CVE-2022-48643

syzbot is reporting underflow of nftcountersenabled counter at nftablesaddchain() [1], for commit 43eb8949cfdffa76 ("netfilter: nftables: do not leave chain stats enabled on error") missed that nftableschaindestroy() after nftbasechaininit() in the error path of nftablesaddchain() decrements the counter because nftbasechaininit() makes nftisbasechain() return true by setting NFTCHAIN_BASE flag.

Increment the counter immediately after returning from nftbasechaininit().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

c907dfe4eaca9665694a0340de1458a093abe354

Fixed

710e3f526bd23a0d33435dedc52c3144de284378

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

6d7ddee503951641f3ec6f0e3269446970bbcdab

Fixed

91aa52652f4b37089aff3cb53e83049d826fef6d

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

98a621ef45e3605c7487f7fa6fec7df94697d6a2

Fixed

8bcad2a931313aeba076b76922d5813ef97d0a91

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

43eb8949cfdffa764b92bc6c54b87cbe5b0003fe

Fixed

921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd

Affected versions

v5.*

v5.10.140

v5.10.141

v5.10.142

v5.10.143

v5.10.144

v5.10.145

v5.15.64

v5.15.65

v5.15.66

v5.15.67

v5.15.68

v5.15.69

v5.15.70

v5.19.10

v5.19.11

v5.19.6

v5.19.7

v5.19.8

v5.19.9

v6.*

v6.0-rc2

v6.0-rc3

v6.0-rc4

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c",
            "function": "nf_tables_addchain"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8bcad2a931313aeba076b76922d5813ef97d0a91",
        "digest": {
            "length": 2840.0,
            "function_hash": "184528273155423572132800824306780848573"
        },
        "id": "CVE-2022-48643-271c4068"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c",
            "function": "nf_tables_addchain"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91aa52652f4b37089aff3cb53e83049d826fef6d",
        "digest": {
            "length": 2753.0,
            "function_hash": "177335988516786599944357633026727254279"
        },
        "id": "CVE-2022-48643-2ab84b9b"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@710e3f526bd23a0d33435dedc52c3144de284378",
        "digest": {
            "line_hashes": [
                "170454929693053930988022809987417511407",
                "54966068085112535187809573335302404621",
                "165364300495492407894891100050121900274",
                "207250344611914079312989550002753048425",
                "187026060301485800238168545076652821246",
                "147555595102991314706299668285811688738",
                "168401148892892341821945999171038403035",
                "136257061738148774397836703243018610726",
                "121443924845365930011198963642849191692",
                "83364803426216058933372817634371891218",
                "89721032868964719101186283361763391026",
                "230112867165311960005194606808612363124",
                "184882004586650889790993871873843533464",
                "13173156564624860164736990278663853204",
                "228979086545045643637946473191201586804",
                "194224460158832008315875135074101172927",
                "160949346094702166678313039344494712156"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-48643-52c7a9e9"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8bcad2a931313aeba076b76922d5813ef97d0a91",
        "digest": {
            "line_hashes": [
                "263508705780392362285064441453606618675",
                "54966068085112535187809573335302404621",
                "165364300495492407894891100050121900274",
                "207250344611914079312989550002753048425",
                "187026060301485800238168545076652821246",
                "147555595102991314706299668285811688738",
                "168401148892892341821945999171038403035",
                "136257061738148774397836703243018610726",
                "121443924845365930011198963642849191692",
                "83364803426216058933372817634371891218",
                "89721032868964719101186283361763391026",
                "230112867165311960005194606808612363124",
                "184882004586650889790993871873843533464",
                "13173156564624860164736990278663853204",
                "228979086545045643637946473191201586804",
                "194224460158832008315875135074101172927",
                "160949346094702166678313039344494712156"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-48643-9449f0ef"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@91aa52652f4b37089aff3cb53e83049d826fef6d",
        "digest": {
            "line_hashes": [
                "263508705780392362285064441453606618675",
                "54966068085112535187809573335302404621",
                "165364300495492407894891100050121900274",
                "207250344611914079312989550002753048425",
                "187026060301485800238168545076652821246",
                "147555595102991314706299668285811688738",
                "168401148892892341821945999171038403035",
                "136257061738148774397836703243018610726",
                "121443924845365930011198963642849191692",
                "83364803426216058933372817634371891218",
                "89721032868964719101186283361763391026",
                "230112867165311960005194606808612363124",
                "184882004586650889790993871873843533464",
                "13173156564624860164736990278663853204",
                "228979086545045643637946473191201586804",
                "194224460158832008315875135074101172927",
                "160949346094702166678313039344494712156"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-48643-9b5c59fd"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c",
            "function": "nf_tables_addchain"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@710e3f526bd23a0d33435dedc52c3144de284378",
        "digest": {
            "length": 2729.0,
            "function_hash": "282953513413631445234920873004355164299"
        },
        "id": "CVE-2022-48643-ac4f69db"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c",
            "function": "nf_tables_addchain"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd",
        "digest": {
            "length": 2840.0,
            "function_hash": "184528273155423572132800824306780848573"
        },
        "id": "CVE-2022-48643-e2ecd23a"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "target": {
            "file": "net/netfilter/nf_tables_api.c"
        },
        "signature_version": "v1",
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@921ebde3c0d22c8cba74ce8eb3cc4626abff1ccd",
        "digest": {
            "line_hashes": [
                "263508705780392362285064441453606618675",
                "54966068085112535187809573335302404621",
                "165364300495492407894891100050121900274",
                "207250344611914079312989550002753048425",
                "187026060301485800238168545076652821246",
                "147555595102991314706299668285811688738",
                "168401148892892341821945999171038403035",
                "136257061738148774397836703243018610726",
                "121443924845365930011198963642849191692",
                "83364803426216058933372817634371891218",
                "89721032868964719101186283361763391026",
                "230112867165311960005194606808612363124",
                "184882004586650889790993871873843533464",
                "13173156564624860164736990278663853204",
                "228979086545045643637946473191201586804",
                "194224460158832008315875135074101172927",
                "160949346094702166678313039344494712156"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2022-48643-eb89e0b8"
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.10.140

Fixed

5.10.146

Type: ECOSYSTEM
Events: Introduced

5.15.64

Fixed

5.15.71

Type: ECOSYSTEM
Events: Introduced

5.19.6

Fixed

5.19.12