* [PATCH nft 0/2] Prevent kernel from adding concatenated ranges if they're not supported
From: Stefano Brivio @ 2020-04-13 19:48 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This series fixes the nft crash recently reported by Pablo with older
(< 5.6) kernels: use the NFT_SET_CONCAT flag whenever we send a set
including concatenated ranges, so that kernels not supporting them
will not add them altogether, and we won't crash while trying to list
the malformed sets that are added as a result.
Stefano Brivio (2):
include: Resync nf_tables.h cache copy
src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
include/linux/netfilter/nf_tables.h | 2 ++
src/evaluate.c | 9 ++++++++-
2 files changed, 10 insertions(+), 1 deletion(-)
--
2.25.1
* [PATCH nft 1/2] include: Resync nf_tables.h cache copy
From: Stefano Brivio @ 2020-04-13 19:48 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Get this header in sync with nf.git as of commit ef516e8625dd.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
include/linux/netfilter/nf_tables.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 30f2a87270dc..4565456c0ef4 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -276,6 +276,7 @@ enum nft_rule_compat_attributes { * @NFT_SET_TIMEOUT: set uses timeouts * @NFT_SET_EVAL: set can be updated from the evaluation path * @NFT_SET_OBJECT: set contains stateful objects + * @NFT_SET_CONCAT: set contains a concatenation */ enum nft_set_flags { NFT_SET_ANONYMOUS = 0x1, @@ -285,6 +286,7 @@ enum nft_set_flags { NFT_SET_TIMEOUT = 0x10, NFT_SET_EVAL = 0x20, NFT_SET_OBJECT = 0x40, + NFT_SET_CONCAT = 0x80, }; /**
--
2.25.1
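Review bot: the header resync itself looks right (the @NFT_SET_CONCAT doc line and the 0x80 value follow the existing enum ordering), but the commit message only cites nf.git commit ef516e8625dd while the cover letter speaks of "< 5.6" kernels; since this is a cache copy of a UAPI header, a reader cannot tell from it which kernel releases honour NFT_SET_CONCAT and which will reject it as an unknown flag bit, so suggest naming the first kernel release that carries ef516e8625dd in the commit message.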
* [PATCH nft 2/2] src: Set NFT_SET_CONCAT flag for sets with concatenated ranges
From: Stefano Brivio @ 2020-04-13 19:48 UTC
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Pablo reports that nft, after commit 8ac2f3b2fca3 ("src: Add support for
concatenated set ranges"), crashes with older kernels (< 5.6) without
support for concatenated set ranges: those sets will be sent to the
kernel, which adds them without notion of the fact that different
concatenated fields are actually included, and nft crashes while trying
to list this kind of malformed concatenation.
Use the NFT_SET_CONCAT flag introduced by kernel commit ef516e8625dd
("netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag") when sets
including concatenated ranges are sent to the kernel, so that older
kernels (with no knowledge of this flag itself) will refuse set creation.
Note that, in expr_evaluate_set(), we have to check for the presence of
the flag, also on empty sets that might carry it in context data, and
actually set it in the actual set flags.
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
src/evaluate.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/evaluate.c b/src/evaluate.c
index fcc79386b325..91901921155f 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1382,10 +1382,16 @@ static int expr_evaluate_set(struct eval_ctx *ctx, struct expr **expr) set->size += i->size - 1; set->set_flags |= i->set_flags; expr_free(i); - } else if (!expr_is_singleton(i)) + } else if (!expr_is_singleton(i)) { set->set_flags |= NFT_SET_INTERVAL; + if (i->key->etype == EXPR_CONCAT) + set->set_flags |= NFT_SET_CONCAT; + } } + if (ctx->set && ctx->set->flags & (NFT_SET_CONCAT)) + set->set_flags |= NFT_SET_CONCAT; + set->set_flags |= NFT_SET_CONSTANT; datatype_set(set, ctx->ectx.dtype); @@ -3463,6 +3469,7 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) memcpy(&set->desc.field_len, &set->key->field_len, sizeof(set->desc.field_len)); set->desc.field_count = set->key->field_count; + set->flags |= NFT_SET_CONCAT; } if (set_is_datamap(set->flags)) {
--
2.25.1
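Review bot: in the expr_evaluate_set() hunk, `i->key->etype == EXPR_CONCAT` dereferences `key` with no check on the type of `i` itself; the only guard on this branch is `!expr_is_singleton(i)`, so if a map element (EXPR_MAPPING, whose set element hangs off `left`) can reach it, the concatenation is read from the wrong member and the flag is missed. Suggest testing `i->etype == EXPR_SET_ELEM` before looking at `i->key`, or handling the mapping case explicitly. Minor style point in the same hunk: `ctx->set->flags & (NFT_SET_CONCAT)` does not need the parentheses around a single flag.

Review bot: in the set_evaluate() hunk, `set->flags |= NFT_SET_CONCAT;` is added unconditionally inside the block that copies `field_len` and `field_count` from the key, that is, for every set whose key is a concatenation, whereas the commit message scopes the flag to sets including concatenated ranges. Given that the cover letter says kernels without knowledge of the flag refuse set creation, this would also make plain (non-interval) concatenated sets fail on those kernels, which handled them before. Suggest setting the flag here only when `set->flags & NFT_SET_INTERVAL` is also set, matching the expr_evaluate_set() hunk, which only sets it next to NFT_SET_INTERVAL.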
* Re: [PATCH nft 0/2] Prevent kernel from adding concatenated ranges if they're not supported
From: Pablo Neira Ayuso @ 2020-04-14 21:16 UTC
To: Stefano Brivio; +Cc: netfilter-devel
On Mon, Apr 13, 2020 at 09:48:01PM +0200, Stefano Brivio wrote:
> This series fixes the nft crash recently reported by Pablo with older
> (< 5.6) kernels: use the NFT_SET_CONCAT flag whenever we send a set
> including concatenated ranges, so that kernels not supporting them
> will not add them altogether, and we won't crash while trying to list
> the malformed sets that are added as a result.
Applied, thanks.