[PATCH nf v2] netfilter: nf_tables: fix destination register zeroing

[PATCH nf v2] netfilter: nf_tables: fix destination register zeroing

[Florian Westphal]

Following bug was reported via irc:
nft list ruleset
   set knock_candidates_ipv4 {
      type ipv4_addr . inet_service
      size 65535
      elements = { 127.0.0.1 . 123,
                   127.0.0.1 . 123 }
      }
 ..
   udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
   udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }

It should not have been possible to add a duplicate set entry.

After some debugging it turned out that the problem is the immediate
value (123) in the second-to-last rule.

Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
not 6 and it turns out the kernel inserted

inet firewall @knock_candidates_ipv4
        element 0100007f ffff7b00  : 0 [end]
        element 0100007f 00007b00  : 0 [end]

Note the non-zero upper bits of the first element.  It turns out that
nft_immediate doesn't zero the destination register, but this is needed
when the length isn't a multiple of 4.

Furthermore, the zeroing in nft_payload is broken.  We can't use
[len / 4] = 0 -- if len is a multiple of 4, index is off by one.

Skip zeroing in this case and use a conditional instead of (len -1) / 4.

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 v2: revisit commit message.  No other changes.

 include/net/netfilter/nf_tables.h | 2 ++
 net/netfilter/nft_payload.c       | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index bf9491b77d16..224d194ad29d 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(const u32 *sreg)
 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 				 unsigned int len)
 {
+	if (len % NFT_REG32_SIZE)
+		dst[len / NFT_REG32_SIZE] = 0;
 	memcpy(dst, src, len);
 }
 
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index ed7cb9f747f6..7a2e59638499 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -87,7 +87,9 @@ void nft_payload_eval(const struct nft_expr *expr,
 	u32 *dest = &regs->data[priv->dreg];
 	int offset;
 
-	dest[priv->len / NFT_REG32_SIZE] = 0;
+	if (priv->len % NFT_REG32_SIZE)
+		dest[priv->len / NFT_REG32_SIZE] = 0;
+
 	switch (priv->base) {
 	case NFT_PAYLOAD_LL_HEADER:
 		if (!skb_mac_header_was_set(skb))
-- 
2.26.2

Re: [PATCH nf v2] netfilter: nf_tables: fix destination register zeroing

[Pablo Neira Ayuso]

On Thu, Aug 20, 2020 at 09:05:50PM +0200, Florian Westphal wrote:
> Following bug was reported via irc:
> nft list ruleset
>    set knock_candidates_ipv4 {
>       type ipv4_addr . inet_service
>       size 65535
>       elements = { 127.0.0.1 . 123,
>                    127.0.0.1 . 123 }
>       }
>  ..
>    udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
>    udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
> 
> It should not have been possible to add a duplicate set entry.
> 
> After some debugging it turned out that the problem is the immediate
> value (123) in the second-to-last rule.
> 
> Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
> not 6 and it turns out the kernel inserted
> 
> inet firewall @knock_candidates_ipv4
>         element 0100007f ffff7b00  : 0 [end]
>         element 0100007f 00007b00  : 0 [end]
> 
> Note the non-zero upper bits of the first element.  It turns out that
> nft_immediate doesn't zero the destination register, but this is needed
> when the length isn't a multiple of 4.
> 
> Furthermore, the zeroing in nft_payload is broken.  We can't use
> [len / 4] = 0 -- if len is a multiple of 4, index is off by one.
> 
> Skip zeroing in this case and use a conditional instead of (len -1) / 4.

Applied, thanks.