Description: netfilter: nf_tables: validate registers coming from userspace
References:
 https://www.openwall.com/lists/oss-security/2022/03/28/5
 http://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
Notes:
 carnil> Exploitable starting from commit 345023b0db3 ("netfilter:
 carnil> nftables: add nft_parse_register_store() and use it") in
 carnil> 5.12-rc1 but bug present since commit 49499c3e6e18 ("netfilter:
 carnil> nf_tables: switch registers to 32 bit addressing") in 4.1-rc1.
 carnil> Fixed in 5.17.1 for 5.17.y and 5.16.18 for 5.16.y.
 bwh> If I understand this correctly, the issue is that nft_parse_register()
 bwh> could return a very large register number that would lead to integer
 bwh> overflow in the range check in nft_validate_register_{load,store}().
 bwh> This was not exploitable before commit 345023b0db3 because all in-tree
 bwh> callers truncated the return value of nft_parse_register() to 8 bits
 bwh> before passing it on to nft_validate_register_{load,store}().
 bwh> I also didn't find any out-of-tree modules using nft_parse_register()
 bwh> through codesearch.debian.net or GitHub.
Bugs:
upstream: released (5.18-rc1) [6e1acfa387b9ff82cfc7db8cc3b6959221a95851]
5.10-upstream-stable: N/A "Vulnerability introduced later"
4.19-upstream-stable: N/A "Vulnerability introduced later"
4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: released (5.16.18-1)
5.10-bullseye-security: N/A "Vulnerability introduced later"
4.19-buster-security: N/A "Vulnerability introduced later"
4.9-stretch-security: N/A "Vulnerability introduced later"