Sync fips legacy 8 compliant 4.18.0 425.13.1.el8.ciqfipscompliant.36.1 #15
Open
PlaidCat wants to merge 49 commits into FIPS-8-plus from sync_fips-legacy-8-compliant_4.18.0-425.13.1.el8.ciqfipscompliant.36.1
Conversation
jira VULN-5563
pre-cve CVE-2024-39502
commit-author Neel Patel <[email protected]>
commit e8797a058466b60fc5a3291b92430c93ba90eaff
upstream-diff Some fuzz around placement of the napi_enable() call; the fix for CVE-2024-39502 will place it correctly.

Clear the interrupt credits before enabling the queue rather than after, to be sure that the enabled queue starts at 0 and that we don't wipe away possible credits after enabling the queue.

Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling")
Signed-off-by: Neel Patel <[email protected]>
Signed-off-by: Shannon Nelson <[email protected]>
Reviewed-by: Leon Romanovsky <[email protected]>
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit e8797a058466b60fc5a3291b92430c93ba90eaff)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-5563
cve CVE-2024-39502
commit-author Taehee Yoo <[email protected]>
commit 79f18a41dd056115d685f3b0a419c7cd40055e13
upstream-diff There are other modifications in and around this code in the upstream patch. Also, the napi_enable from the patch gets placed on the wrong line. Remove the extra cruft and move the napi_enable() to where it should be according to the commit.

When queues are started, netif_napi_add() and napi_enable() are called. If there are 4 queues and only 3 queues are used for the current configuration, only 3 queues' napi should be registered and enabled.

The ionic_qcq_enable() checks whether the .poll pointer is not NULL for enabling only the in-use queues' napi. Unused queues' napi will not be registered by netif_napi_add(), so the .poll pointer indicates NULL. But it couldn't distinguish whether the napi was unregistered or not because netif_napi_del() doesn't reset the .poll pointer to NULL. So, ionic_qcq_enable() calls napi_enable() for the queue, which was unregistered by netif_napi_del().

Reproducer:
ethtool -L <interface name> rx 1 tx 1 combined 0
ethtool -L <interface name> rx 0 tx 0 combined 1
ethtool -L <interface name> rx 0 tx 0 combined 4

Splat looks like:
kernel BUG at net/core/dev.c:6666!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 3 PID: 1057 Comm: kworker/3:3 Not tainted 6.10.0-rc2+ #16
Workqueue: events ionic_lif_deferred_work [ionic]
RIP: 0010:napi_enable+0x3b/0x40
Code: 48 89 c2 48 83 e2 f6 80 b9 61 09 00 00 00 74 0d 48 83 bf 60 01 00 00 00 74 03 80 ce 01 f0 4f
RSP: 0018:ffffb6ed83227d48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff97560cda0828 RCX: 0000000000000029
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff97560cda0a28
RBP: ffffb6ed83227d50 R08: 0000000000000400 R09: 0000000000000001
R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000000
R13: ffff97560ce3c1a0 R14: 0000000000000000 R15: ffff975613ba0a20
FS:  0000000000000000(0000) GS:ffff975d5f780000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f8f734ee200 CR3: 0000000103e50000 CR4: 00000000007506f0
PKRU: 55555554
Call Trace:
 <TASK>
 ? die+0x33/0x90
 ? do_trap+0xd9/0x100
 ? napi_enable+0x3b/0x40
 ? do_error_trap+0x83/0xb0
 ? napi_enable+0x3b/0x40
 ? napi_enable+0x3b/0x40
 ? exc_invalid_op+0x4e/0x70
 ? napi_enable+0x3b/0x40
 ? asm_exc_invalid_op+0x16/0x20
 ? napi_enable+0x3b/0x40
 ionic_qcq_enable+0xb7/0x180 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
 ionic_start_queues+0xc4/0x290 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
 ionic_link_status_check+0x11c/0x170 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
 ionic_lif_deferred_work+0x129/0x280 [ionic 59bdfc8a035436e1c4224ff7d10789e3f14643f8]
 process_one_work+0x145/0x360
 worker_thread+0x2bb/0x3d0
 ? __pfx_worker_thread+0x10/0x10
 kthread+0xcc/0x100
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x2d/0x50
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30

Fixes: 0f3154e6bcb3 ("ionic: Add Tx and Rx handling")
Signed-off-by: Taehee Yoo <[email protected]>
Reviewed-by: Brett Creeley <[email protected]>
Reviewed-by: Shannon Nelson <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Jakub Kicinski <[email protected]>
(cherry picked from commit 79f18a41dd056115d685f3b0a419c7cd40055e13)
Signed-off-by: Greg Rose <[email protected]>
Conflicts:
    drivers/net/ethernet/pensando/ionic/ionic_lif.c
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit aaa31047a6d25da0fa101da1ed544e1247949b40
upstream-diff We only take one small piece of code from this patch. The netfilter folks made a big NO NO by making a commit with a new feature as well as adding some additional safety checks. Red Hat took the additional safety checks but without any of the rest of this rather large upstream patch, but this commit has the necessary bits for backporting the remaining netfilter bits for this VULN ticket.

This patch extends the set infrastructure to add a special catch-all set element. If the lookup fails to find an element (or range) in the set, then the catch-all element is selected. Users can specify a mapping, expression(s) and timeout to be attached to the catch-all element.

This patch adds a catchall list to the set, this list might contain more than one single catch-all element (e.g. in case that the catch-all element is removed and a new one is added in the same transaction). However, most of the time, there will be either one element or no elements at all in this list.

The catch-all element is identified via NFT_SET_ELEM_CATCHALL flag and such special element has no NFTA_SET_ELEM_KEY attribute. There is a new nft_set_elem_catchall object that stores a reference to the dummy catch-all element (catchall->elem) whose layout is the same of the set element type to reuse the existing set element codebase.

The set size does not apply to the catch-all element, users can define a catch-all element even if the set is full.

The check for valid set element flags has been updated to report EOPNOTSUPP in case userspace requests flags that are not supported when using new userspace nftables and old kernel.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534

Remove spurious code that does not exist in 4.18.0-534 but is still hanging around.

Signed-off-by: Greg Rose <[email protected]>
…fication
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 6fb721cf781808ee2ca5e737fb0592cc68de3381
upstream-diff The catchall features from previous commits were not actually backported by Red Hat, so this patch has to work around that.

Include the NLM_F_CREATE and NLM_F_EXCL flags in netlink event notifications, otherwise userspace cannot distinguish between create and add commands.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 6fb721cf781808ee2ca5e737fb0592cc68de3381)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 212ed75dc5fb9d1423b3942c8f872a868cda3466
upstream-diff The offsets for the code are too divergent for the upstream patch to apply cleanly, but except for that fuzz I believe it is correct.

The pipapo set backend follows copy-on-update approach, maintaining one clone of the existing datastructure that is being updated. The clone and current datastructures are swapped via rcu from the commit step.

The existing integration with the commit protocol is flawed because there is no operation to clean up the clone if the transaction is aborted. Moreover, the datastructure swap happens on set element activation.

This patch adds two new operations for sets: commit and abort, these new operations are invoked from the commit and abort steps, after the transactions have been digested, and it updates the pipapo set backend to use it.

This patch adds a new ->pending_update field to sets to maintain a list of sets that require this new commit and abort operations.

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 212ed75dc5fb9d1423b3942c8f872a868cda3466)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b

Anonymous sets come with NFT_SET_CONSTANT from userspace. Although API allows to create anonymous sets without NFT_SET_CONSTANT, it makes no sense to allow to add and to delete elements for bound anonymous sets.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit c88c535b592d3baeee74009f3eceeeaf0fdd5e1b)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit b770283c98e0eee9133c47bc03b6cc625dc94723

Disallow updates of set timeout and garbage collection parameters for anonymous sets.

Fixes: 123b99619cca ("netfilter: nf_tables: honor set timeout and garbage collection updates")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit b770283c98e0eee9133c47bc03b6cc625dc94723)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit e26d3009efda338f19016df4175f354a9bd0a4ab

Never used from userspace, disallow these parameters.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit e26d3009efda338f19016df4175f354a9bd0a4ab)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 04b7db414490ea9254d0c1d8930ea9571f8ce9f0
upstream-diff Same as most in this series, patch looks identical but has offset fuzz.

This patch adds a helper function to add the chain to the hashtable and the chain list.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 04b7db414490ea9254d0c1d8930ea9571f8ce9f0)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 1689f25924ada8fe14a4a82c38925d04994c7142
upstream-diff This cherry pick is a complete mess and I tried to follow the 5.18.0-534 code as the guiding light, but the upstream diff is large.

Overflow use refcount checks are not complete. Add helper function to deal with object reference counter tracking. Report -EMFILE in case UINT_MAX is reached. nft_use_dec() splats in case that reference counter underflows, which should not ever happen.

Add nft_use_inc_restore() and nft_use_dec_restore() which are used to restore reference counter from error and abort paths.

Use u32 in nft_flowtable and nft_object since helper functions cannot work on bitfields.

Remove the few early incomplete checks now that the helper functions are in place and used to check for refcount overflow.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 1689f25924ada8fe14a4a82c38925d04994c7142)
Signed-off-by: Greg Rose <[email protected]>
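A user-space model of the use-counter helpers this commit describes, added here as an example and not taken from the pull request or the kernel tree: an increment that refuses to wrap at UINT_MAX (reported as -EMFILE), a decrement that flags underflow, and the restore variants for error paths. The struct names, `warn_count` and `bind_rule`/`unbind_rule` are assumptions made for the demonstration.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>

typedef unsigned int u32;        /* plain u32, as the commit switches to */

static int warn_count;           /* stands in for WARN_ON_ONCE() in this model */

/* Saturating increment: never let a use counter wrap around to zero. */
static bool nft_use_inc(u32 *use)
{
    if (*use == UINT_MAX)
        return false;
    (*use)++;
    return true;
}

/* Decrement; reaching below zero means reference tracking is broken. */
static void nft_use_dec(u32 *use)
{
    if ((*use)-- == 0)
        warn_count++;
}

/* Restore variants for error and abort paths: the increment was balanced
 * by an earlier decrement, so a failure here is itself a bug. */
static void nft_use_inc_restore(u32 *use)
{
    if (!nft_use_inc(use))
        warn_count++;
}

static void nft_use_dec_restore(u32 *use)
{
    nft_use_dec(use);
}

struct obj { u32 use; };         /* hypothetical referenced object */

/* A rule referencing two objects takes one use on each. If the second
 * cannot be taken, the first is handed back so the failed request leaves
 * both counters exactly as they were. */
static int bind_rule(struct obj *a, struct obj *b)
{
    if (!nft_use_inc(&a->use))
        return -EMFILE;
    if (!nft_use_inc(&b->use)) {
        nft_use_dec_restore(&a->use);
        return -EMFILE;
    }
    return 0;
}

static void unbind_rule(struct obj *a, struct obj *b)
{
    nft_use_dec(&a->use);
    nft_use_dec(&b->use);
}

/* Constructed scenario: b is already at UINT_MAX. Returns 0 only if the
 * bind was refused with -EMFILE and a's counter was restored. */
static int demo_overflow_refused(void)
{
    struct obj a = { .use = 5 };
    struct obj b = { .use = UINT_MAX };
    int ret = bind_rule(&a, &b);

    if (ret != -EMFILE)
        return 1;
    if (a.use != 5 || b.use != UINT_MAX)
        return 2;
    return 0;
}

/* Constructed scenario: an unbalanced unbind drives both counters below
 * zero. Returns the number of warnings raised (one per underflow). */
static int demo_underflow_warns(void)
{
    struct obj a = { .use = 0 }, b = { .use = 0 };
    int before = warn_count;

    unbind_rule(&a, &b);
    return warn_count - before;
}

/* Abort path: a previously dropped reference is re-taken without fail. */
static u32 demo_restore(void)
{
    struct obj a = { .use = 3 };

    nft_use_dec(&a.use);            /* prepare phase dropped it */
    nft_use_inc_restore(&a.use);    /* abort puts it back */
    return a.use;
}
```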
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit ddbd8be68941985f166f5107109a90ce13147c44

On some platforms there is a padding hole in the nft_verdict structure, between the verdict code and the chain pointer.

On element insertion, if the new element clashes with an existing one and NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as the data associated with duplicated element is the same as the existing one.

The data equality check uses memcmp. For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT padding area leads to spurious failure even if the verdict data is the same.

This then makes the insertion fail with 'already exists' error, even though the new "key : data" matches an existing entry and userspace told the kernel that it doesn't want to receive an error indication.

Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit ddbd8be68941985f166f5107109a90ce13147c44)
Signed-off-by: Greg Rose <[email protected]>
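To show concretely why a whole-object memcmp() is the wrong equality test for a struct with a padding hole, here is an added example (not code from this pull request or the kernel) that models the layout in user space: a 32-bit code followed by a pointer, compared both byte-wise and field-wise. `struct verdict`, `struct chain` and the helper names are assumptions for the demo; the verdict code values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the layout the commit describes: on LP64 targets
 * the pointer is 8-byte aligned, leaving a 4-byte hole after 'code'. */
struct chain { int id; };

struct verdict {
    uint32_t code;          /* verdict code */
    struct chain *chain;    /* target chain for jump/goto style verdicts */
};

/* Padding bytes in struct verdict (0 on a target with no hole). */
static size_t verdict_padding_bytes(void)
{
    return sizeof(struct verdict) - sizeof(uint32_t) - sizeof(struct chain *);
}

/* The check the commit calls out: memcmp() over the whole object, which
 * compares the padding bytes along with the real members. */
static int verdict_equal_memcmp(const struct verdict *a, const struct verdict *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

/* Field-wise comparison: only the members that carry meaning. */
static int verdict_equal_fields(const struct verdict *a, const struct verdict *b)
{
    return a->code == b->code && a->chain == b->chain;
}

/* Build a verdict on memory pre-filled with 'fill', then set the members.
 * Two calls with the same members but different 'fill' differ only in the
 * padding bytes, which is the situation the commit describes. */
static void make_verdict(struct verdict *v, unsigned char fill,
                         uint32_t code, struct chain *chain)
{
    memset(v, fill, sizeof(*v));
    v->code = code;
    v->chain = chain;
}

/* Returns 1 if memcmp() reports the two logically identical verdicts as
 * different (the spurious -EEXIST case), 0 if it agrees with the field
 * compare, -1 if the field compare itself is wrong (it never is). */
static int demo_spurious_mismatch(unsigned char fill_a, unsigned char fill_b)
{
    static struct chain c = { .id = 7 };   /* constructed target chain */
    struct verdict a, b;

    make_verdict(&a, fill_a, 1, &c);       /* existing element's data */
    make_verdict(&b, fill_b, 1, &c);       /* same "key : data" re-added */

    if (!verdict_equal_fields(&a, &b))
        return -1;
    return verdict_equal_memcmp(&a, &b) ? 0 : 1;
}
```

On a target with the padding hole, `demo_spurious_mismatch(0x00, 0xff)` returns 1 while the field compare still reports equality, which is exactly the divergence the fix removes.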
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit 24138933b97b055d486e8064b4a1721702442a9b

There is an asymmetry between commit/abort and preparation phase if the following conditions are met:

1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled

In this case, following sequence is problematic:

1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements from preparation phase
4. kernel does another set walk to remove elements from the commit phase (or another walk to do a chain->use increment for all elements from abort phase)

If E has already expired in 1), it will be ignored during list walk, so its use count won't have been changed.

Then, when set is culled, ->destroy callback will zap the element via nf_tables_set_elem_destroy(), but this function is only safe for elements that have been deactivated earlier from the preparation phase: lack of earlier deactivate removes the element but leaks the chain use count, which results in a WARN splat when the chain gets removed later, plus a leak of the nft_chain structure.

Update pipapo_get() not to skip expired elements, otherwise flush command reports bogus ENOENT errors.

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 24138933b97b055d486e8064b4a1721702442a9b)
Signed-off-by: Greg Rose <[email protected]>
…functions
jira VULN-429
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit f8bb7889af58d8e74d2d61c76b1418230f1610fa

Rename:

- nft_set_elem_activate() to nft_set_elem_data_activate().
- nft_set_elem_deactivate() to nft_set_elem_data_deactivate().

To prepare for updates in the set element infrastructure to add support for the special catch-all element.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit f8bb7889af58d8e74d2d61c76b1418230f1610fa)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-429
pre-cve CVE-2023-4244
commit-author Pablo Neira Ayuso <[email protected]>
commit d59d2f82f984df44b31c5d7837fc2f62268b7571
upstream-diff So many conflicts when trying to cherry pick this, but they're all very similar and I didn't have much trouble picking them out. As per previous commits in this series I've used 4.18.0-534 as the source of truth when resolving conflicts.

Consolidate call to net_generic(net, nf_tables_net_id) in this wrapper function.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit d59d2f82f984df44b31c5d7837fc2f62268b7571)
Signed-off-by: Greg Rose <[email protected]>
…lane
jira VULN-429
cve CVE-2023-4244
commit-author Pablo Neira Ayuso <[email protected]>
commit 5f68718b34a531a556f2f50300ead2862278da26
upstream-diff - Upstream fuzz and conflicts. Resolved by pointing to 4.18.0-534 as the source of truth.

The set types rhashtable and rbtree use a GC worker to reclaim memory. From system work queue, in periodic intervals, a scan of the table is done.

The major caveat here is that the nft transaction mutex is not held. This causes a race between control plane and GC when they attempt to delete the same element.

We cannot grab the netlink mutex from the work queue, because the control plane has to wait for the GC work queue in case the set is to be removed, so we get following deadlock:

       cpu 1                              cpu2
         GC work                          transaction comes in, lock nft mutex
         `acquire nft mutex // BLOCKS
                                          transaction asks to remove the set
                                          set destruction calls cancel_work_sync()

cancel_work_sync will now block forever, because it is waiting for the mutex the caller already owns.

This patch adds a new API that deals with garbage collection in two steps:

1) Lockless GC of expired elements sets on the NFT_SET_ELEM_DEAD_BIT so they are not visible via lookup. Annotate current GC sequence in the GC transaction. Enqueue GC transaction work as soon as it is full. If ruleset is updated, then GC transaction is aborted and retried later.

2) GC work grabs the mutex. If GC sequence has changed then this GC transaction lost race with control plane, abort it as it contains stale references to objects and let GC try again later. If the ruleset is intact, then this GC transaction deactivates and removes the elements and it uses call_rcu() to destroy elements.

Note that no elements are removed from GC lockless path, the _DEAD bit is set and pointers are collected. GC catchall does not remove the elements anymore too.

There is a new set->dead flag that is set on to abort the GC transaction to deal with set->ops->destroy() path which removes the remaining elements in the set from commit_release, where no mutex is held.

To deal with GC when mutex is held, which allows safe deactivate and removal, add sync GC API which releases the set element object via call_rcu(). This is used by rbtree and pipapo backends which also perform garbage collection from control plane path.

Since element removal from sets can happen from control plane and element garbage collection/timeout, it is necessary to keep the set structure alive until all elements have been deactivated and destroyed.

We cannot do a cancel_work_sync or flush_work in nft_set_destroy because it's called with the transaction mutex held, but the aforementioned async work queue might be blocked on the very mutex that nft_set_destroy() callchain is sitting on.

This gives us the choice of ABBA deadlock or UaF.

To avoid both, add set->refs refcount_t member. The GC API can then increment the set refcount and release it once the elements have been free'd.

Set backends are adapted to use the GC transaction API in a follow up patch entitled:

  ("netfilter: nf_tables: use gc transaction API in set backends")

This is joint work with Florian Westphal.

Fixes: cfed7e1b1f8e ("netfilter: nf_tables: add set garbage collection helpers")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Greg Rose <[email protected]>
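A single-threaded user-space model of the two-step GC transaction described above, added here as an illustration (not code from this pull request or the kernel): the lockless scan only sets the dead bit and collects pointers, and the commit step discards the whole transaction when the GC sequence moved. All struct and function names, the `check_seq` switch that reproduces the pre-fix behaviour, and the expiry values are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stddef.h>

#define NFT_SET_ELEM_DEAD_BIT 1u
#define MAX_ELEMS 8

struct elem {
    unsigned int flags;      /* NFT_SET_ELEM_DEAD_BIT set by the GC scan */
    unsigned long expires;   /* constructed expiry, in ticks */
    bool in_set;             /* still linked into the set */
    bool freed;              /* memory released (call_rcu() in the kernel) */
};

struct set {
    struct elem *elems[MAX_ELEMS];
    size_t n;
};

struct gc_trans {
    unsigned int seq;        /* gc_seq observed when the scan started */
    struct elem *dead[MAX_ELEMS];
    size_t ndead;
};

static unsigned int gc_seq;  /* bumped on every ruleset update */

/* Control plane removes an element with the transaction mutex held. The
 * sequence bump is what tells an in-flight GC transaction it is stale. */
static void control_plane_delete(struct elem *e)
{
    gc_seq++;
    e->in_set = false;
    e->freed = true;
}

/* Step 1 (lockless): flag expired elements dead so lookups skip them and
 * collect their pointers. Already-dead elements are collected again so an
 * aborted transaction is retried. Nothing is unlinked or freed here. */
static void gc_scan(struct gc_trans *t, const struct set *s, unsigned long now)
{
    t->seq = gc_seq;
    t->ndead = 0;
    for (size_t i = 0; i < s->n; i++) {
        struct elem *e = s->elems[i];
        if (!e->in_set)
            continue;
        if ((e->flags & NFT_SET_ELEM_DEAD_BIT) || e->expires <= now) {
            e->flags |= NFT_SET_ELEM_DEAD_BIT;
            t->dead[t->ndead++] = e;
        }
    }
}

/* Lookup path sees neither unlinked nor dead elements. */
static bool lookup_visible(const struct elem *e)
{
    return e->in_set && !(e->flags & NFT_SET_ELEM_DEAD_BIT);
}

/* Step 2 (mutex held): discard the transaction if the ruleset changed since
 * the scan; otherwise unlink and free the collected elements.
 * Returns the count freed, -1 if discarded, -2 if it touched freed memory. */
static int gc_commit(struct gc_trans *t, bool check_seq)
{
    if (check_seq && t->seq != gc_seq)
        return -1;
    int freed = 0;
    for (size_t i = 0; i < t->ndead; i++) {
        struct elem *e = t->dead[i];
        if (e->freed)
            return -2;   /* the use-after-free the sequence check prevents */
        e->in_set = false;
        e->freed = true;
        freed++;
    }
    return freed;
}

/* Constructed race: the element expires, GC scans it, then the control plane
 * deletes the same element before the GC work grabs the mutex. */
static int demo_race(bool check_seq)
{
    struct elem e = { .expires = 10, .in_set = true };
    struct set s = { .elems = { &e }, .n = 1 };
    struct gc_trans t;

    gc_seq = 0;
    gc_scan(&t, &s, 20);          /* 20 > 10: expired, now flagged dead */
    if (lookup_visible(&e) || t.ndead != 1)
        return -3;
    control_plane_delete(&e);     /* races with the pending GC commit */
    return gc_commit(&t, check_seq);
}

/* No interference: the commit proceeds and frees the element. */
static int demo_no_race(void)
{
    struct elem e = { .expires = 10, .in_set = true };
    struct set s = { .elems = { &e }, .n = 1 };
    struct gc_trans t;

    gc_seq = 0;
    gc_scan(&t, &s, 20);
    return gc_commit(&t, true);
}
```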
jira VULN-429
cve CVE-2023-4244
commit-author Pablo Neira Ayuso <[email protected]>
commit f6c383b8c31a93752a52697f8430a71dcbc46adf
upstream-diff - Upstream fuzz and conflicts. Resolved by pointing to 4.18.0-534 as the source of truth. Previous commit 5d235d6ce75c is completely overwritten by this commit so we're not backporting it.

Use the GC transaction API to replace the old and buggy gc API and the busy mark approach.

No set elements are removed from async garbage collection anymore, instead the _DEAD bit is set on so the set element is not visible from lookup path anymore. Async GC enqueues transaction work that might be aborted and retried later.

rbtree and pipapo set backends do not set on the _DEAD bit from the sync GC path since this runs in control plane path where mutex is held. In this case, set elements are deactivated, removed and then released via RCU callback, sync GC never fails.

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Fixes: 9d0982927e79 ("netfilter: nft_hash: add support for timeouts")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit f6c383b8c31a93752a52697f8430a71dcbc46adf)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit a2dd0233cbc4d8a0abb5f64487487ffc9265beb5
upstream-diff cherry-pick occasionally pulls in big blobs of unrelated crap. I had to excise significant portions of code in the process of resolving the conflicts. As per usual in this netfilter series I have relied on 4.18.0-534 code as a source of truth.

Ditch it, it has been replaced by the GC transaction API and it has no clients anymore.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit a2dd0233cbc4d8a0abb5f64487487ffc9265beb5)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit b9f052dc68f69dac89fe1e24693354c033daa091
upstream-diff Had to sync to the use of inline from the 4.18.0-534 and also found an upstream diff for lockdep_is_held that I also matched to the 4.18.0-534 kernel code.

->abort invocation may cause splat on debug kernels:

WARNING: suspicious RCU usage
net/netfilter/nft_set_pipapo.c:1697 suspicious rcu_dereference_check() usage!
[..]
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by nft/133554:
[..] (nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
[..]
 lockdep_rcu_suspicious+0x1ad/0x260
 nft_pipapo_abort+0x145/0x180
 __nf_tables_abort+0x5359/0x63d0
 nf_tables_abort+0x24/0x40
 nfnetlink_rcv+0x1a0a/0x22c0
 netlink_unicast+0x73c/0x900
 netlink_sendmsg+0x7f0/0xc20
 ____sys_sendmsg+0x48d/0x760

Transaction mutex is held, so parallel updates are not possible. Switch to _protected and check mutex is held for lockdep enabled builds.

Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit b9f052dc68f69dac89fe1e24693354c033daa091)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit 08713cb006b6f07434f276c5ee214fb20c7fd965

Jakub Kicinski says:
 We've got some new kdoc warnings here:
 net/netfilter/nft_set_pipapo.c:1557: warning: Function parameter or member '_set' not described in 'pipapo_gc'
 net/netfilter/nft_set_pipapo.c:1557: warning: Excess function parameter 'set' description in 'pipapo_gc'
 include/net/netfilter/nf_tables.h:577: warning: Function parameter or member 'dead' not described in 'nft_set'

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Reported-by: Jakub Kicinski <[email protected]>
Closes: https://lore.kernel.org/netdev/[email protected]/
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 08713cb006b6f07434f276c5ee214fb20c7fd965)
Signed-off-by: Greg Rose <[email protected]>
(cherry picked from commit ddcae6925219c35588313d4f84e103e8a885e457)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit 7845914f45f066497ac75b30c50dbc735e84e884

nftables selftests fail:
run-tests.sh testcases/sets/0044interval_overlap_0
Expected: 0-2 . 0-3, got:
W: [FAILED]     ./testcases/sets/0044interval_overlap_0: got 1

Insertion must ignore duplicate but expired entries.

Moreover, there is a strange asymmetry in nft_pipapo_activate: It refetches the current element, whereas the other ->activate callbacks (bitmap, hash, rhash, rbtree) use elem->priv. Same for .remove: other set implementations take elem->priv, nft_pipapo_remove fetches elem->priv, then does a relookup, remove this.

I suspect this was the reason for the change that prompted the removal of the expired check in pipapo_get() in the first place, but skipping expired elements there makes no sense to me, this helper is used for normal get requests, insertions (duplicate check) and deactivate callback.

In first two cases expired elements must be skipped.

For ->deactivate(), this gets called for DELSETELEM, so it seems to me that expired elements should be skipped as well, i.e. delete request should fail with -ENOENT error.

Fixes: 24138933b97b ("netfilter: nf_tables: don't skip expired elements during walk")
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 7845914f45f066497ac75b30c50dbc735e84e884)
Signed-off-by: Greg Rose <[email protected]>
… event exit path
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 6a33d8b73dfac0a41f3877894b38082bd0c9a5bc
upstream-diff There's a lot of fuzz and code differences - resolved in favor of the 534 release code.

Netlink event path is missing a synchronization point with GC transactions. Add GC sequence number update to netns release path and netlink event path, any GC transaction losing race will be discarded.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 6a33d8b73dfac0a41f3877894b38082bd0c9a5bc)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 02c6c24402bf1c1e986899c14ba22a10b510916b

Use maybe_get_net() since GC workqueue might race with netns exit path.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 02c6c24402bf1c1e986899c14ba22a10b510916b)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 720344340fb9be2765bbaab7b292ece0a4570eae
upstream-diff Some minor differences due to pernet goo - not important.

Abort path is missing a synchronization point with GC transactions. Add GC sequence number hence any GC transaction losing race will be discarded.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 720344340fb9be2765bbaab7b292ece0a4570eae)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 8357bc946a2abc2a10ca40e5a2105d2b4c57515e

Use nf_tables_gc_list_lock spinlock, not nf_tables_destroy_list_lock to protect the gc list.

Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit 8357bc946a2abc2a10ca40e5a2105d2b4c57515e)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit 5e1be4cdc98c989d5387ce94ff15b5ad06a5b681
upstream-diff Using the 4.18.0-534 code as an example.

Several instances of pipapo_resize() don't propagate allocation failures, this causes a crash when fault injection is enabled for gfp_kernel slabs.

Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Signed-off-by: Florian Westphal <[email protected]>
Reviewed-by: Stefano Brivio <[email protected]>
(cherry picked from commit 5e1be4cdc98c989d5387ce94ff15b5ad06a5b681)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit 8e51830e29e12670b4c10df070a4ea4c9593e961

Don't queue more gc work, else we may queue the same elements multiple times.

If an element is flagged as dead, this can mean that either the previous gc request was invalidated/discarded by a transaction or that the previous request is still pending in the system work queue.

The latter will happen if the gc interval is set to a very low value, e.g. 1ms, and system work queue is backlogged.

The sets refcount is 1 if no previous gc requests are queued, so add a helper for this and skip gc run if old requests are pending.

Add a helper for this and skip the gc run in this case.

Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Florian Westphal <[email protected]>
Reviewed-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 8e51830e29e12670b4c10df070a4ea4c9593e961)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Florian Westphal <[email protected]>
commit e3c361b8acd636f5fe80c02849ca175201edf10c
upstream-diff - Some cruft in nft_rule_lookup_byid() - resolved by using branch 4.18.0-534 as the source of truth.

nft_trans_FOO objects all share a common nft_trans base structure, but trailing fields depend on the real object size. Access is only safe after trans->msg_type check.

Check for rule type first.

Found by code inspection.

Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Signed-off-by: Florian Westphal <[email protected]>
(cherry picked from commit e3c361b8acd636f5fe80c02849ca175201edf10c)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216

Anonymous sets need to be populated once at creation and then they are bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound anonymous set before commit phase"), otherwise transaction reports EINVAL.

Userspace does not need to delete elements of anonymous sets that are not yet bound, reject this with EOPNOTSUPP.

From flush command path, skip anonymous sets, they are expected to be bound already. Otherwise, EINVAL is hit at the end of this transaction for unbound sets.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597
subsystem-sync netfilter:nf_tables 4.18.0-534
commit-author Pablo Neira Ayuso <[email protected]>
commit 0ce7cf4127f14078ca598ba9700d813178a59409

Do not update table flags from the preparation phase. Store the flags update into the transaction, then update the flags from the commit phase.

Signed-off-by: Pablo Neira Ayuso <[email protected]>
(cherry picked from commit 0ce7cf4127f14078ca598ba9700d813178a59409)
Signed-off-by: Greg Rose <[email protected]>
jira VULN-597 subsystem-sync netfilter:nf_tables 4.18.0-534 commit-author Pablo Neira Ayuso <[email protected]> commit 179d9ba5559a756f4322583388b3213fe4e391b0 upstream-diff Again some cruft around an upstream commit that Red Hat did not take - using 4.18.0-534 as the source of truth for the commit. The dormant flag need to be updated from the preparation phase, otherwise, two consecutive requests to dorm a table in the same batch might try to remove the same hooks twice, resulting in the following warning: hook not found, pf 3 num 0 WARNING: CPU: 0 PID: 334 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480 Modules linked in: CPU: 0 PID: 334 Comm: kworker/u4:5 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480 This patch is a partial revert of 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase") to restore the previous behaviour. However, there is still another problem: A batch containing a series of dorm-wakeup-dorm table and vice-versa also trigger the warning above since hook unregistration happens from the preparation phase, while hook registration occurs from the commit phase. To fix this problem, this patch adds two internal flags to annotate the original dormant flag status which are __NFT_TABLE_F_WAS_DORMANT and __NFT_TABLE_F_WAS_AWAKEN, to restore it from the abort path. The __NFT_TABLE_F_UPDATE bitmask allows to handle the dormant flag update with one single transaction. Reported-by: [email protected] Fixes: 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 179d9ba5559a756f4322583388b3213fe4e391b0) Signed-off-by: Greg Rose <[email protected]>
…once jira VULN-597 subsystem-sync netfilter:nf_tables 4.18.0-534 commit-author Florian Westphal <[email protected]> commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 upstream-diff Onced again cherry-pick pulls in unrelated cruft, the patch itself is fine - as per usual the source of truth is 4.18.0-534 nft -f -<<EOF add table ip t add table ip t { flags dormant; } add chain ip t c { type filter hook input priority 0; } add table ip t EOF Triggers a splat from nf core on next table delete because we lose track of right hook register state: WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook RIP: 0010:__nf_unregister_net_hook+0x41b/0x570 nf_unregister_net_hook+0xb4/0xf0 __nf_tables_unregister_hook+0x160/0x1d0 [..] The above should have table in *active* state, but in fact no hooks were registered. Reject on/off/on games rather than attempting to fix this. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Reported-by: "Lee, Cherie-Anne" <[email protected]> Cc: Bing-Jhong Billy Jheng <[email protected]> Cc: [email protected] Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1) Signed-off-by: Greg Rose <[email protected]>
jira VULN-597 cve CVE-2023-52581 commit-author Florian Westphal <[email protected]> commit cf5000a7787cbc10341091d37245a42c119d26c5 upstream-diff some cruft around GPL symbol exports When more than 255 elements expired we're supposed to switch to a new gc container structure. This never happens: u8 type will wrap before reaching the boundary and nft_trans_gc_space() always returns true. This means we recycle the initial gc container structure and lose track of the elements that came before. While at it, don't deref 'gc' after we've passed it to call_rcu. Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Reported-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: Florian Westphal <[email protected]> (cherry picked from commit cf5000a7787cbc10341091d37245a42c119d26c5) Signed-off-by: Greg Rose <[email protected]>
…ith timeout jira VULN-835 cve CVE-2024-26643 commit-author Pablo Neira Ayuso <[email protected]> commit 552705a3650bbf46a22b1adedc1b04181490fc36 While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from the commit path. Mingi Cho originally reported this issue in a different path in 6.1.x with a pipapo set with low timeouts which is not possible upstream since 7395dfacfff6 ("netfilter: nf_tables: use timestamp to check for set element timeout"). Fix this by setting on the dead flag for anonymous sets to skip async gc in this case. According to 08e4c8c5919f ("netfilter: nf_tables: mark newset as dead on transaction abort"), Florian plans to accelerate abort path by releasing objects via workqueue, therefore, this sets on the dead flag for abort path too. Cc: [email protected] Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane") Reported-by: Mingi Cho <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 552705a3650bbf46a22b1adedc1b04181490fc36) Signed-off-by: Greg Rose <[email protected]>
jira VULN-835 subsystem-sync netfilter:nf_tables 4.18.0-534 commit-author Pablo Neira Ayuso <[email protected]> commit 6509a2e410c3cb36c78a0a85c6102debe171337e upstream-diff - A conflict in nft_pipapo_flush resolved by favoring the 4.18.0-0-534 tagged code. .flush is always successful since this results from iterating over the set elements to toggle mark the element as inactive in the next generation. Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 6509a2e410c3cb36c78a0a85c6102debe171337e) Signed-off-by: Greg Rose <[email protected]> Conflicts: net/netfilter/nft_set_pipapo.c
jira VULN-683 cve CVE-2023-6622 commit-author Pablo Neira Ayuso <[email protected]> commit 3701cd390fd731ee7ae8b8006246c8db82c72bea If dynset expressions provided by userspace is larger than the declared set expressions, then bail out. Fixes: 48b0ae046ee9 ("netfilter: nftables: netlink support for several set element expressions") Reported-by: Xingyuan Mo <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 3701cd390fd731ee7ae8b8006246c8db82c72bea) Signed-off-by: Greg Rose <[email protected]>
jira VULN-827 cve CVE-2024-26642 commit-author Pablo Neira Ayuso <[email protected]> commit 16603605b667b70da974bea8216c93e7db043bf1 Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work. Cc: [email protected] Fixes: 761da2935d6e ("netfilter: nf_tables: add set timeout API support") Reported-by: lonial con <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 16603605b667b70da974bea8216c93e7db043bf1) Signed-off-by: Greg Rose <[email protected]>
jira VULN-7047 cve CVE-2024-27397 commit-author Pablo Neira Ayuso <[email protected]> commit 7395dfacfff65e9938ac0889dafa1ab01e987d15 upstream-diff Significant code drift, fuzz, conflicts and every other dumb thing cherry-pick can do while pulling something new into something ancient. Tried to stay true to the resf_kernel-4.18.0-553.8.1.el8_10 tagged code. Add a timestamp field at the beginning of the transaction, store it in the nftables per-netns area. Update set backend .insert, .deactivate and sync gc path to use the timestamp, this avoids that an element expires while control plane transaction is still unfinished. .lookup and .update, which are used from packet path, still use the current time to check if the element has expired. And .get path and dump also since this runs lockless under rcu read size lock. Then, there is async gc which also needs to check the current time since it runs asynchronously from a workqueue. Fixes: c3e1b005ed1c ("netfilter: nf_tables: add set element timeout support") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 7395dfacfff65e9938ac0889dafa1ab01e987d15) Signed-off-by: Greg Rose <[email protected]> Conflicts: include/net/netfilter/nf_tables.h net/netfilter/nf_tables_api.c net/netfilter/nft_set_pipapo.c net/netfilter/nft_set_rbtree.c
…ent path jira VULN-5238 cve CVE-2024-36005 commit-author Pablo Neira Ayuso <[email protected]> commit 8e30abc9ace4f0add4cd761dfdbfaebae5632dd2 Check for table dormant flag otherwise netdev release event path tries to unregister an already unregistered hook. [524854.857999] ------------[ cut here ]------------ [524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260 [...] [524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365 [524854.858869] Workqueue: netns cleanup_net [524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260 [524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41 [524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246 [524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a [524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438 [524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34 [524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005 [524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00 [524854.858971] FS: 0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000 [524854.858982] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0 [524854.859000] Call Trace: [524854.859006] <TASK> [524854.859013] ? __warn+0x9f/0x1a0 [524854.859027] ? __nf_unregister_net_hook+0x21a/0x260 [524854.859044] ? report_bug+0x1b1/0x1e0 [524854.859060] ? handle_bug+0x3c/0x70 [524854.859071] ? exc_invalid_op+0x17/0x40 [524854.859083] ? asm_exc_invalid_op+0x1a/0x20 [524854.859100] ? __nf_unregister_net_hook+0x6a/0x260 [524854.859116] ? 
__nf_unregister_net_hook+0x21a/0x260 [524854.859135] nf_tables_netdev_event+0x337/0x390 [nf_tables] [524854.859304] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859461] ? packet_notifier+0xb3/0x360 [524854.859476] ? _raw_spin_unlock_irqrestore+0x11/0x40 [524854.859489] ? dcbnl_netdevice_event+0x35/0x140 [524854.859507] ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables] [524854.859661] notifier_call_chain+0x7d/0x140 [524854.859677] unregister_netdevice_many_notify+0x5e1/0xae0 Fixes: d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 8e30abc9ace4f0add4cd761dfdbfaebae5632dd2) Signed-off-by: Greg Rose <[email protected]>
jira VULN-4969 subsystem-sync netfilter:nf_tables 4.18.0-553.16.1 commit-author Pablo Neira Ayuso <[email protected]> commit a45e6889575c2067d3c0212b6bc1022891e65b91 Unlike early commit path stage which triggers a call to abort, an explicit release of the batch is required on abort, otherwise mutex is released and commit_list remains in place. Add WARN_ON_ONCE to ensure commit_list is empty from the abort path before releasing the mutex. After this patch, commit_list is always assumed to be empty before grabbing the mutex, therefore 03c1f1ef1584 ("netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()") only needs to release the pending modules for registration. Cc: [email protected] Fixes: c0391b6ab810 ("netfilter: nf_tables: missing validation from the abort path") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit a45e6889575c2067d3c0212b6bc1022891e65b91) Signed-off-by: Greg Rose <[email protected]>
jira VULN-4905 cve CVE-2024-26925 commit-author Pablo Neira Ayuso <[email protected]> commit 0d459e2ffb541841714839e8228b845458ed3b27 The commit mutex should not be released during the critical section between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC worker could collect expired objects and get the released commit lock within the same GC sequence. nf_tables_module_autoload() temporarily releases the mutex to load module dependencies, then it goes back to replay the transaction again. Move it at the end of the abort phase after nft_gc_seq_end() is called. Cc: [email protected] Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path") Reported-by: Kuan-Ting Chen <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 0d459e2ffb541841714839e8228b845458ed3b27) Signed-off-by: Greg Rose <[email protected]>
jira VULN-4969 subsystem-sync netfilter:nf_tables 4.18.0-553.16.1 commit-author Pablo Neira Ayuso <[email protected]> commit 9cff126f73a7025bcb0883189b2bed90010a57d4 In case that there are two types, prefer the family specify extension. Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 9cff126f73a7025bcb0883189b2bed90010a57d4) Signed-off-by: Greg Rose <[email protected]>
jira VULN-4969 cve CVE-2024-27020 commit-author Ziyang Xuan <[email protected]> commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf nft_unregister_expr() can concurrent with __nft_expr_type_get(), and there is not any protection when iterate over nf_tables_expressions list in __nft_expr_type_get(). Therefore, there is potential data-race of nf_tables_expressions list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_expressions list in __nft_expr_type_get(), and use rcu_read_lock() in the caller nft_expr_type_get() to protect the entire type query process. Fixes: ef1f7df9170d ("netfilter: nf_tables: expression ops overloading") Signed-off-by: Ziyang Xuan <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit f969eb84ce482331a991079ab7a5c4dc3b7f89bf) Signed-off-by: Greg Rose <[email protected]>
jira VULN-4961 cve CVE-2024-27019 commit-author Ziyang Xuan <[email protected]> commit d78d867dcea69c328db30df665be5be7d0148484 upstream-diff The cherry-pick tried to pull in extra cruft not part of the upstream patch. I have resolved the conflicts in favor of the 4.18.0-553.16.1 tagged code. nft_unregister_obj() can concurrent with __nft_obj_type_get(), and there is not any protection when iterate over nf_tables_objects list in __nft_obj_type_get(). Therefore, there is potential data-race of nf_tables_objects list entry. Use list_for_each_entry_rcu() to iterate over nf_tables_objects list in __nft_obj_type_get(), and use rcu_read_lock() in the caller nft_obj_type_get() to protect the entire type query process. Fixes: e50092404c1b ("netfilter: nf_tables: add stateful objects") Signed-off-by: Ziyang Xuan <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit d78d867dcea69c328db30df665be5be7d0148484) Signed-off-by: Greg Rose <[email protected]> Conflicts: net/netfilter/nf_tables_api.c
jira VULN-4985 cve CVE-2024-27065 commit-author Pablo Neira Ayuso <[email protected]> commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139 Restore skipping transaction if table update does not modify flags. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 4a0e7f2decbf9bd72461226f1f5f7dcc4b08f139) Signed-off-by: Greg Rose <[email protected]>
jira VULN-5126 cve CVE-2024-35899 commit-author Pablo Neira Ayuso <[email protected]> commit 24cea9677025e0de419989ecb692acd4bb34cac2 Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier") to address a race between exit_net and the destroy workqueue. The trace below shows an element to be released via destroy workqueue while exit_net path (triggered via module removal) has already released the set that is used in such transaction. [ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465 [ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359 [ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables] [ 1360.547984] Call Trace: [ 1360.547991] <TASK> [ 1360.547998] dump_stack_lvl+0x53/0x70 [ 1360.548014] print_report+0xc4/0x610 [ 1360.548026] ? __virt_addr_valid+0xba/0x160 [ 1360.548040] ? __pfx__raw_spin_lock_irqsave+0x10/0x10 [ 1360.548054] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548176] kasan_report+0xae/0xe0 [ 1360.548189] ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548312] nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables] [ 1360.548447] ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables] [ 1360.548577] ? _raw_spin_unlock_irq+0x18/0x30 [ 1360.548591] process_one_work+0x2f1/0x670 [ 1360.548610] worker_thread+0x4d3/0x760 [ 1360.548627] ? __pfx_worker_thread+0x10/0x10 [ 1360.548640] kthread+0x16b/0x1b0 [ 1360.548653] ? __pfx_kthread+0x10/0x10 [ 1360.548665] ret_from_fork+0x2f/0x50 [ 1360.548679] ? 
__pfx_kthread+0x10/0x10 [ 1360.548690] ret_from_fork_asm+0x1a/0x30 [ 1360.548707] </TASK> [ 1360.548719] Allocated by task 192061: [ 1360.548726] kasan_save_stack+0x20/0x40 [ 1360.548739] kasan_save_track+0x14/0x30 [ 1360.548750] __kasan_kmalloc+0x8f/0xa0 [ 1360.548760] __kmalloc_node+0x1f1/0x450 [ 1360.548771] nf_tables_newset+0x10c7/0x1b50 [nf_tables] [ 1360.548883] nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink] [ 1360.548909] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] [ 1360.548927] netlink_unicast+0x367/0x4f0 [ 1360.548935] netlink_sendmsg+0x34b/0x610 [ 1360.548944] ____sys_sendmsg+0x4d4/0x510 [ 1360.548953] ___sys_sendmsg+0xc9/0x120 [ 1360.548961] __sys_sendmsg+0xbe/0x140 [ 1360.548971] do_syscall_64+0x55/0x120 [ 1360.548982] entry_SYSCALL_64_after_hwframe+0x55/0x5d [ 1360.548994] Freed by task 192222: [ 1360.548999] kasan_save_stack+0x20/0x40 [ 1360.549009] kasan_save_track+0x14/0x30 [ 1360.549019] kasan_save_free_info+0x3b/0x60 [ 1360.549028] poison_slab_object+0x100/0x180 [ 1360.549036] __kasan_slab_free+0x14/0x30 [ 1360.549042] kfree+0xb6/0x260 [ 1360.549049] __nft_release_table+0x473/0x6a0 [nf_tables] [ 1360.549131] nf_tables_exit_net+0x170/0x240 [nf_tables] [ 1360.549221] ops_exit_list+0x50/0xa0 [ 1360.549229] free_exit_list+0x101/0x140 [ 1360.549236] unregister_pernet_operations+0x107/0x160 [ 1360.549245] unregister_pernet_subsys+0x1c/0x30 [ 1360.549254] nf_tables_module_exit+0x43/0x80 [nf_tables] [ 1360.549345] __do_sys_delete_module+0x253/0x370 [ 1360.549352] do_syscall_64+0x55/0x120 [ 1360.549360] entry_SYSCALL_64_after_hwframe+0x55/0x5d (gdb) list *__nft_release_table+0x473 0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354). 
11349 list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) { 11350 list_del(&flowtable->list); 11351 nft_use_dec(&table->use); 11352 nf_tables_flowtable_destroy(flowtable); 11353 } 11354 list_for_each_entry_safe(set, ns, &table->sets, list) { 11355 list_del(&set->list); 11356 nft_use_dec(&table->use); 11357 if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT)) 11358 nft_map_deactivate(&ctx, set); (gdb) [ 1360.549372] Last potentially related work creation: [ 1360.549376] kasan_save_stack+0x20/0x40 [ 1360.549384] __kasan_record_aux_stack+0x9b/0xb0 [ 1360.549392] __queue_work+0x3fb/0x780 [ 1360.549399] queue_work_on+0x4f/0x60 [ 1360.549407] nft_rhash_remove+0x33b/0x340 [nf_tables] [ 1360.549516] nf_tables_commit+0x1c6a/0x2620 [nf_tables] [ 1360.549625] nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink] [ 1360.549647] nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink] [ 1360.549671] netlink_unicast+0x367/0x4f0 [ 1360.549680] netlink_sendmsg+0x34b/0x610 [ 1360.549690] ____sys_sendmsg+0x4d4/0x510 [ 1360.549697] ___sys_sendmsg+0xc9/0x120 [ 1360.549706] __sys_sendmsg+0xbe/0x140 [ 1360.549715] do_syscall_64+0x55/0x120 [ 1360.549725] entry_SYSCALL_64_after_hwframe+0x55/0x5d Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 24cea9677025e0de419989ecb692acd4bb34cac2) Signed-off-by: Greg Rose <[email protected]>
jira VULN-5134 cve CVE-2024-35900 commit-author Pablo Neira Ayuso <[email protected]> commit 994209ddf4f430946f6247616b2e33d179243769 upstream-diff Fixed up a couple of small conflicts introduced by cherry picking from a very new source back into an ancient source. When dormant flag is toggled, hooks are disabled in the commit phase by iterating over current chains in table (existing and new). The following configuration allows for an inconsistent state: add table x add chain x y { type filter hook input priority 0; } add table x { flags dormant; } add chain x w { type filter hook input priority 1; } which triggers the following warning when trying to unregister chain w which is already unregistered. [ 127.322252] WARNING: CPU: 7 PID: 1211 at net/netfilter/core.c:50 1 __nf_unregister_net_hook+0x21a/0x260 [...] [ 127.322519] Call Trace: [ 127.322521] <TASK> [ 127.322524] ? __warn+0x9f/0x1a0 [ 127.322531] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322537] ? report_bug+0x1b1/0x1e0 [ 127.322545] ? handle_bug+0x3c/0x70 [ 127.322552] ? exc_invalid_op+0x17/0x40 [ 127.322556] ? asm_exc_invalid_op+0x1a/0x20 [ 127.322563] ? kasan_save_free_info+0x3b/0x60 [ 127.322570] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322577] ? __nf_unregister_net_hook+0x21a/0x260 [ 127.322583] ? __nf_unregister_net_hook+0x6a/0x260 [ 127.322590] ? __nf_tables_unregister_hook+0x8a/0xe0 [nf_tables] [ 127.322655] nft_table_disable+0x75/0xf0 [nf_tables] [ 127.322717] nf_tables_commit+0x2571/0x2620 [nf_tables] Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 994209ddf4f430946f6247616b2e33d179243769) Signed-off-by: Greg Rose <[email protected]> Conflicts: net/netfilter/nf_tables_api.c
jira VULN-5118 subsystem-sync netfilter:nf_tables 4.18.0-553.16.1 commit-author Pablo Neira Ayuso <[email protected]> commit 1e1fb6f00f52812277963365d9bd835b9b0ea4e0 upstream-diff The upstream diff brings in cruft we don't want, and will be superseded by the next commit but is here to maintain history. netdev basechain updates are stored in the transaction object hook list. When setting on the table dormant flag, it iterates over the existing hooks in the basechain. Thus, skipping the hooks that are being added/deleted in this transaction, which leaves hook registration in inconsistent state. Reject table flag updates in combination with netdev basechain updates in the same batch: - Update table flags and add/delete basechain: Check from basechain update path if there are pending flag updates for this table. - add/delete basechain and update table flags: Iterate over the transaction list to search for basechain updates from the table update path. In both cases, the batch is rejected. Based on suggestion from Florian Westphal. Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Fixes: 7d937b107108f ("netfilter: nf_tables: support for deleting devices in an existing netdev chain") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 1e1fb6f00f52812277963365d9bd835b9b0ea4e0) Signed-off-by: Greg Rose <[email protected]> Conflicts: net/netfilter/nf_tables_api.c
…n deletion jira VULN-5118 cve CVE-2024-35897 commit-author Pablo Neira Ayuso <[email protected]> commit 1bc83a019bbe268be3526406245ec28c2458a518 Hook unregistration is deferred to the commit phase, same occurs with hook updates triggered by the table dormant flag. When both commands are combined, this results in deleting a basechain while leaving its hook still registered in the core. Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <[email protected]> (cherry picked from commit 1bc83a019bbe268be3526406245ec28c2458a518) Signed-off-by: Greg Rose <[email protected]>
This is a sync from https://github.com/ctrliq/kernel-src-tree/releases/tag/fips-legacy-8-compliant_4.18.0-425.13.1.el8.ciqfipscompliant.36.1

ctrliq/kernel-src-tree#8
ctrliq/kernel-src-tree#7
ctrliq/kernel-src-tree#6
ctrliq/kernel-src-tree#2

The only missing commit is related to .githubactions, which is non-impacting to the source code. We need to make sure extra large runners are enabled and likely turn off the aarch64 actions for the FIPS branches. I will merge locally (ff merge) and push this once approved.