* [PATCH net 0/3] Netfilter fixes for net
@ 2022-03-17 20:25 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2022-03-17 20:25 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix PPPoE and QinQ with flowtable inet family.
2) Missing register validation in nf_tables.
3) Initialize registers to avoid stack memleak to userspace.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit dea2d93a8ba437460c5f21bdfa4ada57fa1d2179:
Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue (2022-03-16 10:07:43 +0000)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 4c905f6740a365464e91467aa50916555b28213d:
netfilter: nf_tables: initialize registers in nft_do_chain() (2022-03-17 15:50:27 +0100)
----------------------------------------------------------------
Pablo Neira Ayuso (3):
netfilter: flowtable: Fix QinQ and pppoe support for inet table
netfilter: nf_tables: validate registers coming from userspace.
netfilter: nf_tables: initialize registers in nft_do_chain()
include/net/netfilter/nf_flow_table.h | 18 ++++++++++++++++++
net/netfilter/nf_flow_table_inet.c | 17 +++++++++++++++++
net/netfilter/nf_flow_table_ip.c | 18 ------------------
net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
net/netfilter/nf_tables_core.c | 2 +-
5 files changed, 53 insertions(+), 24 deletions(-)
* [PATCH net 1/3] netfilter: flowtable: Fix QinQ and pppoe support for inet table
From: Pablo Neira Ayuso @ 2022-03-17 20:25 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
nf_flow_offload_inet_hook() does not check for 802.1q and PPPoE.
Fetch inner ethertype from these encapsulation protocols.
Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
Fixes: 4cd91f7c290f ("netfilter: flowtable: add vlan support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_flow_table.h | 18 ++++++++++++++++++
net/netfilter/nf_flow_table_inet.c | 17 +++++++++++++++++
net/netfilter/nf_flow_table_ip.c | 18 ------------------
3 files changed, 35 insertions(+), 18 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index bd59e950f4d6..64daafd1fc41 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -10,6 +10,8 @@
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/flow_offload.h>
#include <net/dst.h>
+#include <linux/if_pppox.h>
+#include <linux/ppp_defs.h>
struct nf_flowtable;
struct nf_flow_rule;
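Review bot: the two new includes exist only to serve nf_flow_pppoe_proto(), which this patch moves into the header in the next hunk, and they are now pulled into every translation unit that includes nf_flow_table.h rather than just nf_flow_table_ip.c. That is acceptable for a fix, but the commit message should state that the helper is being moved from nf_flow_table_ip.c so that the inet hook can share it; the current text only describes the inet hook change.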
@@ -317,4 +319,20 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
int nf_flow_table_offload_init(void);
void nf_flow_table_offload_exit(void);
+static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
+{
+ __be16 proto;
+
+ proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
+ sizeof(struct pppoe_hdr)));
+ switch (proto) {
+ case htons(PPP_IP):
+ return htons(ETH_P_IP);
+ case htons(PPP_IPV6):
+ return htons(ETH_P_IPV6);
+ }
+
+ return 0;
+}
+
#endif /* _NF_FLOW_TABLE_H */
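Review bot: nf_flow_pppoe_proto() dereferences `skb_mac_header(skb) + ETH_HLEN + sizeof(struct pppoe_hdr)` with no check that those two bytes lie inside the linear area, so a truncated PPPoE frame would turn this into an out-of-bounds read unless every caller has already pulled the PPPoE header. Now that the helper is exported to all users of the header, that precondition should be written down as a comment on the function (or the helper should take the length the caller verified). Separately, ETH_HLEN, ETH_P_IP and ETH_P_IPV6 come from <linux/if_ether.h>, which the include hunk above does not add; confirm the header already reaches it through an existing include.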
diff --git a/net/netfilter/nf_flow_table_inet.c b/net/netfilter/nf_flow_table_inet.c
index 5c57ade6bd05..0ccabf3fa6aa 100644
--- a/net/netfilter/nf_flow_table_inet.c
+++ b/net/netfilter/nf_flow_table_inet.c
@@ -6,12 +6,29 @@
#include <linux/rhashtable.h>
#include <net/netfilter/nf_flow_table.h>
#include <net/netfilter/nf_tables.h>
+#include <linux/if_vlan.h>
static unsigned int
nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
+ struct vlan_ethhdr *veth;
+ __be16 proto;
+
switch (skb->protocol) {
+ case htons(ETH_P_8021Q):
+ veth = (struct vlan_ethhdr *)skb_mac_header(skb);
+ proto = veth->h_vlan_encapsulated_proto;
+ break;
+ case htons(ETH_P_PPP_SES):
+ proto = nf_flow_pppoe_proto(skb);
+ break;
+ default:
+ proto = skb->protocol;
+ break;
+ }
+
+ switch (proto) {
case htons(ETH_P_IP):
return nf_flow_offload_ip_hook(priv, skb, state);
case htons(ETH_P_IPV6):
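Review bot: the ETH_P_8021Q case reads a struct vlan_ethhdr straight from skb_mac_header(skb) and inspects a single in-header tag, while the subject promises QinQ; a comment explaining that the outer tag has already been moved into skb->vlan_tci by the time skb->protocol reads ETH_P_8021Q, so the tag still in the header is the inner one, would make the mapping clear to the next reader. Two smaller points: does skb->protocol ever carry ETH_P_8021AD on this path? If so it needs a case alongside ETH_P_8021Q, otherwise such frames fall through `default` with proto set to the tag ethertype and are never decapsulated. And when nf_flow_pppoe_proto() returns 0 for a non-IP PPP payload, proto == 0 relies on the second switch's default to reject it, which is the intended outcome but deserves a one-line comment.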
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 889cf88d3dba..6257d87c3a56 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -8,8 +8,6 @@
#include <linux/ipv6.h>
#include <linux/netdevice.h>
#include <linux/if_ether.h>
-#include <linux/if_pppox.h>
-#include <linux/ppp_defs.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <net/ip6_route.h>
@@ -239,22 +237,6 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
return NF_STOLEN;
}
-static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
-{
- __be16 proto;
-
- proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
- sizeof(struct pppoe_hdr)));
- switch (proto) {
- case htons(PPP_IP):
- return htons(ETH_P_IP);
- case htons(PPP_IPV6):
- return htons(ETH_P_IPV6);
- }
-
- return 0;
-}
-
static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto,
u32 *offset)
{
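Review bot: the removed body is byte-for-byte the copy added to nf_flow_table.h, so this hunk (together with the include removal above) is a pure move, and the commit message should say so. Anything left in this file that still uses the helper or the pppoe constants now depends on <net/netfilter/nf_flow_table.h> being included here; worth a glance at the include list so a later reordering does not break the build silently.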
--
2.30.2
* [PATCH net 2/3] netfilter: nf_tables: validate registers coming from userspace.
From: Pablo Neira Ayuso @ 2022-03-17 20:25 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
Bail out in case userspace uses unsupported registers.
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d71a33ae39b3..1f5a0eece0d1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9275,17 +9275,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
}
EXPORT_SYMBOL_GPL(nft_parse_u32_check);
-static unsigned int nft_parse_register(const struct nlattr *attr)
+static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg)
{
unsigned int reg;
reg = ntohl(nla_get_be32(attr));
switch (reg) {
case NFT_REG_VERDICT...NFT_REG_4:
- return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
+ *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
+ break;
+ case NFT_REG32_00...NFT_REG32_15:
+ *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+ break;
default:
- return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+ return -ERANGE;
}
+
+ return 0;
}
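Review bot: the function now returns -ERANGE but its return type is still `unsigned int`; the negative errno is converted to a large unsigned value and only becomes negative again when the callers store it in `int err`, which works in practice but is exactly the implicit conversion static analysers flag. Change the signature to `static int nft_parse_register(const struct nlattr *attr, u32 *preg)` to match the 0/-errno convention it now follows. The two accepted ranges (NFT_REG_VERDICT...NFT_REG_4 and NFT_REG32_00...NFT_REG32_15) cover every register id the ABI defines, so `default` is reached only by values no legitimate userspace produces; previously those values went through the NFT_REG32 arithmetic, which subtracts NFT_REG32_00 and therefore underflows for ids between NFT_REG_4 and NFT_REG32_00. A sentence to that effect in the commit message would explain why this is a fix rather than a cleanup.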
/**
@@ -9327,7 +9333,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
u32 reg;
int err;
- reg = nft_parse_register(attr);
+ err = nft_parse_register(attr, ®);
+ if (err < 0)
+ return err;
+
err = nft_validate_register_load(reg, len);
if (err < 0)
return err;
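Review bot: the `®` in `nft_parse_register(attr, ®)` is the archive rendering `&reg` as an HTML entity and is not what the patch carries; anyone reviewing from the web view should check the raw mail before commenting on it. The propagation itself is right: `err` from the parse step is returned unchanged before nft_validate_register_load() runs, so an unknown register id is rejected before any length arithmetic on it.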
@@ -9382,7 +9391,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx,
int err;
u32 reg;
- reg = nft_parse_register(attr);
+ err = nft_parse_register(attr, ®);
+ if (err < 0)
+ return err;
+
err = nft_validate_register_store(ctx, reg, data, type, len);
if (err < 0)
return err;
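Review bot: same pattern as the load path, and the same `®` rendering of `&reg`. Since rejecting an out-of-range register id on store is new behaviour, a selftest under tools/testing/selftests/netfilter that submits a rule with a register id outside both accepted ranges and expects the netlink request to fail would pin it down and catch a future regression in nft_parse_register().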
--
2.30.2
* [PATCH net 3/3] netfilter: nf_tables: initialize registers in nft_do_chain()
From: Pablo Neira Ayuso @ 2022-03-17 20:25 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
Initialize registers to avoid stack leak into userspace.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter/nf_tables_core.c
index 36e73f9828c5..8af98239655d 100644
--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -201,7 +201,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
const struct nft_rule_dp *rule, *last_rule;
const struct net *net = nft_net(pkt);
const struct nft_expr *expr, *last;
- struct nft_regs regs;
+ struct nft_regs regs = {};
unsigned int stackptr = 0;
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
bool genbit = READ_ONCE(net->nft.gencursor);
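Review bot: `= {}` zero-initialises the whole struct nft_regs on every nft_do_chain() call, which is the per-packet hot path; the commit message should name the expression or path through which uninitialised register bytes can reach userspace, so the cost is justified against the actual leak and a later narrowing (zeroing only the data area, or initialising at the consumer) can be judged against it. The change itself is the right conservative fix for a stack information leak: every register read now sees zeros rather than whatever the previous frame left on the stack.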
--
2.30.2
* Re: [PATCH net 1/3] netfilter: flowtable: Fix QinQ and pppoe support for inet table
From: patchwork-bot+netdevbpf @ 2022-03-18 11:00 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Thu, 17 Mar 2022 21:25:32 +0100 you wrote:
> nf_flow_offload_inet_hook() does not check for 802.1q and PPPoE.
> Fetch inner ethertype from these encapsulation protocols.
>
> Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support")
> Fixes: 4cd91f7c290f ("netfilter: flowtable: add vlan support")
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: flowtable: Fix QinQ and pppoe support for inet table
https://git.kernel.org/netdev/net/c/0492d857636e
- [net,2/3] netfilter: nf_tables: validate registers coming from userspace.
https://git.kernel.org/netdev/net/c/6e1acfa387b9
- [net,3/3] netfilter: nf_tables: initialize registers in nft_do_chain()
https://git.kernel.org/netdev/net/c/4c905f6740a3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html