* [PATCH -stable,5.10 0/3] stable fixes for 5.10
From: Pablo Neira Ayuso @ 2023-06-26 11:05 UTC
  To: netfilter-devel; +Cc: stable, carnil

Hi Greg, Sasha,

The following batch contains Netfilter fixes for 5.10.

Patches 1 and 2 you can cherry-pick manually:

1) 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()")
2) 98494660a286 ("netfilter: nf_tables: validate registers coming from userspace.")

Patch 3 is a backport:

3) 99e73e80d3df ("netfilter: nf_tables: hold mutex on netns pre_exit path")

Thanks.

Pablo Neira Ayuso (3):
  netfilter: nftables: statify nft_parse_register()
  netfilter: nf_tables: validate registers coming from userspace.
  netfilter: nf_tables: hold mutex on netns pre_exit path

 include/net/netfilter/nf_tables.h |  1 -
 net/netfilter/nf_tables_api.c     | 34 +++++++++++++++++--------------
 2 files changed, 19 insertions(+), 16 deletions(-)

-- 
2.30.2


* [PATCH -stable,5.10 1/3] netfilter: nftables: statify nft_parse_register()
From: Pablo Neira Ayuso @ 2023-06-26 11:05 UTC
  To: netfilter-devel; +Cc: stable, carnil

[ 08a01c11a5bb3de9b0a9c9b2685867e50eda9910 ]

This function is not used anymore by any extension; statify it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h | 1 -
 net/netfilter/nf_tables_api.c     | 3 +--
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 564fbe0c865f..030237f3d82a 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -205,7 +205,6 @@ static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
 }
 
 int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
-unsigned int nft_parse_register(const struct nlattr *attr);
 int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
 
 int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
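Review bot: dropping the prototype from the public header is the part of this change that affects other modules, and the commit message does not say so; once the declaration is gone, nft_parse_register() is unreachable from extension modules and the remaining exported helpers declared here, nft_parse_register_load() and its store counterpart, become the only supported way to resolve a register attribute. Any out-of-tree extension that still calls nft_parse_register() directly will fail to build against 5.10.y after this, which is the intended outcome of the statify but worth stating explicitly.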
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fe51cedd9cc3..e1e1cde42075 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8489,7 +8489,7 @@ EXPORT_SYMBOL_GPL(nft_parse_u32_check);
  *	Registers used to be 128 bit wide, these register numbers will be
  *	mapped to the corresponding 32 bit register numbers.
  */
-unsigned int nft_parse_register(const struct nlattr *attr)
+static unsigned int nft_parse_register(const struct nlattr *attr)
 {
 	unsigned int reg;
 
@@ -8501,7 +8501,6 @@ unsigned int nft_parse_register(const struct nlattr *attr)
 		return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
 	}
 }
-EXPORT_SYMBOL_GPL(nft_parse_register);
 
 /**
  *	nft_dump_register - dump a register value to a netlink attribute
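Review bot: the EXPORT_SYMBOL_GPL() removal here must land in the same commit as the `static` added two hunks up; EXPORT_SYMBOL on a static symbol does not build, so splitting the backport would leave a non-building bisection point. The kerneldoc block kept above the function still describes the 128-bit to 32-bit register mapping accurately, so no comment update is needed in this patch.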
-- 
2.30.2


* [PATCH -stable,5.10 2/3] netfilter: nf_tables: validate registers coming from userspace.
From: Pablo Neira Ayuso @ 2023-06-26 11:05 UTC
  To: netfilter-devel; +Cc: stable, carnil

[ 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 ]

Bail out in case userspace uses unsupported registers.

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index e1e1cde42075..0b2a6f988e9b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8480,26 +8480,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
 }
 EXPORT_SYMBOL_GPL(nft_parse_u32_check);
 
-/**
- *	nft_parse_register - parse a register value from a netlink attribute
- *
- *	@attr: netlink attribute
- *
- *	Parse and translate a register value from a netlink attribute.
- *	Registers used to be 128 bit wide, these register numbers will be
- *	mapped to the corresponding 32 bit register numbers.
- */
-static unsigned int nft_parse_register(const struct nlattr *attr)
+static int nft_parse_register(const struct nlattr *attr, u32 *preg)
 {
 	unsigned int reg;
 
 	reg = ntohl(nla_get_be32(attr));
 	switch (reg) {
 	case NFT_REG_VERDICT...NFT_REG_4:
-		return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
+		*preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
+		break;
+	case NFT_REG32_00...NFT_REG32_15:
+		*preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+		break;
 	default:
-		return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+		return -ERANGE;
 	}
+
+	return 0;
 }
 
 /**
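Review bot: the kerneldoc block is deleted together with the signature change rather than updated; a short comment stating the new contract (`*preg` is written only when the attribute names a register in NFT_REG_VERDICT...NFT_REG_4 or NFT_REG32_00...NFT_REG32_15, otherwise -ERANGE is returned and `*preg` is left untouched) would help callers, since reading `reg` after a failed return is exactly the bug pattern this is meant to close. Functionally the change is right: the old `default:` arm applied the 32-bit register formula to every value outside the verdict/legacy range, including values below NFT_REG32_00 and above NFT_REG32_15, which left nft_validate_register_load()/store() as the only guard against a userspace-chosen register number; rejecting those values at parse time is the safer layering.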
@@ -8550,7 +8547,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
 	u32 reg;
 	int err;
 
-	reg = nft_parse_register(attr);
+	err = nft_parse_register(attr, &reg);
+	if (err < 0)
+		return err;
+
 	err = nft_validate_register_load(reg, len);
 	if (err < 0)
 		return err;
@@ -8619,7 +8619,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx,
 	int err;
 	u32 reg;
 
-	reg = nft_parse_register(attr);
+	err = nft_parse_register(attr, &reg);
+	if (err < 0)
+		return err;
+
 	err = nft_validate_register_store(ctx, reg, data, type, len);
 	if (err < 0)
 		return err;
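Review bot: the early return mirrors the load path in the previous hunk, and it is required rather than merely tidy: `reg` is declared without an initialiser and is now only assigned on the two valid case arms, so skipping the `err < 0` check would pass an uninitialised register number into nft_validate_register_store(). Since patch 1 made nft_parse_register() static, these two callers are its complete user set, so -ERANGE propagates to the expression init code through nft_parse_register_load()/store() with no other path left to update.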
-- 
2.30.2


* [PATCH -stable,5.10 3/3] netfilter: nf_tables: hold mutex on netns pre_exit path
From: Pablo Neira Ayuso @ 2023-06-26 11:05 UTC
  To: netfilter-devel; +Cc: stable, carnil

[ 3923b1e4406680d57da7e873da77b1683035d83f ]

clean_net() runs in a workqueue while walking over the lists; grab the mutex.

Fixes: 767d1216bff8 ("netfilter: nftables: fix possible UAF over chains from packet path in netns")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_tables_api.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 0b2a6f988e9b..f5607d4359bb 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8980,7 +8980,9 @@ static int __net_init nf_tables_init_net(struct net *net)
 
 static void __net_exit nf_tables_pre_exit_net(struct net *net)
 {
+	mutex_lock(&net->nft.commit_mutex);
 	__nft_release_hooks(net);
+	mutex_unlock(&net->nft.commit_mutex);
 }
 
 static void __net_exit nf_tables_exit_net(struct net *net)
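Review bot: the lock is taken around the whole __nft_release_hooks() walk, which matches the commit message's point that clean_net() walks the same lists from a workqueue; what the hunk does not show, and the 5.10 backport should be checked for, is that __nft_release_hooks() is never entered with net->nft.commit_mutex already held, since a kernel mutex is not recursive and that would deadlock the netns teardown. Separately, the cover letter lists this patch as upstream 99e73e80d3df while the header above says 3923b1e4406680d57da7e873da77b1683035d83f; stable records the id from the patch body, so one of the two should be corrected before queuing.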
-- 
2.30.2


* Re: [PATCH -stable,5.10 0/3] stable fixes for 5.10
From: Greg KH @ 2023-06-26 15:27 UTC
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, stable, carnil

On Mon, Jun 26, 2023 at 01:05:03PM +0200, Pablo Neira Ayuso wrote:
> Hi Greg, Sasha,
> 
> The following batch contains Netfilter fixes for 5.10.
> 
> Patches 1 and 2 you can cherry-pick manually:
> 
> 1) 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()")
> 2) 98494660a286 ("netfilter: nf_tables: validate registers coming from userspace.")
> 
> Patch 3 is a backport:
> 
> 3) 99e73e80d3df ("netfilter: nf_tables: hold mutex on netns pre_exit path")
> 
> Thanks.
> 
> Pablo Neira Ayuso (3):
>   netfilter: nftables: statify nft_parse_register()
>   netfilter: nf_tables: validate registers coming from userspace.
>   netfilter: nf_tables: hold mutex on netns pre_exit path
> 
>  include/net/netfilter/nf_tables.h |  1 -
>  net/netfilter/nf_tables_api.c     | 34 +++++++++++++++++--------------
>  2 files changed, 19 insertions(+), 16 deletions(-)
> 
> -- 
> 2.30.2
> 

All now queued up, thanks.

greg k-h
