netfilter: nf_tables: discard table flag update with pending basechain deletion

jira VULN-5118
cve CVE-2024-35897
commit-author Pablo Neira Ayuso <[email protected]>
commit 1bc83a0

Hook unregistration is deferred to the commit phase, same occurs with
hook updates triggered by the table dormant flag. When both commands are
combined, this results in deleting a basechain while leaving its hook
still registered in the core.

Fixes: 179d9ba ("netfilter: nf_tables: fix table flag updates")
	Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 1bc83a0)
	Signed-off-by: Greg Rose <[email protected]>

Author: gvrose8192

net/netfilter/nf_tables_api.c

@@ -963,10 +963,11 @@ static bool nft_table_pending_update(const struct nft_ctx *ctx)
 		return true;
 
 	list_for_each_entry(trans, &nft_net->commit_list, list) {
-		if ((trans->msg_type == NFT_MSG_NEWCHAIN ||
-		     trans->msg_type == NFT_MSG_DELCHAIN) &&
-		    trans->ctx.table == ctx->table &&
-		    nft_trans_chain_update(trans))
+		if (trans->ctx.table == ctx->table &&
+		    ((trans->msg_type == NFT_MSG_NEWCHAIN &&
+		      nft_trans_chain_update(trans)) ||
+		     (trans->msg_type == NFT_MSG_DELCHAIN &&
+		      nft_is_base_chain(trans->ctx.chain))))
 			return true;
 	}