* [PATCH net 0/6] Netfilter fixes for net
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix missing overflow use refcount checks in nf_tables.

2) Do not set IPS_ASSURED for IPS_NAT_CLASH entries in GRE tracker,
   from Florian Westphal.

3) Bail out if nf_ct_helper_hash is NULL before registering helper,
   from Florent Revest.

4) Use siphash() instead of siphash_4u64() to fix performance regression,
   also from Florian.

5) Do not allow to add rules to removed chains via ID,
   from Thadeu Lima de Souza Cascardo.

6) Fix oob read access in byteorder expression, also from Thadeu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-07-06

Thanks.
----------------------------------------------------------------
The following changes since commit c451410ca7e3d8eeb31d141fc20c200e21754ba4:

  Merge branch 'mptcp-fixes' (2023-07-05 10:51:14 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-06

for you to fetch changes up to caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd:

  netfilter: nf_tables: prevent OOB access in nft_byteorder_eval (2023-07-06 00:53:14 +0200)

----------------------------------------------------------------
netfilter pull request 23-07-06

----------------------------------------------------------------
Florent Revest (1):
      netfilter: conntrack: Avoid nf_ct_helper_hash uses after free

Florian Westphal (2):
      netfilter: conntrack: gre: don't set assured flag for clash entries
      netfilter: conntrack: don't fold port numbers into addresses before hashing

Pablo Neira Ayuso (1):
      netfilter: nf_tables: report use refcount overflow

Thadeu Lima de Souza Cascardo (2):
      netfilter: nf_tables: do not ignore genmask when looking up chain by id
      netfilter: nf_tables: prevent OOB access in nft_byteorder_eval

 include/net/netfilter/nf_conntrack_tuple.h |   3 +
 include/net/netfilter/nf_tables.h          |  31 ++++-
 net/netfilter/nf_conntrack_core.c          |  20 ++--
 net/netfilter/nf_conntrack_helper.c        |   4 +
 net/netfilter/nf_conntrack_proto_gre.c     |  10 +-
 net/netfilter/nf_tables_api.c              | 174 ++++++++++++++++++-----------
 net/netfilter/nft_byteorder.c              |  14 +--
 net/netfilter/nft_flow_offload.c           |   6 +-
 net/netfilter/nft_immediate.c              |   8 +-
 net/netfilter/nft_objref.c                 |   8 +-
 10 files changed, 178 insertions(+), 100 deletions(-)
* [PATCH net 1/6] netfilter: nf_tables: report use refcount overflow
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Overflow use refcount checks are not complete.

Add helper function to deal with object reference counter tracking.
Report -EMFILE in case UINT_MAX is reached.

nft_use_dec() splats in case that reference counter underflows,
which should not ever happen.

Add nft_use_inc_restore() and nft_use_dec_restore() which are used
to restore reference counter from error and abort paths.

Use u32 in nft_flowtable and nft_object since helper functions
cannot work on bitfields.

Remove the few early incomplete checks now that the helper functions
are in place and used to check for refcount overflow.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h |  31 +++++-
 net/netfilter/nf_tables_api.c     | 163 ++++++++++++++++++------------
 net/netfilter/nft_flow_offload.c  |   6 +-
 net/netfilter/nft_immediate.c     |   8 +-
 net/netfilter/nft_objref.c        |   8 +-
 5 files changed, 141 insertions(+), 75 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 84f2fd85fd5a..640441a2f926 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1211,6 +1211,29 @@ int __nft_release_basechain(struct nft_ctx *ctx); unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); +static inline bool nft_use_inc(u32 *use) +{ + if (*use == UINT_MAX) + return false; + + (*use)++; + + return true; +} + +static inline void nft_use_dec(u32 *use) +{ + WARN_ON_ONCE((*use)-- == 0); +} + +/* For error and abort path: restore use counter to previous state. */ +static inline void nft_use_inc_restore(u32 *use) +{ + WARN_ON_ONCE(!nft_use_inc(use)); +} + +#define nft_use_dec_restore nft_use_dec + /** * struct nft_table - nf_tables table * @@ -1296,8 +1319,8 @@ struct nft_object { struct list_head list; struct rhlist_head rhlhead; struct nft_object_hash_key key; - u32 genmask:2, - use:30; + u32 genmask:2; + u32 use; u64 handle; u16 udlen; u8 *udata; @@ -1399,8 +1422,8 @@ struct nft_flowtable { char *name; int hooknum; int ops_len; - u32 genmask:2, - use:30; + u32 genmask:2; + u32 use; u64 handle; /* runtime data below here */ struct list_head hook_list ____cacheline_aligned; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 9573a8fcad79..86b3c4de7f40 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -253,8 +253,10 @@ int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain) if (chain->bound) return -EBUSY; + if (!nft_use_inc(&chain->use)) + return -EMFILE; + chain->bound = true; - chain->use++; nft_chain_trans_bind(ctx, chain); return 0; @@ -437,7 +439,7 @@ static int nft_delchain(struct nft_ctx *ctx) if (IS_ERR(trans)) return PTR_ERR(trans); - ctx->table->use--; + nft_use_dec(&ctx->table->use); nft_deactivate_next(ctx->net, ctx->chain); return 0; @@ -476,7 +478,7 @@ nf_tables_delrule_deactivate(struct nft_ctx *ctx, struct nft_rule *rule) /* You cannot delete the same rule twice */ if (nft_is_active_next(ctx->net, rule)) { nft_deactivate_next(ctx->net, rule); - ctx->chain->use--; + nft_use_dec(&ctx->chain->use); return 0; } return -ENOENT; 
@@ -644,7 +646,7 @@ static int nft_delset(const struct nft_ctx *ctx, struct nft_set *set) nft_map_deactivate(ctx, set); nft_deactivate_next(ctx->net, set); - ctx->table->use--; + nft_use_dec(&ctx->table->use); return err; } @@ -676,7 +678,7 @@ static int nft_delobj(struct nft_ctx *ctx, struct nft_object *obj) return err; nft_deactivate_next(ctx->net, obj); - ctx->table->use--; + nft_use_dec(&ctx->table->use); return err; } @@ -711,7 +713,7 @@ static int nft_delflowtable(struct nft_ctx *ctx, return err; nft_deactivate_next(ctx->net, flowtable); - ctx->table->use--; + nft_use_dec(&ctx->table->use); return err; } @@ -2396,9 +2398,6 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, struct nft_chain *chain; int err; - if (table->use == UINT_MAX) - return -EOVERFLOW; - if (nla[NFTA_CHAIN_HOOK]) { struct nft_stats __percpu *stats = NULL; struct nft_chain_hook hook = {}; @@ -2494,6 +2493,11 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, if (err < 0) goto err_destroy_chain; + if (!nft_use_inc(&table->use)) { + err = -EMFILE; + goto err_use; + } + trans = nft_trans_chain_add(ctx, NFT_MSG_NEWCHAIN); if (IS_ERR(trans)) { err = PTR_ERR(trans); @@ -2510,10 +2514,11 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, goto err_unregister_hook; } - table->use++; - return 0; + err_unregister_hook: + nft_use_dec_restore(&table->use); +err_use: nf_tables_unregister_hook(net, table, chain); err_destroy_chain: nf_tables_chain_destroy(ctx); @@ -3840,9 +3845,6 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, return -EINVAL; handle = nf_tables_alloc_handle(table); - if (chain->use == UINT_MAX) - return -EOVERFLOW; - if (nla[NFTA_RULE_POSITION]) { pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION])); old_rule = __nft_rule_lookup(chain, pos_handle); 
@@ -3936,6 +3938,11 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, } } + if (!nft_use_inc(&chain->use)) { + err = -EMFILE; + goto err_release_rule; + } + if (info->nlh->nlmsg_flags & NLM_F_REPLACE) { err = nft_delrule(&ctx, old_rule); if (err < 0) @@ -3967,7 +3974,6 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, } } kvfree(expr_info); - chain->use++; if (flow) nft_trans_flow_rule(trans) = flow; @@ -3978,6 +3984,7 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, return 0; err_destroy_flow_rule: + nft_use_dec_restore(&chain->use); if (flow) nft_flow_rule_destroy(flow); err_release_rule: @@ -5014,9 +5021,15 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, alloc_size = sizeof(*set) + size + udlen; if (alloc_size < size || alloc_size > INT_MAX) return -ENOMEM; + + if (!nft_use_inc(&table->use)) + return -EMFILE; + set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT); - if (!set) - return -ENOMEM; + if (!set) { + err = -ENOMEM; + goto err_alloc; + } name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT); if (!name) { @@ -5074,7 +5087,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, goto err_set_expr_alloc; list_add_tail_rcu(&set->list, &table->sets); - table->use++; + return 0; err_set_expr_alloc: @@ -5086,6 +5099,9 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info, kfree(set->name); err_set_name: kvfree(set); +err_alloc: + nft_use_dec_restore(&table->use); + return err; } @@ -5224,9 +5240,6 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_binding *i; struct nft_set_iter iter; - if (set->use == UINT_MAX) - return -EOVERFLOW; - if (!list_empty(&set->bindings) && nft_set_is_anonymous(set)) return -EBUSY; 
@@ -5254,10 +5267,12 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, return iter.err; } bind: + if (!nft_use_inc(&set->use)) + return -EMFILE; + binding->chain = ctx->chain; list_add_tail_rcu(&binding->list, &set->bindings); nft_set_trans_bind(ctx, set); - set->use++; return 0; } @@ -5331,7 +5346,7 @@ void nf_tables_activate_set(const struct nft_ctx *ctx, struct nft_set *set) nft_clear(ctx->net, set); } - set->use++; + nft_use_inc_restore(&set->use); } EXPORT_SYMBOL_GPL(nf_tables_activate_set); @@ -5347,7 +5362,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, else list_del_rcu(&binding->list); - set->use--; + nft_use_dec(&set->use); break; case NFT_TRANS_PREPARE: if (nft_set_is_anonymous(set)) { @@ -5356,7 +5371,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, nft_deactivate_next(ctx->net, set); } - set->use--; + nft_use_dec(&set->use); return; case NFT_TRANS_ABORT: case NFT_TRANS_RELEASE: @@ -5364,7 +5379,7 @@ void nf_tables_deactivate_set(const struct nft_ctx *ctx, struct nft_set *set, set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) nft_map_deactivate(ctx, set); - set->use--; + nft_use_dec(&set->use); fallthrough; default: nf_tables_unbind_set(ctx, set, binding, @@ -6155,7 +6170,7 @@ void nft_set_elem_destroy(const struct nft_set *set, void *elem, nft_set_elem_expr_destroy(&ctx, nft_set_ext_expr(ext)); if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) - (*nft_set_ext_obj(ext))->use--; + nft_use_dec(&(*nft_set_ext_obj(ext))->use); kfree(elem); } EXPORT_SYMBOL_GPL(nft_set_elem_destroy); @@ -6657,8 +6672,16 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, set->objtype, genmask); if (IS_ERR(obj)) { err = PTR_ERR(obj); + obj = NULL; goto err_parse_key_end; } + + if (!nft_use_inc(&obj->use)) { + err = -EMFILE; + obj = NULL; + goto err_parse_key_end; + } + err = nft_set_ext_add(&tmpl, NFT_SET_EXT_OBJREF); if (err < 0) goto err_parse_key_end; 
@@ -6727,10 +6750,9 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, if (flags) *nft_set_ext_flags(ext) = flags; - if (obj) { + if (obj) *nft_set_ext_obj(ext) = obj; - obj->use++; - } + if (ulen > 0) { if (nft_set_ext_check(&tmpl, NFT_SET_EXT_USERDATA, ulen) < 0) { err = -EINVAL; @@ -6798,12 +6820,13 @@ static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, kfree(trans); err_elem_free: nf_tables_set_elem_destroy(ctx, set, elem.priv); - if (obj) - obj->use--; err_parse_data: if (nla[NFTA_SET_ELEM_DATA] != NULL) nft_data_release(&elem.data.val, desc.type); err_parse_key_end: + if (obj) + nft_use_dec_restore(&obj->use); + nft_data_release(&elem.key_end.val, NFT_DATA_VALUE); err_parse_key: nft_data_release(&elem.key.val, NFT_DATA_VALUE); @@ -6883,7 +6906,7 @@ void nft_data_hold(const struct nft_data *data, enum nft_data_types type) case NFT_JUMP: case NFT_GOTO: chain = data->verdict.chain; - chain->use++; + nft_use_inc_restore(&chain->use); break; } } @@ -6898,7 +6921,7 @@ static void nft_setelem_data_activate(const struct net *net, if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) nft_data_hold(nft_set_ext_data(ext), set->dtype); if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) - (*nft_set_ext_obj(ext))->use++; + nft_use_inc_restore(&(*nft_set_ext_obj(ext))->use); } static void nft_setelem_data_deactivate(const struct net *net, @@ -6910,7 +6933,7 @@ static void nft_setelem_data_deactivate(const struct net *net, if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA)) nft_data_release(nft_set_ext_data(ext), set->dtype); if (nft_set_ext_exists(ext, NFT_SET_EXT_OBJREF)) - (*nft_set_ext_obj(ext))->use--; + nft_use_dec(&(*nft_set_ext_obj(ext))->use); } static int nft_del_setelem(struct nft_ctx *ctx, struct nft_set *set, 
@@ -7453,9 +7476,14 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); + if (!nft_use_inc(&table->use)) + return -EMFILE; + type = nft_obj_type_get(net, objtype); - if (IS_ERR(type)) - return PTR_ERR(type); + if (IS_ERR(type)) { + err = PTR_ERR(type); + goto err_type; + } obj = nft_obj_init(&ctx, type, nla[NFTA_OBJ_DATA]); if (IS_ERR(obj)) { @@ -7489,7 +7517,7 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, goto err_obj_ht; list_add_tail_rcu(&obj->list, &table->objects); - table->use++; + return 0; err_obj_ht: /* queued in transaction log */ @@ -7505,6 +7533,9 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info, kfree(obj); err_init: module_put(type->owner); +err_type: + nft_use_dec_restore(&table->use); + return err; } @@ -7906,7 +7937,7 @@ void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx, case NFT_TRANS_PREPARE: case NFT_TRANS_ABORT: case NFT_TRANS_RELEASE: - flowtable->use--; + nft_use_dec(&flowtable->use); fallthrough; default: return; @@ -8260,9 +8291,14 @@ static int nf_tables_newflowtable(struct sk_buff *skb, nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla); + if (!nft_use_inc(&table->use)) + return -EMFILE; + flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT); - if (!flowtable) - return -ENOMEM; + if (!flowtable) { + err = -ENOMEM; + goto flowtable_alloc; + } flowtable->table = table; flowtable->handle = nf_tables_alloc_handle(table); @@ -8317,7 +8353,6 @@ static int nf_tables_newflowtable(struct sk_buff *skb, goto err5; list_add_tail_rcu(&flowtable->list, &table->flowtables); - table->use++; return 0; err5: @@ -8334,6 +8369,9 @@ static int nf_tables_newflowtable(struct sk_buff *skb, kfree(flowtable->name); err1: kfree(flowtable); +flowtable_alloc: + nft_use_dec_restore(&table->use); + return err; } 
@@ -9713,7 +9751,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) */ if (nft_set_is_anonymous(nft_trans_set(trans)) && !list_empty(&nft_trans_set(trans)->bindings)) - trans->ctx.table->use--; + nft_use_dec(&trans->ctx.table->use); } nf_tables_set_notify(&trans->ctx, nft_trans_set(trans), NFT_MSG_NEWSET, GFP_KERNEL); @@ -9943,7 +9981,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) nft_trans_destroy(trans); break; } - trans->ctx.table->use--; + nft_use_dec_restore(&trans->ctx.table->use); nft_chain_del(trans->ctx.chain); nf_tables_unregister_hook(trans->ctx.net, trans->ctx.table, @@ -9956,7 +9994,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) list_splice(&nft_trans_chain_hooks(trans), &nft_trans_basechain(trans)->hook_list); } else { - trans->ctx.table->use++; + nft_use_inc_restore(&trans->ctx.table->use); nft_clear(trans->ctx.net, trans->ctx.chain); } nft_trans_destroy(trans); @@ -9966,7 +10004,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) nft_trans_destroy(trans); break; } - trans->ctx.chain->use--; + nft_use_dec_restore(&trans->ctx.chain->use); list_del_rcu(&nft_trans_rule(trans)->list); nft_rule_expr_deactivate(&trans->ctx, nft_trans_rule(trans), @@ -9976,7 +10014,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) break; case NFT_MSG_DELRULE: case NFT_MSG_DESTROYRULE: - trans->ctx.chain->use++; + nft_use_inc_restore(&trans->ctx.chain->use); nft_clear(trans->ctx.net, nft_trans_rule(trans)); nft_rule_expr_activate(&trans->ctx, nft_trans_rule(trans)); if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD) @@ -9989,7 +10027,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) nft_trans_destroy(trans); break; } - trans->ctx.table->use--; + nft_use_dec_restore(&trans->ctx.table->use); if (nft_trans_set_bound(trans)) { nft_trans_destroy(trans); break; 
@@ -9998,7 +10036,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) break; case NFT_MSG_DELSET: case NFT_MSG_DESTROYSET: - trans->ctx.table->use++; + nft_use_inc_restore(&trans->ctx.table->use); nft_clear(trans->ctx.net, nft_trans_set(trans)); if (nft_trans_set(trans)->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) nft_map_activate(&trans->ctx, nft_trans_set(trans)); @@ -10042,13 +10080,13 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) nft_obj_destroy(&trans->ctx, nft_trans_obj_newobj(trans)); nft_trans_destroy(trans); } else { - trans->ctx.table->use--; + nft_use_dec_restore(&trans->ctx.table->use); nft_obj_del(nft_trans_obj(trans)); } break; case NFT_MSG_DELOBJ: case NFT_MSG_DESTROYOBJ: - trans->ctx.table->use++; + nft_use_inc_restore(&trans->ctx.table->use); nft_clear(trans->ctx.net, nft_trans_obj(trans)); nft_trans_destroy(trans); break; @@ -10057,7 +10095,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) nft_unregister_flowtable_net_hooks(net, &nft_trans_flowtable_hooks(trans)); } else { - trans->ctx.table->use--; + nft_use_dec_restore(&trans->ctx.table->use); list_del_rcu(&nft_trans_flowtable(trans)->list); nft_unregister_flowtable_net_hooks(net, &nft_trans_flowtable(trans)->hook_list); @@ -10069,7 +10107,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action) list_splice(&nft_trans_flowtable_hooks(trans), &nft_trans_flowtable(trans)->hook_list); } else { - trans->ctx.table->use++; + nft_use_inc_restore(&trans->ctx.table->use); nft_clear(trans->ctx.net, nft_trans_flowtable(trans)); } nft_trans_destroy(trans); @@ -10518,8 +10556,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, if (desc->flags & NFT_DATA_DESC_SETELEM && chain->flags & NFT_CHAIN_BINDING) return -EINVAL; + if (!nft_use_inc(&chain->use)) + return -EMFILE; - chain->use++; data->verdict.chain = chain; break; } 
@@ -10537,7 +10576,7 @@ static void nft_verdict_uninit(const struct nft_data *data) case NFT_JUMP: case NFT_GOTO: chain = data->verdict.chain; - chain->use--; + nft_use_dec(&chain->use); break; } } @@ -10706,11 +10745,11 @@ int __nft_release_basechain(struct nft_ctx *ctx) nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain); list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) { list_del(&rule->list); - ctx->chain->use--; + nft_use_dec(&ctx->chain->use); nf_tables_rule_release(ctx, rule); } nft_chain_del(ctx->chain); - ctx->table->use--; + nft_use_dec(&ctx->table->use); nf_tables_chain_destroy(ctx); return 0; @@ -10760,18 +10799,18 @@ static void __nft_release_table(struct net *net, struct nft_table *table) ctx.chain = chain; list_for_each_entry_safe(rule, nr, &chain->rules, list) { list_del(&rule->list); - chain->use--; + nft_use_dec(&chain->use); nf_tables_rule_release(&ctx, rule); } } list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { list_del(&flowtable->list); - table->use--; + nft_use_dec(&table->use); nf_tables_flowtable_destroy(flowtable); } list_for_each_entry_safe(set, ns, &table->sets, list) { list_del(&set->list); - table->use--; + nft_use_dec(&table->use); if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) nft_map_deactivate(&ctx, set); @@ -10779,13 +10818,13 @@ static void __nft_release_table(struct net *net, struct nft_table *table) } list_for_each_entry_safe(obj, ne, &table->objects, list) { nft_obj_del(obj); - table->use--; + nft_use_dec(&table->use); nft_obj_destroy(&ctx, obj); } list_for_each_entry_safe(chain, nc, &table->chains, list) { ctx.chain = chain; nft_chain_del(chain); - table->use--; + nft_use_dec(&table->use); nf_tables_chain_destroy(&ctx); } nf_tables_table_destroy(&ctx); diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 5ef9146e74ad..ab3362c483b4 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c 
@@ -408,8 +408,10 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx, if (IS_ERR(flowtable)) return PTR_ERR(flowtable); + if (!nft_use_inc(&flowtable->use)) + return -EMFILE; + priv->flowtable = flowtable; - flowtable->use++; return nf_ct_netns_get(ctx->net, ctx->family); } @@ -428,7 +430,7 @@ static void nft_flow_offload_activate(const struct nft_ctx *ctx, { struct nft_flow_offload *priv = nft_expr_priv(expr); - priv->flowtable->use++; + nft_use_inc_restore(&priv->flowtable->use); } static void nft_flow_offload_destroy(const struct nft_ctx *ctx, diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index 3d76ebfe8939..407d7197f75b 100644 --- a/net/netfilter/nft_immediate.c +++ b/net/netfilter/nft_immediate.c @@ -159,7 +159,7 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx, default: nft_chain_del(chain); chain->bound = false; - chain->table->use--; + nft_use_dec(&chain->table->use); break; } break; @@ -198,7 +198,7 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx, * let the transaction records release this chain and its rules. */ if (chain->bound) { - chain->use--; + nft_use_dec(&chain->use); break; } @@ -206,9 +206,9 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx, chain_ctx = *ctx; chain_ctx.chain = chain; - chain->use--; + nft_use_dec(&chain->use); list_for_each_entry_safe(rule, n, &chain->rules, list) { - chain->use--; + nft_use_dec(&chain->use); list_del(&rule->list); nf_tables_rule_destroy(&chain_ctx, rule); } diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c index a48dd5b5d45b..509011b1ef59 100644 --- a/net/netfilter/nft_objref.c +++ b/net/netfilter/nft_objref.c @@ -41,8 +41,10 @@ static int nft_objref_init(const struct nft_ctx *ctx, if (IS_ERR(obj)) return -ENOENT; + if (!nft_use_inc(&obj->use)) + return -EMFILE; + nft_objref_priv(expr) = obj; - obj->use++; return 0; } 
@@ -72,7 +74,7 @@ static void nft_objref_deactivate(const struct nft_ctx *ctx, if (phase == NFT_TRANS_COMMIT) return; - obj->use--; + nft_use_dec(&obj->use); } static void nft_objref_activate(const struct nft_ctx *ctx, @@ -80,7 +82,7 @@ static void nft_objref_activate(const struct nft_ctx *ctx, { struct nft_object *obj = nft_objref_priv(expr); - obj->use++; + nft_use_inc_restore(&obj->use); } static const struct nft_expr_ops nft_objref_ops = { -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
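Review bot: in the nf_tables.h hunk at @@ -1211, nft_use_dec() still performs the decrement after WARN_ON_ONCE() fires, so a single underflow leaves the counter at UINT_MAX: every later nft_use_inc() on that object then fails with -EMFILE while further nft_use_dec() calls run silently. Saturating instead, e.g. `if (WARN_ON_ONCE(*use == 0)) return; (*use)--;`, would contain a bookkeeping bug to one splat. The `#define nft_use_dec_restore nft_use_dec` alias also sits outside the "For error and abort path" comment that documents nft_use_inc_restore(); a one-line comment, or a static inline wrapper, would keep the two restore helpers documented together.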
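Review bot: in the nft_add_set_elem() hunk at @@ -6657, the two new `obj = NULL;` assignments before `goto err_parse_key_end` are what keep the new `if (obj) nft_use_dec_restore(&obj->use);` at that label from dereferencing an ERR_PTR or releasing a reference that was never taken. A short comment at the assignments would make that dependency explicit; clearing a pointer right after IS_ERR() otherwise reads as redundant and is exactly the kind of line a later cleanup drops.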
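Review bot: the new unwind label in the nf_tables_newflowtable() hunk at @@ -8334 is named `flowtable_alloc:`, while the equivalent labels this patch adds to nf_tables_newset() and nf_tables_newobj() are `err_alloc:` and `err_type:`, and the rest of the function uses `err1` through `err5`. Naming it `err_alloc:` (or `err_use:`) would keep the error chain consistent across the three functions the patch touches in the same way.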
* Re: [PATCH net 1/6] netfilter: nf_tables: report use refcount overflow
From: Paolo Abeni @ 2023-07-06 9:01 UTC
To: Pablo Neira Ayuso, netfilter-devel; +Cc: davem, netdev, kuba, edumazet

On Thu, 2023-07-06 at 01:04 +0200, Pablo Neira Ayuso wrote:
> Overflow use refcount checks are not complete.
>
> Add helper function to deal with object reference counter tracking.
> Report -EMFILE in case UINT_MAX is reached.
>
> nft_use_dec() splats in case that reference counter underflows,
> which should not ever happen.

For the records, I also once had the need for a non-atomic reference
counter implementing sanity checks on underflows/overflows. I resorted
to use plain refcount_t, since the atomic op overhead was not noticeable
in my use-case.

[not blocking this series, just thinking aloud]

I'm wondering if a generic, non-atomic refcounter infra could be useful?

Cheers,

Paolo
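The nft_use_inc()/nft_use_dec() helpers introduced by patch 1/6, and Paolo's point above about a non-atomic counter with overflow and underflow checks, as an added stand-alone C example that is not part of the patch or of this thread. It models the helpers in user space, replaces the kernel's WARN_ON_ONCE() with a counter (an assumption, so the splat is observable), and walks the take-reference / fail / restore pattern the patch applies in nf_tables_newrule() and the other creation paths. `struct owner`, `add_child()`, `fill_to_limit()` and the other names are hypothetical.

```c
/* Added example, not kernel code: user-space model of the nft_use_inc()/
 * nft_use_dec() helpers from the patch. WARN_ON_ONCE() is replaced by a
 * counter (an assumption for this example) so the splat can be observed. */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;

static unsigned int splat_count;   /* how many times WARN_ON() fired */

/* Stand-in for the kernel's WARN_ON_ONCE(): evaluates cond exactly once and
 * records it instead of printing a backtrace. */
#define WARN_ON(cond) do { if (cond) splat_count++; } while (0)

/* Take a reference, refusing to wrap at UINT_MAX; the caller must fail. */
static inline bool use_inc(u32 *use)
{
	if (*use == UINT_MAX)
		return false;
	(*use)++;
	return true;
}

/* Drop a reference; going below zero is a bookkeeping bug, so it splats. */
static inline void use_dec(u32 *use)
{
	WARN_ON((*use)-- == 0);
}

/* Abort path: re-take a reference dropped earlier in the same transaction,
 * so the increment is expected to succeed. */
static inline void use_inc_restore(u32 *use)
{
	WARN_ON(!use_inc(use));
}
#define use_dec_restore use_dec

/* Hypothetical owner, standing in for an nft_chain counting its rules. */
struct owner {
	u32 use;
};

/* The pattern the patch applies in nf_tables_newrule() and friends: take the
 * reference before the fallible work and give it back on the error path, so
 * a failed request leaves the owner's counter exactly where it was. */
static int add_child(struct owner *o, bool later_step_fails)
{
	if (!use_inc(&o->use))
		return -EMFILE;          /* too many references */

	if (later_step_fails) {      /* e.g. an allocation failed */
		use_dec_restore(&o->use);
		return -ENOMEM;
	}
	return 0;
}

/* Starting 'headroom' references below UINT_MAX, attach children until the
 * counter refuses; returns how many were accepted. */
static unsigned int fill_to_limit(unsigned int headroom)
{
	struct owner o = { .use = UINT_MAX - headroom };
	unsigned int accepted = 0;

	while (add_child(&o, false) == 0)
		accepted++;
	return accepted;
}

/* Counter value after an add that fails part-way through. */
static u32 use_after_failed_add(u32 start)
{
	struct owner o = { .use = start };

	add_child(&o, true);
	return o.use;
}

/* Transaction abort: a delete dropped the reference, abort re-takes it. */
static u32 use_after_aborted_delete(u32 start)
{
	struct owner o = { .use = start };

	use_dec(&o.use);
	use_inc_restore(&o.use);
	return o.use;
}

/* Decrement an owner that holds no references; returns splats produced. */
static unsigned int underflow_splats(void)
{
	struct owner o = { .use = 0 };

	splat_count = 0;
	use_dec(&o.use);
	return splat_count;
}

int main(void)
{
	printf("accepted with 3 of headroom: %u\n", fill_to_limit(3));
	printf("use after failed add from 7: %u\n", (unsigned)use_after_failed_add(7));
	printf("use after aborted delete from 5: %u\n", (unsigned)use_after_aborted_delete(5));
	printf("underflow splats: %u\n", underflow_splats());
	return 0;
}
```

The point the example makes against the old `use++`/`use--` code is visible in fill_to_limit(): the fourth add is refused rather than wrapping the counter to zero, and use_after_failed_add() shows why the restore helper must run on every error path that follows the increment.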
* Re: [PATCH net 1/6] netfilter: nf_tables: report use refcount overflow
From: patchwork-bot+netdevbpf @ 2023-07-06 9:20 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 6 Jul 2023 01:04:01 +0200 you wrote:
> Overflow use refcount checks are not complete.
>
> Add helper function to deal with object reference counter tracking.
> Report -EMFILE in case UINT_MAX is reached.
>
> nft_use_dec() splats in case that reference counter underflows,
> which should not ever happen.
>
> [...]

Here is the summary with links:
  - [net,1/6] netfilter: nf_tables: report use refcount overflow
    https://git.kernel.org/netdev/net/c/1689f25924ad
  - [net,2/6] netfilter: conntrack: gre: don't set assured flag for clash entries
    https://git.kernel.org/netdev/net/c/8a9dc07ba924
  - [net,3/6] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
    https://git.kernel.org/netdev/net/c/6eef7a2b9338
  - [net,4/6] netfilter: conntrack: don't fold port numbers into addresses before hashing
    https://git.kernel.org/netdev/net/c/eaf9e7192ec9
  - [net,5/6] netfilter: nf_tables: do not ignore genmask when looking up chain by id
    https://git.kernel.org/netdev/net/c/515ad530795c
  - [net,6/6] netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
    https://git.kernel.org/netdev/net/c/caf3ef7468f7

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net 2/6] netfilter: conntrack: gre: don't set assured flag for clash entries
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

From: Florian Westphal <fw@strlen.de>

Now that conntrack core is allowed to insert clashing entries, make sure
GRE won't set assured flag on NAT_CLASH entries, just like UDP.

Doing so prevents early_drop logic for these entries.

Fixes: d671fd82eaa9 ("netfilter: conntrack: allow insertion clash of gre protocol")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_proto_gre.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c
index ad6f0ca40cd2..af369e686fc5 100644
--- a/net/netfilter/nf_conntrack_proto_gre.c
+++ b/net/netfilter/nf_conntrack_proto_gre.c
@@ -205,6 +205,8 @@ int nf_conntrack_gre_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo, const struct nf_hook_state *state) { + unsigned long status; + if (!nf_ct_is_confirmed(ct)) { unsigned int *timeouts = nf_ct_timeout_lookup(ct);
@@ -217,11 +219,17 @@ int nf_conntrack_gre_packet(struct nf_conn *ct, ct->proto.gre.timeout = timeouts[GRE_CT_UNREPLIED]; } + status = READ_ONCE(ct->status); /* If we've seen traffic both ways, this is a GRE connection. * Extend timeout. */ - if (ct->status & IPS_SEEN_REPLY) { + if (status & IPS_SEEN_REPLY) { nf_ct_refresh_acct(ct, ctinfo, skb, ct->proto.gre.stream_timeout); + + /* never set ASSURED for IPS_NAT_CLASH, they time out soon */ + if (unlikely((status & IPS_NAT_CLASH))) + return NF_ACCEPT; + /* Also, more likely to be important, and not a probe. */ if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) nf_conntrack_event_cache(IPCT_ASSURED, ct); -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
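Review bot: in the @@ -217 hunk, `if (unlikely((status & IPS_NAT_CLASH)))` carries a redundant pair of parentheses; `if (unlikely(status & IPS_NAT_CLASH))` matches the surrounding style. The comment above it would also benefit from saying that `status` is the READ_ONCE() snapshot taken before the IPS_SEEN_REPLY test, while the test_and_set_bit() just below still operates on the live ct->status, so the clash check and the assured update are deliberately based on two different reads.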
* [PATCH net 3/6] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

From: Florent Revest <revest@chromium.org>

If nf_conntrack_init_start() fails (for example due to a
register_nf_conntrack_bpf() failure), the nf_conntrack_helper_fini()
clean-up path frees the nf_ct_helper_hash map.

When built with NF_CONNTRACK=y, further netfilter modules (e.g:
netfilter_conntrack_ftp) can still be loaded and call
nf_conntrack_helpers_register(), independently of whether nf_conntrack
initialized correctly. This accesses the nf_ct_helper_hash dangling
pointer and causes a uaf, possibly leading to random memory corruption.

This patch guards nf_conntrack_helper_register() from accessing a freed
or uninitialized nf_ct_helper_hash pointer and fixes possible
uses-after-free when loading a conntrack module.

Cc: stable@vger.kernel.org
Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Florent Revest <revest@chromium.org>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_helper.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 0c4db2f2ac43..f22691f83853 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c @@ -360,6 +360,9 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me) BUG_ON(me->expect_class_max >= NF_CT_MAX_EXPECT_CLASSES); BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1); + if (!nf_ct_helper_hash) + return -ENOENT; + if (me->expect_policy->max_expected > NF_CT_EXPECT_MAX_CNT) return -EINVAL; @@ -515,4 +518,5 @@ int nf_conntrack_helper_init(void) void nf_conntrack_helper_fini(void) { kvfree(nf_ct_helper_hash); + nf_ct_helper_hash = NULL; } -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
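Review bot: in the nf_conntrack_helper_register() hunk at @@ -360, returning -ENOENT when nf_ct_helper_hash is NULL surfaces to whoever loads the helper module as "No such file or directory", which says nothing about conntrack having failed to initialise; -ENODEV, or a pr_warn_once() naming the cause, would make the failure diagnosable from dmesg. The guard is also a plain read of the global with no comment on what serialises it against nf_conntrack_helper_fini() now setting the pointer to NULL in the second hunk; a sentence stating that both run from init/exit context (or naming the lock) would answer that question for the next reader.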
* [PATCH net 4/6] netfilter: conntrack: don't fold port numbers into addresses before hashing 2023-07-05 23:04 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso ` (2 preceding siblings ...) 2023-07-05 23:04 ` [PATCH net 3/6] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free Pablo Neira Ayuso @ 2023-07-05 23:04 ` Pablo Neira Ayuso 2023-07-05 23:04 ` [PATCH net 5/6] netfilter: nf_tables: do not ignore genmask when looking up chain by id Pablo Neira Ayuso 2023-07-05 23:04 ` [PATCH net 6/6] netfilter: nf_tables: prevent OOB access in nft_byteorder_eval Pablo Neira Ayuso 5 siblings, 0 replies; 19+ messages in thread From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet From: Florian Westphal <fw@strlen.de> Originally this used jhash2() over tuple and folded the zone id, the pernet hash value, destination port and l4 protocol number into the 32bit seed value. When the switch to siphash was done, I used an on-stack temporary buffer to build a suitable key to be hashed via siphash(). But this showed up as performance regression, so I got rid of the temporary copy and collected to-be-hashed data in 4 u64 variables. This makes it easy to build tuples that produce the same hash, which isn't desirable even though chain lengths are limited. Switch back to plain siphash, but just like with jhash2(), take advantage of the fact that most of to-be-hashed data is already in a suitable order. Use an empty struct as annotation in 'struct nf_conntrack_tuple' to mark last member that can be used as hash input. The only remaining data that isn't present in the tuple structure are the zone identifier and the pernet hash: fold those into the key. Fixes: d2c806abcf0b ("netfilter: conntrack: use siphash_4u64") Signed-off-by: Florian Westphal <fw@strlen.de> 
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_tuple.h | 3 +++ net/netfilter/nf_conntrack_core.c | 20 +++++++------------- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h index 9334371c94e2..f7dd950ff250 100644 --- a/include/net/netfilter/nf_conntrack_tuple.h +++ b/include/net/netfilter/nf_conntrack_tuple.h @@ -67,6 +67,9 @@ struct nf_conntrack_tuple { /* The protocol. */ u_int8_t protonum; + /* The direction must be ignored for the tuplehash */ + struct { } __nfct_hash_offsetend; + /* The direction (for tuplehash) */ u_int8_t dir; } dst; diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index d119f1d4c2fc..992393102d5f 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c 
@@ -211,24 +211,18 @@ static u32 hash_conntrack_raw(const struct nf_conntrack_tuple *tuple, unsigned int zoneid, const struct net *net) { - u64 a, b, c, d; + siphash_key_t key; get_random_once(&nf_conntrack_hash_rnd, sizeof(nf_conntrack_hash_rnd)); - /* The direction must be ignored, handle usable tuplehash members manually */ - a = (u64)tuple->src.u3.all[0] << 32 | tuple->src.u3.all[3]; - b = (u64)tuple->dst.u3.all[0] << 32 | tuple->dst.u3.all[3]; + key = nf_conntrack_hash_rnd; - c = (__force u64)tuple->src.u.all << 32 | (__force u64)tuple->dst.u.all << 16; - c |= tuple->dst.protonum; + key.key[0] ^= zoneid; + key.key[1] ^= net_hash_mix(net); - d = (u64)zoneid << 32 | net_hash_mix(net); - - /* IPv4: u3.all[1,2,3] == 0 */ - c ^= (u64)tuple->src.u3.all[1] << 32 | tuple->src.u3.all[2]; - d += (u64)tuple->dst.u3.all[1] << 32 | tuple->dst.u3.all[2]; - - return (u32)siphash_4u64(a, b, c, d, &nf_conntrack_hash_rnd); + return siphash((void *)tuple, + offsetofend(struct nf_conntrack_tuple, dst.__nfct_hash_offsetend), + &key); } static u32 scale_hash(u32 hash) -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
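Review bot: the empty `__nfct_hash_offsetend` marker in struct nf_conntrack_tuple turns struct layout into a contract: every member before it, including any compiler padding between the u3, u and protonum fields, is fed to siphash(), and any member added after it is silently left out of the hash. The comment on the marker only says the direction must be ignored; suggest spelling out that hash_conntrack_raw() hashes the tuple up to this point, that new hashed fields must go above it, and that tuples must be fully zeroed (padding included) so that equal tuples hash equally.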
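Review bot: hashing the raw tuple bytes with `siphash((void *)tuple, offsetofend(struct nf_conntrack_tuple, dst.__nfct_hash_offsetend), &key)` drops the old `/* IPv4: u3.all[1,2,3] == 0 */` comment, yet the new code depends on that invariant more than the old one did: the 4u64 folding mixed in selected words, whereas now any stale byte in u3.all[1..3] of an IPv4 tuple changes the hash. Please keep that comment (or a stronger one) above the siphash() call. Copying nf_conntrack_hash_rnd into the local `key` before XORing zoneid and net_hash_mix(net) into key.key[0] and key.key[1] is correct, since the global seed is left untouched.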
* [PATCH net 5/6] netfilter: nf_tables: do not ignore genmask when looking up chain by id
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> When adding a rule to a chain referring to its ID, if that chain had been deleted on the same batch, the rule might end up referring to a deleted chain. This will lead to a WARNING like following: [ 33.098431] ------------[ cut here ]------------ [ 33.098678] WARNING: CPU: 5 PID: 69 at net/netfilter/nf_tables_api.c:2037 nf_tables_chain_destroy+0x23d/0x260 [ 33.099217] Modules linked in: [ 33.099388] CPU: 5 PID: 69 Comm: kworker/5:1 Not tainted 6.4.0+ #409 [ 33.099726] Workqueue: events nf_tables_trans_destroy_work [ 33.100018] RIP: 0010:nf_tables_chain_destroy+0x23d/0x260 [ 33.100306] Code: 8b 7c 24 68 e8 64 9c ed fe 4c 89 e7 e8 5c 9c ed fe 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 c3 cc cc cc cc <0f> 0b 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d 31 c0 89 c6 89 c7 [ 33.101271] RSP: 0018:ffffc900004ffc48 EFLAGS: 00010202 [ 33.101546] RAX: 0000000000000001 RBX: ffff888006fc0a28 RCX: 0000000000000000 [ 33.101920] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 33.102649] RBP: ffffc900004ffc78 R08: 0000000000000000 R09: 0000000000000000 [ 33.103018] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8880135ef500 [ 33.103385] R13: 0000000000000000 R14: dead000000000122 R15: ffff888006fc0a10 [ 33.103762] FS: 0000000000000000(0000) GS:ffff888024c80000(0000) knlGS:0000000000000000 [ 33.104184] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 33.104493] CR2: 00007fe863b56a50 CR3: 00000000124b0001 CR4: 0000000000770ee0 [ 33.104872] PKRU: 55555554 [ 33.104999] Call Trace: [ 33.105113] <TASK> [ 33.105214] ? show_regs+0x72/0x90 [ 33.105371] ? __warn+0xa5/0x210 [ 33.105520] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.105732] ? report_bug+0x1f2/0x200 [ 33.105902] ? handle_bug+0x46/0x90 [ 33.106546] ? exc_invalid_op+0x19/0x50 [ 33.106762] ? asm_exc_invalid_op+0x1b/0x20 [ 33.106995] ? nf_tables_chain_destroy+0x23d/0x260 [ 33.107249] ? 
nf_tables_chain_destroy+0x30/0x260 [ 33.107506] nf_tables_trans_destroy_work+0x669/0x680 [ 33.107782] ? mark_held_locks+0x28/0xa0 [ 33.107996] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [ 33.108294] ? _raw_spin_unlock_irq+0x28/0x70 [ 33.108538] process_one_work+0x68c/0xb70 [ 33.108755] ? lock_acquire+0x17f/0x420 [ 33.108977] ? __pfx_process_one_work+0x10/0x10 [ 33.109218] ? do_raw_spin_lock+0x128/0x1d0 [ 33.109435] ? _raw_spin_lock_irq+0x71/0x80 [ 33.109634] worker_thread+0x2bd/0x700 [ 33.109817] ? __pfx_worker_thread+0x10/0x10 [ 33.110254] kthread+0x18b/0x1d0 [ 33.110410] ? __pfx_kthread+0x10/0x10 [ 33.110581] ret_from_fork+0x29/0x50 [ 33.110757] </TASK> [ 33.110866] irq event stamp: 1651 [ 33.111017] hardirqs last enabled at (1659): [<ffffffffa206a209>] __up_console_sem+0x79/0xa0 [ 33.111379] hardirqs last disabled at (1666): [<ffffffffa206a1ee>] __up_console_sem+0x5e/0xa0 [ 33.111740] softirqs last enabled at (1616): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0 [ 33.112094] softirqs last disabled at (1367): [<ffffffffa1f5d40e>] __irq_exit_rcu+0x9e/0xe0 [ 33.112453] ---[ end trace 0000000000000000 ]--- This is due to the nft_chain_lookup_byid ignoring the genmask. After this change, adding the new rule will fail as it will not find the chain. Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") Cc: stable@vger.kernel.org Reported-by: Mingi Cho of Theori working with ZDI Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_tables_api.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 86b3c4de7f40..237f739da3ca 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c 
@@ -2699,7 +2699,7 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, static struct nft_chain *nft_chain_lookup_byid(const struct net *net, const struct nft_table *table, - const struct nlattr *nla) + const struct nlattr *nla, u8 genmask) { struct nftables_pernet *nft_net = nft_pernet(net); u32 id = ntohl(nla_get_be32(nla)); @@ -2710,7 +2710,8 @@ static struct nft_chain *nft_chain_lookup_byid(const struct net *net, if (trans->msg_type == NFT_MSG_NEWCHAIN && chain->table == table && - id == nft_trans_chain_id(trans)) + id == nft_trans_chain_id(trans) && + nft_active_genmask(chain, genmask)) return chain; } return ERR_PTR(-ENOENT); @@ -3814,7 +3815,8 @@ static int nf_tables_newrule(struct sk_buff *skb, const struct nfnl_info *info, return -EOPNOTSUPP; } else if (nla[NFTA_RULE_CHAIN_ID]) { - chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID]); + chain = nft_chain_lookup_byid(net, table, nla[NFTA_RULE_CHAIN_ID], + genmask); if (IS_ERR(chain)) { NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_CHAIN_ID]); return PTR_ERR(chain); @@ -10540,7 +10542,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, genmask); } else if (tb[NFTA_VERDICT_CHAIN_ID]) { chain = nft_chain_lookup_byid(ctx->net, ctx->table, - tb[NFTA_VERDICT_CHAIN_ID]); + tb[NFTA_VERDICT_CHAIN_ID], + genmask); if (IS_ERR(chain)) return PTR_ERR(chain); } else { -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
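Review bot: adding `u8 genmask` as the trailing parameter of nft_chain_lookup_byid() matches the order used by the neighbouring lookup in nft_verdict_init() (the call just above the last hunk already passes `genmask` last), so callers read consistently; and because the signature changed, any caller this patch missed would fail to compile, which is a useful safety net for the stable backport.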
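Review bot: the added `nft_active_genmask(chain, genmask)` in the transaction-list walk is the actual fix, but why it works is not obvious from the code: a chain created and then deleted in the same batch still has its NFT_MSG_NEWCHAIN transaction in the list, and only the deletion clearing its active bit for the next generation tells the two apart. A short comment on the condition to that effect would save the next reader a trip to the WARNING in the commit message.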
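Review bot: with genmask passed through in nf_tables_newrule(), an NFTA_RULE_CHAIN_ID that names a chain deleted earlier in the same batch now yields -ENOENT with NL_SET_BAD_ATTR() pointing at the chain-id attribute, which is the right attribute to blame; it would be worth stating the errno in the commit message where it says "adding the new rule will fail", so the userspace-visible behaviour for this case is documented.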
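Review bot: passing `genmask` from nft_verdict_init() closes the same hole for jump/goto verdicts that reference a chain by NFTA_VERDICT_CHAIN_ID, not just for rules with NFTA_RULE_CHAIN_ID; this second caller is easy to forget in backports, so it is good that both are in one patch under a single Fixes tag. No issue with the hunk itself.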
* [PATCH net 6/6] netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
From: Pablo Neira Ayuso @ 2023-07-05 23:04 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> When evaluating byteorder expressions with size 2, a union with 32-bit and 16-bit members is used. Since the 16-bit members are aligned to 32-bit, the array accesses will be out-of-bounds. It may lead to a stack-out-of-bounds access like the one below: [ 23.095215] ================================================================== [ 23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320 [ 23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115 [ 23.096358] [ 23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413 [ 23.096770] Call Trace: [ 23.096910] <IRQ> [ 23.097030] dump_stack_lvl+0x60/0xc0 [ 23.097218] print_report+0xcf/0x630 [ 23.097388] ? nft_byteorder_eval+0x13c/0x320 [ 23.097577] ? kasan_addr_to_slab+0xd/0xc0 [ 23.097760] ? nft_byteorder_eval+0x13c/0x320 [ 23.097949] kasan_report+0xc9/0x110 [ 23.098106] ? nft_byteorder_eval+0x13c/0x320 [ 23.098298] __asan_load2+0x83/0xd0 [ 23.098453] nft_byteorder_eval+0x13c/0x320 [ 23.098659] nft_do_chain+0x1c8/0xc50 [ 23.098852] ? __pfx_nft_do_chain+0x10/0x10 [ 23.099078] ? __kasan_check_read+0x11/0x20 [ 23.099295] ? __pfx___lock_acquire+0x10/0x10 [ 23.099535] ? __pfx___lock_acquire+0x10/0x10 [ 23.099745] ? __kasan_check_read+0x11/0x20 [ 23.099929] nft_do_chain_ipv4+0xfe/0x140 [ 23.100105] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [ 23.100327] ? lock_release+0x204/0x400 [ 23.100515] ? nf_hook.constprop.0+0x340/0x550 [ 23.100779] nf_hook_slow+0x6c/0x100 [ 23.100977] ? __pfx_nft_do_chain_ipv4+0x10/0x10 [ 23.101223] nf_hook.constprop.0+0x334/0x550 [ 23.101443] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 23.101677] ? __pfx_nf_hook.constprop.0+0x10/0x10 [ 23.101882] ? __pfx_ip_rcv_finish+0x10/0x10 [ 23.102071] ? __pfx_ip_local_deliver_finish+0x10/0x10 [ 23.102291] ? rcu_read_lock_held+0x4b/0x70 [ 23.102481] ip_local_deliver+0xbb/0x110 [ 23.102665] ? __pfx_ip_rcv+0x10/0x10 [ 23.102839] ip_rcv+0x199/0x2a0 [ 23.102980] ? 
__pfx_ip_rcv+0x10/0x10 [ 23.103140] __netif_receive_skb_one_core+0x13e/0x150 [ 23.103362] ? __pfx___netif_receive_skb_one_core+0x10/0x10 [ 23.103647] ? mark_held_locks+0x48/0xa0 [ 23.103819] ? process_backlog+0x36c/0x380 [ 23.103999] __netif_receive_skb+0x23/0xc0 [ 23.104179] process_backlog+0x91/0x380 [ 23.104350] __napi_poll.constprop.0+0x66/0x360 [ 23.104589] ? net_rx_action+0x1cb/0x610 [ 23.104811] net_rx_action+0x33e/0x610 [ 23.105024] ? _raw_spin_unlock+0x23/0x50 [ 23.105257] ? __pfx_net_rx_action+0x10/0x10 [ 23.105485] ? mark_held_locks+0x48/0xa0 [ 23.105741] __do_softirq+0xfa/0x5ab [ 23.105956] ? __dev_queue_xmit+0x765/0x1c00 [ 23.106193] do_softirq.part.0+0x49/0xc0 [ 23.106423] </IRQ> [ 23.106547] <TASK> [ 23.106670] __local_bh_enable_ip+0xf5/0x120 [ 23.106903] __dev_queue_xmit+0x789/0x1c00 [ 23.107131] ? __pfx___dev_queue_xmit+0x10/0x10 [ 23.107381] ? find_held_lock+0x8e/0xb0 [ 23.107585] ? lock_release+0x204/0x400 [ 23.107798] ? neigh_resolve_output+0x185/0x350 [ 23.108049] ? mark_held_locks+0x48/0xa0 [ 23.108265] ? neigh_resolve_output+0x185/0x350 [ 23.108514] neigh_resolve_output+0x246/0x350 [ 23.108753] ? neigh_resolve_output+0x246/0x350 [ 23.109003] ip_finish_output2+0x3c3/0x10b0 [ 23.109250] ? __pfx_ip_finish_output2+0x10/0x10 [ 23.109510] ? __pfx_nf_hook+0x10/0x10 [ 23.109732] __ip_finish_output+0x217/0x390 [ 23.109978] ip_finish_output+0x2f/0x130 [ 23.110207] ip_output+0xc9/0x170 [ 23.110404] ip_push_pending_frames+0x1a0/0x240 [ 23.110652] raw_sendmsg+0x102e/0x19e0 [ 23.110871] ? __pfx_raw_sendmsg+0x10/0x10 [ 23.111093] ? lock_release+0x204/0x400 [ 23.111304] ? __mod_lruvec_page_state+0x148/0x330 [ 23.111567] ? find_held_lock+0x8e/0xb0 [ 23.111777] ? find_held_lock+0x8e/0xb0 [ 23.111993] ? __rcu_read_unlock+0x7c/0x2f0 [ 23.112225] ? aa_sk_perm+0x18a/0x550 [ 23.112431] ? filemap_map_pages+0x4f1/0x900 [ 23.112665] ? __pfx_aa_sk_perm+0x10/0x10 [ 23.112880] ? find_held_lock+0x8e/0xb0 [ 23.113098] inet_sendmsg+0xa0/0xb0 [ 23.113297] ? 
inet_sendmsg+0xa0/0xb0 [ 23.113500] ? __pfx_inet_sendmsg+0x10/0x10 [ 23.113727] sock_sendmsg+0xf4/0x100 [ 23.113924] ? move_addr_to_kernel.part.0+0x4f/0xa0 [ 23.114190] __sys_sendto+0x1d4/0x290 [ 23.114391] ? __pfx___sys_sendto+0x10/0x10 [ 23.114621] ? __pfx_mark_lock.part.0+0x10/0x10 [ 23.114869] ? lock_release+0x204/0x400 [ 23.115076] ? find_held_lock+0x8e/0xb0 [ 23.115287] ? rcu_is_watching+0x23/0x60 [ 23.115503] ? __rseq_handle_notify_resume+0x6e2/0x860 [ 23.115778] ? __kasan_check_write+0x14/0x30 [ 23.116008] ? blkcg_maybe_throttle_current+0x8d/0x770 [ 23.116285] ? mark_held_locks+0x28/0xa0 [ 23.116503] ? do_syscall_64+0x37/0x90 [ 23.116713] __x64_sys_sendto+0x7f/0xb0 [ 23.116924] do_syscall_64+0x59/0x90 [ 23.117123] ? irqentry_exit_to_user_mode+0x25/0x30 [ 23.117387] ? irqentry_exit+0x77/0xb0 [ 23.117593] ? exc_page_fault+0x92/0x140 [ 23.117806] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 23.118081] RIP: 0033:0x7f744aee2bba [ 23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89 [ 23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba [ 23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003 [ 23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010 [ 23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 [ 23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0 [ 23.121617] </TASK> [ 23.121749] [ 23.121845] The buggy address belongs to the virtual mapping at [ 23.121845] [ffffc90000000000, ffffc90000009000) created by: [ 23.121845] irq_init_percpu_irqstack+0x1cf/0x270 [ 23.122707] [ 23.122803] The buggy address belongs to the physical page: [ 23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 
mapping:0000000000000000 index:0x0 pfn:0x24a09 [ 23.123609] flags: 0xfffffc0001000(reserved|node=0|zone=1|lastcpupid=0x1fffff) [ 23.123998] page_type: 0xffffffff() [ 23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000 [ 23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000 [ 23.125023] page dumped because: kasan: bad access detected [ 23.125326] [ 23.125421] Memory state around the buggy address: [ 23.125682] ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 23.126072] ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 [ 23.126455] >ffffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 [ 23.126840] ^ [ 23.127138] ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 [ 23.127522] ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 [ 23.127906] ================================================================== [ 23.128324] Disabling lock debugging due to kernel taint Using simple s16 pointers for the 16-bit accesses fixes the problem. For the 32-bit accesses, src and dst can be used directly. Fixes: 96518518cc41 ("netfilter: add nftables") Cc: stable@vger.kernel.org Reported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nft_byteorder.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index 9a85e797ed58..e596d1a842f7 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c 
@@ -30,11 +30,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, const struct nft_byteorder *priv = nft_expr_priv(expr); u32 *src = ®s->data[priv->sreg]; u32 *dst = ®s->data[priv->dreg]; - union { u32 u32; u16 u16; } *s, *d; + u16 *s16, *d16; unsigned int i; - s = (void *)src; - d = (void *)dst; + s16 = (void *)src; + d16 = (void *)dst; switch (priv->size) { case 8: { @@ -62,11 +62,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 4; i++) - d[i].u32 = ntohl((__force __be32)s[i].u32); + dst[i] = ntohl((__force __be32)src[i]); break; case NFT_BYTEORDER_HTON: for (i = 0; i < priv->len / 4; i++) - d[i].u32 = (__force __u32)htonl(s[i].u32); + dst[i] = (__force __u32)htonl(src[i]); break; } break; @@ -74,11 +74,11 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 2; i++) - d[i].u16 = ntohs((__force __be16)s[i].u16); + d16[i] = ntohs((__force __be16)s16[i]); break; case NFT_BYTEORDER_HTON: for (i = 0; i < priv->len / 2; i++) - d[i].u16 = (__force __u16)htons(s[i].u16); + d16[i] = (__force __u16)htons(s16[i]); break; } break; -- 2.30.2 ^ permalink raw reply related [flat|nested] 19+ messages in thread
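Review bot: replacing `union { u32 u32; u16 u16; } *s, *d;` with plain `u16 *s16, *d16;` addresses the root cause: sizeof that union is 4, so `s[i].u16` advanced by 4 bytes per iteration and the size-2 loop read twice as far as priv->len allows. Since two views of the same registers remain, a comment next to `s16 = (void *)src;` stating that registers are u32 slots and the u16 view must stride by 2 bytes would keep a future refactor from reintroducing a wider element type. (The `®s->data` in the context lines is the archive's rendering of `&regs->data`.)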
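Review bot: in the 32-bit case, `dst[i] = ntohl((__force __be32)src[i]);` and the htonl counterpart are behaviour-preserving, since the union's u32 member had the same stride as the u32 pointer; nit: s16/d16 are now only used by the size-2 case, so declaring and assigning them inside that case would keep their scope minimal.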
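Review bot: with `d16[i] = ntohs((__force __be16)s16[i]);` the size-2 loop of priv->len / 2 iterations now touches exactly priv->len bytes, which is what a length check at expression init would naturally cover; since this is the KASAN-visible change, a selftest configuring size 2 with len 2 and with len 4 (the latter previously overran by two bytes) would be a good companion to the fix.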
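The stride mismatch the commit message above describes, as an added standalone C illustration that is not part of the patch or the kernel tree; `regview`, the offset helpers, `byteorder_ntoh16` and the sample register contents are constructed for this demonstration and only mirror the shape of the kernel code:

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the nft register file: each register is one u32 slot, and a
 * byteorder expression with size 2 walks priv->len bytes of it as u16 values.
 * Constructed for illustration; not the kernel's struct nft_regs. */
typedef uint32_t u32;
typedef uint16_t u16;

/* The pre-fix view of a register: a union is as large as its largest member,
 * so indexing an array of these advances by 4 bytes even for the u16 member. */
union regview { u32 word; u16 half; };

/* Byte offset (from the start of the operand) reached by the i-th 16-bit access
 * when indexing through the union, i.e. the pre-fix behaviour. Computed
 * arithmetically so the illustration itself never reads out of bounds. */
size_t union_u16_offset(unsigned int i)
{
    return i * sizeof(union regview);   /* 4 * i: strides by 32 bits */
}

/* Same offset when indexing through a plain u16 pointer, i.e. the fixed code. */
size_t fixed_u16_offset(unsigned int i)
{
    return i * sizeof(u16);             /* 2 * i: strides by 16 bits */
}

/* Bytes by which a size-2 loop of len/2 iterations overruns an operand of
 * `len` bytes when it uses the union stride; 0 means every access is inside. */
size_t union_overrun_bytes(unsigned int len)
{
    unsigned int n = len / 2;
    if (n == 0)
        return 0;
    size_t last_end = union_u16_offset(n - 1) + sizeof(u16);
    return last_end > len ? last_end - len : 0;
}

/* The fixed 16-bit NTOH path: plain u16 views over the u32 register slots,
 * mirroring the patched loop `d16[i] = ntohs(s16[i])`. */
void byteorder_ntoh16(const u32 *src, u32 *dst, unsigned int len)
{
    const u16 *s16 = (const u16 *)src;
    u16 *d16 = (u16 *)dst;
    unsigned int i;

    for (i = 0; i < len / 2; i++)
        d16[i] = ntohs(s16[i]);
}

/* Read the u16 stored `byte_off` bytes into a register array (via memcpy so
 * the read is alignment- and aliasing-safe regardless of host). */
u16 load_u16(const void *regs, size_t byte_off)
{
    u16 v;
    memcpy(&v, (const unsigned char *)regs + byte_off, sizeof(v));
    return v;
}
```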
* [PATCH net 0/6] Netfilter fixes for net @ 2024-05-22 23:13 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-05-22 23:13 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1: syzbot reports that nf_reinject() could be called without rcu_read_lock() when flushing pending packets at nfnetlink queue removal, from Eric Dumazet.

Patch #2 flushes the ipset list:set when canceling garbage collection, to fix a race with references to other lists, from Jozsef Kadlecsik.

Patch #3 restores q-in-q matching with nft_payload by reverting f6ae9f120dad ("netfilter: nft_payload: add C-VLAN support").

Patch #4 fixes vlan mangling in the skbuff when vlan offload is present in the skbuff; without this patch nft_payload corrupts packets in this case.

Patch #5 fixes a possible nul-deref in tproxy if no IP address is found in the netdevice, reported by syzbot; patch from Florian Westphal.

Patch #6 removes a superfluous restriction which prevents loose fib lookups from input and forward hooks, from Eric Garver.

My assessment is that patches #1, #2 and #5 address possible kernel crashes; everything else in this batch fixes broken features.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-05-23

Thanks.
----------------------------------------------------------------
The following changes since commit 4b377b4868ef17b040065bd468668c707d2477a5:

  kprobe/ftrace: fix build error due to bad function definition (2024-05-17 19:17:55 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-05-23

for you to fetch changes up to 4878baa295a377fa9116dbeb43208272efc1cb1b:

  netfilter: nft_fib: allow from forward/input without iif selector (2024-05-21 16:37:01 +0200)

----------------------------------------------------------------
netfilter pull request 24-05-23

----------------------------------------------------------------
Alexander Maltsev (1):
      netfilter: ipset: Add list flush to cancel_gc

Eric Dumazet (1):
      netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu()

Eric Garver (1):
      netfilter: nft_fib: allow from forward/input without iif selector

Florian Westphal (1):
      netfilter: tproxy: bail out if IP has been disabled on the device

Pablo Neira Ayuso (2):
      netfilter: nft_payload: restore vlan q-in-q match support
      netfilter: nft_payload: skbuff vlan metadata mangle support

 net/ipv4/netfilter/nf_tproxy_ipv4.c   |  2 +
 net/netfilter/ipset/ip_set_list_set.c |  3 ++
 net/netfilter/nfnetlink_queue.c       |  2 +
 net/netfilter/nft_fib.c               |  8 ++-
 net/netfilter/nft_payload.c           | 95 ++++++++++++++++++++++++++---------
 5 files changed, 82 insertions(+), 28 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net @ 2024-04-04 10:43 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-04-04 10:43 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

Patch #1: unlike the early commit path stage, which triggers a call to abort, an explicit release of the batch is required on abort; otherwise the mutex is released and commit_list remains in place.

Patch #2 releases the mutex after nft_gc_seq_end() in the commit path; otherwise the async GC worker could collect expired objects.

Patch #3 flushes pending destroy work in the module removal path; otherwise a UaF is possible.

Patches #4 and #6 restrict the table dormant flag with basechain updates to fix state inconsistency in the hook registration.

Patch #5 adds the missing RCU read side lock to flowtable type to avoid races with module removal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-04

Thanks.
----------------------------------------------------------------
The following changes since commit 72076fc9fe60b9143cd971fd8737718719bc512e:

  Revert "tg3: Remove residual error handling in tg3_suspend" (2024-04-04 10:51:01 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-04-04

for you to fetch changes up to 1bc83a019bbe268be3526406245ec28c2458a518:

  netfilter: nf_tables: discard table flag update with pending basechain deletion (2024-04-04 11:38:35 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-04

----------------------------------------------------------------
Pablo Neira Ayuso (5):
      netfilter: nf_tables: release batch on table validation from abort path
      netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
      netfilter: nf_tables: flush pending destroy work before exit_net release
      netfilter: nf_tables: reject new basechain after table flag update
      netfilter: nf_tables: discard table flag update with pending basechain deletion

Ziyang Xuan (1):
      netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()

 net/netfilter/nf_tables_api.c | 50 +++++++++++++++++++++++++++++--------------
 1 file changed, 34 insertions(+), 16 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net @ 2024-01-31 22:59 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-01-31 22:59 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) TCP conntrack now only evaluates window negotiation for packets in the REPLY direction, from Ryan Schaefer. Otherwise SYN retransmissions trigger incorrect window scale negotiation. From Ryan Schaefer.

2) Restrict tunnel objects to NFPROTO_NETDEV, which is where it makes sense to use this object type.

3) Fix conntrack pick up from the middle of SCTP_CID_SHUTDOWN_ACK packets. From Xin Long.

4) Another attempt from Jozsef Kadlecsik to address the slow down of the swap command in ipset.

5) Replace a BUG_ON by WARN_ON_ONCE in nf_log, and consolidate the check for the case that the logger is NULL from the read side lock section.

6) Address lack of sanitization for custom expectations. Restrict layer 3 and 4 families to what is supported by userspace.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-31

Thanks.
----------------------------------------------------------------
The following changes since commit a2933a8759a62269754e54733d993b19de870e84:

  selftests: bonding: do not test arp/ns target with mode balance-alb/tlb (2024-01-25 09:50:54 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-31

for you to fetch changes up to 8059918a1377f2f1fff06af4f5a4ed3d5acd6bc4:

  netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations (2024-01-31 23:14:14 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-31

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: fix performance regression in swap operation

Pablo Neira Ayuso (3):
      netfilter: nf_tables: restrict tunnel object to NFPROTO_NETDEV
      netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger
      netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations

Ryan Schaefer (1):
      netfilter: conntrack: correct window scaling with retransmitted SYN

Xin Long (1):
      netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new

 include/linux/netfilter/ipset/ip_set.h  |  4 ++++
 include/net/netfilter/nf_tables.h       |  2 ++
 net/netfilter/ipset/ip_set_bitmap_gen.h | 14 ++++++++++---
 net/netfilter/ipset/ip_set_core.c       | 37 +++++++++++++++++++++++++--------
 net/netfilter/ipset/ip_set_hash_gen.h   | 15 ++++++++++---
 net/netfilter/ipset/ip_set_list_set.c   | 13 +++++++++---
 net/netfilter/nf_conntrack_proto_sctp.c |  2 +-
 net/netfilter/nf_conntrack_proto_tcp.c  | 10 +++++----
 net/netfilter/nf_log.c                  |  7 ++++---
 net/netfilter/nf_tables_api.c           | 14 ++++++++-----
 net/netfilter/nft_ct.c                  | 24 +++++++++++++++++++++
 net/netfilter/nft_tunnel.c              |  1 +
 12 files changed, 112 insertions(+), 31 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net @ 2024-01-24 19:12 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2024-01-24 19:12 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) Update nf_tables kdoc to keep it in sync with the code, from George Guo.

2) Handle the NETDEV_UNREGISTER event for inet/ingress basechains.

3) Reject configurations that cause nft_limit to overflow, from Florian Westphal.

4) Restrict anonymous set/map names to 16 bytes, from Florian Westphal.

5) Disallow encoding the queue number and error in verdicts. This reverts a patch which seems to have introduced an early attempt at support for nfqueue maps, which is these days supported via the nft_queue expression.

6) Sanitize family via .validate for expressions that explicitly refer to NF_INET_* hooks.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-01-24

Thanks.
----------------------------------------------------------------
The following changes since commit 32f2a0afa95fae0d1ceec2ff06e0e816939964b8:

  net/sched: flower: Fix chain template offload (2024-01-24 01:33:59 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-01-24

for you to fetch changes up to d0009effa8862c20a13af4cb7475d9771b905693:

  netfilter: nf_tables: validate NFPROTO_* family (2024-01-24 20:02:40 +0100)

----------------------------------------------------------------
netfilter pull request 24-01-24

----------------------------------------------------------------
Florian Westphal (3):
      netfilter: nft_limit: reject configurations that cause integer overflow
      netfilter: nf_tables: restrict anonymous set and map names to 16 bytes
      netfilter: nf_tables: reject QUEUE/DROP verdict parameters

George Guo (1):
      netfilter: nf_tables: cleanup documentation

Pablo Neira Ayuso (2):
      netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain
      netfilter: nf_tables: validate NFPROTO_* family

 include/net/netfilter/nf_tables.h | 49 +++++++++++++++++++++++++++++++--------
 net/netfilter/nf_tables_api.c     | 20 ++++++++--------
 net/netfilter/nft_chain_filter.c  | 11 +++++++--
 net/netfilter/nft_compat.c        | 12 ++++++++++
 net/netfilter/nft_flow_offload.c  |  5 ++++
 net/netfilter/nft_limit.c         | 23 ++++++++++++------
 net/netfilter/nft_nat.c           |  5 ++++
 net/netfilter/nft_rt.c            |  5 ++++
 net/netfilter/nft_socket.c        |  5 ++++
 net/netfilter/nft_synproxy.c      |  7 ++++--
 net/netfilter/nft_tproxy.c        |  5 ++++
 net/netfilter/nft_xfrm.c          |  5 ++++
 12 files changed, 121 insertions(+), 31 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net @ 2023-12-06 18:03 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2023-12-06 18:03 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) Incorrect nf_defrag registration for bpf link infra, from D. Wythe.

2) Skip inactive elements in pipapo set backend walk to avoid double deactivation, from Florian Westphal.

3) Fix NFT_*_F_PRESENT check with big endian arch, also from Florian.

4) Bail out if the number of expressions in NFTA_DYNSET_EXPRESSIONS mismatches the stateful expressions in the set declaration.

5) Honor family in table lookup by handle. Broken since 4.16.

6) Use sk_callback_lock to protect access to sk->sk_socket in xt_owner. sock_orphan() might zap this pointer, from Phil Sutter.

All of these fixes address broken stuff for several releases.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-12-06

Thanks.

----------------------------------------------------------------
The following changes since commit 54d4434da824460a190d547404530eff12a7907d:

  Merge branch 'hv_netvsc-fix-race-of-netvsc-vf-register-and-slave-bit' (2023-11-21 13:15:05 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-12-06

for you to fetch changes up to 7ae836a3d630e146b732fe8ef7d86b243748751f:

  netfilter: xt_owner: Fix for unsafe access of sk->sk_socket (2023-12-06 17:52:15 +0100)

----------------------------------------------------------------
netfilter pull request 23-12-06

----------------------------------------------------------------
D. Wythe (1):
      netfilter: bpf: fix bad registration on nf_defrag

Florian Westphal (2):
      netfilter: nft_set_pipapo: skip inactive elements during set walk
      netfilter: nf_tables: fix 'exist' matching on bigendian arches

Pablo Neira Ayuso (2):
      netfilter: nf_tables: bail out on mismatching dynset and set expressions
      netfilter: nf_tables: validate family when identifying table via handle

Phil Sutter (1):
      netfilter: xt_owner: Fix for unsafe access of sk->sk_socket

 net/netfilter/nf_bpf_link.c    | 10 +++++-----
 net/netfilter/nf_tables_api.c  |  5 +++--
 net/netfilter/nft_dynset.c     | 13 +++++++++----
 net/netfilter/nft_exthdr.c     |  4 ++--
 net/netfilter/nft_fib.c        |  8 ++++++--
 net/netfilter/nft_set_pipapo.c |  3 +++
 net/netfilter/xt_owner.c       | 16 ++++++++++++----
 7 files changed, 40 insertions(+), 19 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net
  From: Pablo Neira Ayuso @ 2023-11-15 18:45 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw

Hi,

The following patchset contains Netfilter fixes for net:

1) Remove unused variable causing compilation warning in nft_set_rbtree,
   from Yang Li. This unused variable is a left over from previous merge
   window.

2) Possible return of uninitialized in nf_conntrack_bridge, from Linkui
   Xiao. This is there since nf_conntrack_bridge is available.

3) Fix incorrect pointer math in nft_byteorder, from Dan Carpenter.
   Problem has been there since 2016.

4) Fix bogus error in destroy set element command. Problem is there since
   this new destroy command was added.

5) Fix race condition in ipset between swap and destroy commands and
   add/del/test control plane. This problem is there since ipset was
   merged.

6) Split async and sync catchall GC in two functions to fix unsafe
   iteration over RCU. This is a fix-for-fix that was included in the
   previous pull request.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-11-15

Thanks.

----------------------------------------------------------------
The following changes since commit 4b7b492615cf3017190f55444f7016812b66611d:

  af_unix: fix use-after-free in unix_stream_read_actor() (2023-11-14 10:51:13 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-11-15

for you to fetch changes up to 8837ba3e58ea1e3d09ae36db80b1e80853aada95:

  netfilter: nf_tables: split async and sync catchall in two functions (2023-11-14 16:16:21 +0100)

----------------------------------------------------------------
netfilter pull request 23-11-15

----------------------------------------------------------------
Dan Carpenter (1):
      netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

Jozsef Kadlecsik (1):
      netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test

Linkui Xiao (1):
      netfilter: nf_conntrack_bridge: initialize err to 0

Pablo Neira Ayuso (2):
      netfilter: nf_tables: bogus ENOENT when destroying element which does not exist
      netfilter: nf_tables: split async and sync catchall in two functions

Yang Li (1):
      netfilter: nft_set_rbtree: Remove unused variable nft_net

 include/net/netfilter/nf_tables.h          |  4 +-
 net/bridge/netfilter/nf_conntrack_bridge.c |  2 +-
 net/netfilter/ipset/ip_set_core.c          | 14 +++---
 net/netfilter/nf_tables_api.c              | 60 ++++++++++++++++--------------
 net/netfilter/nft_byteorder.c              |  5 ++-
 net/netfilter/nft_meta.c                   |  2 +-
 net/netfilter/nft_set_rbtree.c             |  2 -
 7 files changed, 47 insertions(+), 42 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net
  From: Pablo Neira Ayuso @ 2023-06-27 6:52 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet

Hi,

The following patchset contains Netfilter fixes for net:

1) Reset shift on Boyer-Moore string match for each block, from Jeremy
   Sowden.

2) Fix access to non-linear area in DCCP conntrack helper, from Florian
   Westphal.

3) Fix kernel-doc warnings, by Randy Dunlap.

4) Bail out if expires= does not show in SIP helper message, or make
   ct_sip_parse_numerical_param() tristate and report error if expires=
   cannot be parsed.

5) Unbind non-anonymous set in case rule construction fails.

6) Fix underflow in chain reference counter in case set element already
   exists or it cannot be created.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-06-27

Thanks.

----------------------------------------------------------------
The following changes since commit 6709d4b7bc2e079241fdef15d1160581c5261c10:

  net: nfc: Fix use-after-free caused by nfc_llcp_find_local (2023-06-26 10:57:23 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-06-27

for you to fetch changes up to b389139f12f287b8ed2e2628b72df89a081f0b59:

  netfilter: nf_tables: fix underflow in chain reference counter (2023-06-26 17:18:55 +0200)

----------------------------------------------------------------
netfilter pull request 23-06-27

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one

Ilia.Gavrilov (1):
      netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.

Jeremy Sowden (1):
      lib/ts_bm: reset initial match offset for every block of text

Pablo Neira Ayuso (2):
      netfilter: nf_tables: unbind non-anonymous set if rule construction fails
      netfilter: nf_tables: fix underflow in chain reference counter

Randy Dunlap (1):
      linux/netfilter.h: fix kernel-doc warnings

 include/linux/netfilter.h               |  4 +--
 lib/ts_bm.c                             |  4 ++-
 net/netfilter/nf_conntrack_proto_dccp.c | 52 +++++++++++++++++++++++++++++++--
 net/netfilter/nf_conntrack_sip.c        |  2 +-
 net/netfilter/nf_tables_api.c           |  6 +++-
 5 files changed, 60 insertions(+), 8 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net
  From: Pablo Neira Ayuso @ 2022-02-10 23:10 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Add selftest for nft_synproxy, from Florian Westphal.

2) xt_socket destroy path incorrectly disables IPv4 defrag for IPv6
   traffic (typo), from Eric Dumazet.

3) Fix exit value selftest nft_concat_range.sh, from Hangbin Liu.

4) nft_synproxy disables the IPv4 hooks if the IPv6 hooks fail to be
   registered.

5) Disable rp_filter on router in selftest nft_fib.sh, also from Hangbin
   Liu.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit 7db788ad627aabff2b74d4f1a3b68516d0fee0d7:

  nfp: flower: fix ida_idx not being released (2022-02-08 21:06:35 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to bbe4c0896d25009a7c86285d2ab024eed4374eea:

  selftests: netfilter: disable rp_filter on router (2022-02-11 00:01:04 +0100)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: xt_socket: fix a typo in socket_mt_destroy()

Florian Westphal (1):
      selftests: netfilter: add synproxy test

Hangbin Liu (2):
      selftests: netfilter: fix exit value for nft_concat_range
      selftests: netfilter: disable rp_filter on router

Pablo Neira Ayuso (2):
      netfilter: nft_synproxy: unregister hooks on init error path
      selftests: netfilter: synproxy test requires nf_conntrack

 net/netfilter/nft_synproxy.c                      |   4 +-
 net/netfilter/xt_socket.c                         |   2 +-
 tools/testing/selftests/netfilter/Makefile        |   2 +-
 .../selftests/netfilter/nft_concat_range.sh       |   2 +-
 tools/testing/selftests/netfilter/nft_fib.sh      |   1 +
 tools/testing/selftests/netfilter/nft_synproxy.sh | 117 +++++++++++++++++++++
 6 files changed, 124 insertions(+), 4 deletions(-)
 create mode 100755 tools/testing/selftests/netfilter/nft_synproxy.sh
* [PATCH net 0/6] Netfilter fixes for net
  From: Pablo Neira Ayuso @ 2022-02-04 15:18 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Don't refresh timeout for SCTP flows in CLOSED state.

2) Don't allow access to transport header if fragment offset is set on.

3) Reinitialize internal conntrack state for retransmitted TCP syn-ack
   packet.

4) Update MAINTAINER file to add the Netfilter group tree. Moving
   forward, Florian Westphal has access to this tree so he can also send
   pull requests.

5) Set on IPS_HELPER for entries created via ctnetlink, otherwise NAT
   might zap it.

All patches from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit ed14fc7a79ab43e9f2cb1fa9c1733fdc133bba30:

  net: sparx5: Fix get_stat64 crash in tcpdump (2022-02-03 19:01:15 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to d1ca60efc53d665cf89ed847a14a510a81770b81:

  netfilter: ctnetlink: disable helper autoassign (2022-02-04 05:39:57 +0100)

----------------------------------------------------------------
Florian Westphal (6):
      netfilter: conntrack: don't refresh sctp entries in closed state
      netfilter: nft_payload: don't allow th access for fragments
      netfilter: conntrack: move synack init code to helper
      netfilter: conntrack: re-init state for retransmitted syn-ack
      MAINTAINERS: netfilter: update git links
      netfilter: ctnetlink: disable helper autoassign

 MAINTAINERS                                        |  4 +-
 include/uapi/linux/netfilter/nf_conntrack_common.h |  2 +-
 net/netfilter/nf_conntrack_netlink.c               |  3 +-
 net/netfilter/nf_conntrack_proto_sctp.c            |  9 ++++
 net/netfilter/nf_conntrack_proto_tcp.c             | 59 +++++++++++++++-------
 net/netfilter/nft_exthdr.c                         |  2 +-
 net/netfilter/nft_payload.c                        |  9 ++--
 7 files changed, 61 insertions(+), 27 deletions(-)
* [PATCH net 0/6] Netfilter fixes for net
  From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC
  To: netfilter-devel; +Cc: davem, netdev, kuba

Hi,

The following patchset contains Netfilter fixes for net:

1) Memleak in commit audit error path, from Dongliang Mu.

2) Avoid possible false sharing for flowtable timeout updates and
   nft_last use.

3) Adjust conntrack timestamp due to garbage collection delay, from
   Florian Westphal.

4) Fix nft_nat without layer 3 address for the inet family.

5) Fix compilation warning in nfnl_hook when ingress support is
   disabled, from Arnd Bergmann.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------
The following changes since commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba:

  net: decnet: Fix sleeping inside in af_decnet (2021-07-16 14:06:16 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 217e26bd87b2930856726b48a4e71c768b8c9bf5:

  netfilter: nfnl_hook: fix unused variable warning (2021-07-23 14:45:03 +0200)

----------------------------------------------------------------
Arnd Bergmann (1):
      netfilter: nfnl_hook: fix unused variable warning

Dongliang Mu (1):
      netfilter: nf_tables: fix audit memory leak in nf_tables_commit

Florian Westphal (1):
      netfilter: conntrack: adjust stop timestamp to real expiry value

Pablo Neira Ayuso (3):
      netfilter: flowtable: avoid possible false sharing
      netfilter: nft_last: avoid possible false sharing
      netfilter: nft_nat: allow to specify layer 4 protocol NAT only

 net/netfilter/nf_conntrack_core.c  |  7 ++++++-
 net/netfilter/nf_flow_table_core.c |  6 +++++-
 net/netfilter/nf_tables_api.c      | 12 ++++++++++++
 net/netfilter/nfnetlink_hook.c     |  2 ++
 net/netfilter/nft_last.c           | 20 +++++++++++++------
 net/netfilter/nft_nat.c            |  4 +++-
 6 files changed, 41 insertions(+), 10 deletions(-)
Thread overview: 19+ messages

  2023-07-05 23:04 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2023-07-05 23:04 ` [PATCH net 1/6] netfilter: nf_tables: report use refcount overflow  Pablo Neira Ayuso
  2023-07-06  9:01   ` Paolo Abeni
  2023-07-06  9:20     ` patchwork-bot+netdevbpf
  2023-07-05 23:04 ` [PATCH net 2/6] netfilter: conntrack: gre: don't set assured flag for clash entries  Pablo Neira Ayuso
  2023-07-05 23:04 ` [PATCH net 3/6] netfilter: conntrack: Avoid nf_ct_helper_hash uses after free  Pablo Neira Ayuso
  2023-07-05 23:04 ` [PATCH net 4/6] netfilter: conntrack: don't fold port numbers into addresses before hashing  Pablo Neira Ayuso
  2023-07-05 23:04 ` [PATCH net 5/6] netfilter: nf_tables: do not ignore genmask when looking up chain by id  Pablo Neira Ayuso
  2023-07-05 23:04 ` [PATCH net 6/6] netfilter: nf_tables: prevent OOB access in nft_byteorder_eval  Pablo Neira Ayuso

-- strict thread matches above, loose matches on Subject: below --

  2024-05-22 23:13 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2024-04-04 10:43 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2024-01-31 22:59 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2024-01-24 19:12 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2023-12-06 18:03 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2023-11-15 18:45 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2023-06-27  6:52 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2022-02-10 23:10 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2022-02-04 15:18 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso
  2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net  Pablo Neira Ayuso