN=0, OUT=1, FORWARD=2) with different
semantics. Because NF_ARP_OUT == 1 == NF_INET_LOCAL_IN, the .hooks
validation silently passes for the wrong reasons, allowing matches to
run on ARP chains where the hook assumptions (e.g. state->in being
set on input hooks) do not hold. This leads to NULL pointer
dereferences; xt_devgroup is one concrete example:

 Oops: general protection fault, probably for non-canonical address 0xdffffc0000000044: 0000 [#1] SMP KASAN NOPTI
 KASAN: null-ptr-deref in range [0x0000000000000220-0x0000000000000227]
 RIP: 0010:devgroup_mt+0xff/0x350
 Call Trace:
  <TASK>
  nft_match_eval (net/netfilter/nft_compat.c:407)
  nft_do_chain (net/netfilter/nf_tables_core.c:285)
  nft_do_chain_arp (net/netfilter/nft_chain_filter.c:61)
  nf_hook_slow (net/netfilter/core.c:623)
  arp_xmit (net/ipv4/arp.c:666)
  </TASK>
 Kernel panic - not syncing: Fatal exception in interrupt

Add a helper xt_family_has_inet_hooks() and call it from both
xt_check_match() and xt_check_target(): when a UNSPEC match/target
declares .hooks, reject families whose hook numbering differs from
the NF_INET_* scheme.

Also add .hooks to xt_devgroup so the framework-level check covers it;
previously it relied on manual hook validation in checkentry using
NF_INET_* constants, which suffers from the same collision.

Fixes: 9291747f118d ("netfilter: xtables: add device group match")
Reported-by: Xiang Mei <xmei5@asu.edu>
Signed-off-by: Weiming Shi <bestswngs@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/x_tables.c    | 36 ++++++++++++++++++++++++++++++++++++
 net/netfilter/xt_devgroup.c |  5 +++++
 2 files changed, 41 insertions(+)

diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e594b3b7ad82..a600592d0bff 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -477,6 +477,28 @@ int xt_check_proc_name(const char *name, unsigned int size)
 }
 EXPORT_SYMBOL(xt_check_proc_name);
 
+/*
+ * Families whose hook numbering follows the NF_INET_* scheme.
+ * ARP hooks (IN=0, OUT=1, FORWARD=2) use different semantics and
+ * collide numerically with NF_INET_* values, so UNSPEC matches/targets
+ * that declare .hooks must not run on ARP (or any other family whose
+ * hooks do not follow the INET layout).
+ */
+static bool xt_family_has_inet_hooks(u_int8_t family)
+{
+	switch (family) {
+	case NFPROTO_IPV4:
+	case NFPROTO_IPV6:
+	case NFPROTO_BRIDGE:
+		return true;
+	case NFPROTO_INET:
+		/* nftables only */
+		return false;
+	default:
+		return false;
+	}
+}
+
 int xt_check_match(struct xt_mtchk_param *par,
 		   unsigned int size, u16 proto, bool inv_proto)
 {
@@ -501,6 +523,13 @@ int xt_check_match(struct xt_mtchk_param *par,
 				    par->match->table, par->table);
 		return -EINVAL;
 	}
+	if (par->match->family == NFPROTO_UNSPEC &&
+	    par->match->hooks &&
+	    !xt_family_has_inet_hooks(par->family)) {
+		pr_info_ratelimited("%s_tables: %s match: not valid for this family\n",
+				    xt_prefix[par->family], par->match->name);
+		return -EINVAL;
+	}
 	if (par->match->hooks && (par->hook_mask & ~par->match->hooks) != 0) {
 		char used[64], allow[64];
 
@@ -1016,6 +1045,13 @@ int xt_check_target(struct xt_tgchk_param *par,
 				    par->target->table, par->table);
 		return -EINVAL;
 	}
+	if (par->target->family == NFPROTO_UNSPEC &&
+	    par->target->hooks &&
+	    !xt_family_has_inet_hooks(par->family)) {
+		pr_info_ratelimited("%s_tables: %s target: not valid for this family\n",
+				    xt_prefix[par->family], par->target->name);
+		return -EINVAL;
+	}
 	if (par->target->hooks && (par->hook_mask & ~par->target->hooks) != 0) {
 		char used[64], allow[64];
 
diff --git a/net/netfilter/xt_devgroup.c b/net/netfilter/xt_devgroup.c
index 9520dd00070b..8246bcfd2094 100644
--- a/net/netfilter/xt_devgroup.c
+++ b/net/netfilter/xt_devgroup.c
@@ -62,6 +62,11 @@ static struct xt_match devgroup_mt_reg __read_mostly = {
 	.checkentry	= devgroup_mt_checkentry,
 	.matchsize	= sizeof(struct xt_devgroup_info),
 	.family		= NFPROTO_UNSPEC,
+	.hooks		= (1 << NF_INET_PRE_ROUTING) |
+			  (1 << NF_INET_LOCAL_IN) |
+			  (1 << NF_INET_FORWARD) |
+			  (1 << NF_INET_LOCAL_OUT) |
+			  (1 << NF_INET_POST_ROUTING),
 	.me		= THIS_MODULE
 };
 
-- 
2.52.0