[PATCH net 0/3] Netfilter fixes for net

[PATCH net 0/3] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Update .gitignore in selftest to skip conntrack_reverse_clash,
   from Li Zhijian.

2) Fix conntrack_dump_flush return values, from Guan Jing.

3) syzbot found that ipset's bitmap type does not properly checks for
   bitmap's first ip, from Jeongjun Park.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14

Thanks.

----------------------------------------------------------------

The following changes since commit 50ae879de107ca2fe2ca99180f6ba95770f32a62:

  Merge tag 'nf-24-10-31' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf (2024-10-31 12:13:08 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-11-14

for you to fetch changes up to 35f56c554eb1b56b77b3cf197a6b00922d49033d:

  netfilter: ipset: add missing range check in bitmap_ip_uadt (2024-11-14 13:47:26 +0100)

----------------------------------------------------------------
netfilter pull request 24-11-14

----------------------------------------------------------------
Jeongjun Park (1):
      netfilter: ipset: add missing range check in bitmap_ip_uadt

Li Zhijian (1):
      selftests: netfilter: Add missing gitignore file

guanjing (1):
      selftests: netfilter: Fix missing return values in conntrack_dump_flush

 net/netfilter/ipset/ip_set_bitmap_ip.c                       | 7 ++-----
 tools/testing/selftests/net/netfilter/.gitignore             | 1 +
 tools/testing/selftests/net/netfilter/conntrack_dump_flush.c | 6 ++++++
 3 files changed, 9 insertions(+), 5 deletions(-)

[PATCH net 1/3] selftests: netfilter: Add missing gitignore file

[Pablo Neira Ayuso]

From: Li Zhijian <lizhijian@fujitsu.com>

Compiled binary files should be added to .gitignore
'git status' complains:
   Untracked files:
   (use "git add <file>..." to include in what will be committed)
         net/netfilter/conntrack_reverse_clash

Signed-off-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 tools/testing/selftests/net/netfilter/.gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tools/testing/selftests/net/netfilter/.gitignore b/tools/testing/selftests/net/netfilter/.gitignore
index 0a64d6d0e29a..64c4f8d9aa6c 100644
--- a/tools/testing/selftests/net/netfilter/.gitignore
+++ b/tools/testing/selftests/net/netfilter/.gitignore
@@ -2,5 +2,6 @@
 audit_logread
 connect_close
 conntrack_dump_flush
+conntrack_reverse_clash
 sctp_collision
 nf_queue
-- 
2.30.2

Re: [PATCH net 1/3] selftests: netfilter: Add missing gitignore file

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 14 Nov 2024 13:57:21 +0100 you wrote:
> From: Li Zhijian <lizhijian@fujitsu.com>
> 
> Compiled binary files should be added to .gitignore
> 'git status' complains:
>    Untracked files:
>    (use "git add <file>..." to include in what will be committed)
>          net/netfilter/conntrack_reverse_clash
> 
> [...]

Here is the summary with links:
  - [net,1/3] selftests: netfilter: Add missing gitignore file
    https://git.kernel.org/netdev/net/c/df6cb25f0779
  - [net,2/3] selftests: netfilter: Fix missing return values in conntrack_dump_flush
    https://git.kernel.org/netdev/net/c/041bd1e4f2d8
  - [net,3/3] netfilter: ipset: add missing range check in bitmap_ip_uadt
    https://git.kernel.org/netdev/net/c/35f56c554eb1

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 2/3] selftests: netfilter: Fix missing return values in conntrack_dump_flush

[Pablo Neira Ayuso]

From: guanjing <guanjing@cmss.chinamobile.com>

Fix the bug of some functions were missing return values.

Fixes: eff3c558bb7e ("netfilter: ctnetlink: support filtering by zone")
Signed-off-by: Guan Jing <guanjing@cmss.chinamobile.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 .../testing/selftests/net/netfilter/conntrack_dump_flush.c  | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c
index 254ff03297f0..5f827e10717d 100644
--- a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c
+++ b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c
@@ -43,6 +43,8 @@ static int build_cta_tuple_v4(struct nlmsghdr *nlh, int type,
 	mnl_attr_nest_end(nlh, nest_proto);
 
 	mnl_attr_nest_end(nlh, nest);
+
+	return 0;
 }
 
 static int build_cta_tuple_v6(struct nlmsghdr *nlh, int type,
@@ -71,6 +73,8 @@ static int build_cta_tuple_v6(struct nlmsghdr *nlh, int type,
 	mnl_attr_nest_end(nlh, nest_proto);
 
 	mnl_attr_nest_end(nlh, nest);
+
+	return 0;
 }
 
 static int build_cta_proto(struct nlmsghdr *nlh)
@@ -90,6 +94,8 @@ static int build_cta_proto(struct nlmsghdr *nlh)
 	mnl_attr_nest_end(nlh, nest_proto);
 
 	mnl_attr_nest_end(nlh, nest);
+
+	return 0;
 }
 
 static int conntrack_data_insert(struct mnl_socket *sock, struct nlmsghdr *nlh,
-- 
2.30.2

[PATCH net 3/3] netfilter: ipset: add missing range check in bitmap_ip_uadt

[Pablo Neira Ayuso]

From: Jeongjun Park <aha310510@gmail.com>

When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.

So we should add missing range checks and remove unnecessary range checks.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index e4fa00abde6a..5988b9bb9029 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 		ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to);
 		if (ret)
 			return ret;
-		if (ip > ip_to) {
+		if (ip > ip_to)
 			swap(ip, ip_to);
-			if (ip < map->first_ip)
-				return -IPSET_ERR_BITMAP_RANGE;
-		}
 	} else if (tb[IPSET_ATTR_CIDR]) {
 		u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
 
@@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
 		ip_to = ip;
 	}
 
-	if (ip_to > map->last_ip)
+	if (ip < map->first_ip || ip_to > map->last_ip)
 		return -IPSET_ERR_BITMAP_RANGE;
 
 	for (; !before(ip_to, ip); ip += map->hosts) {
-- 
2.30.2

Re: [PATCH net 0/3] Netfilter fixes for net

[Paolo Abeni]

On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> The following patchset contains Netfilter fixes for net:
> 
> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
>    from Li Zhijian.
> 
> 2) Fix conntrack_dump_flush return values, from Guan Jing.
> 
> 3) syzbot found that ipset's bitmap type does not properly checks for
>    bitmap's first ip, from Jeongjun Park.
> 
> Please, pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14

Almost over the air collision, I just sent the net PR for -rc8. Do any
of the above fixes have a strong need to land into 6.12?

/P

Re: [PATCH net 0/3] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> > The following patchset contains Netfilter fixes for net:
> > 
> > 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
> >    from Li Zhijian.
> > 
> > 2) Fix conntrack_dump_flush return values, from Guan Jing.
> > 
> > 3) syzbot found that ipset's bitmap type does not properly checks for
> >    bitmap's first ip, from Jeongjun Park.
> > 
> > Please, pull these changes from:
> > 
> >   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
> 
> Almost over the air collision, I just sent the net PR for -rc8. Do any
> of the above fixes have a strong need to land into 6.12?

selftests fixes are trivial.

ipset fix would be good to have.

But if this is pushing things too much too the limit on your side,
then skip.

Re: [PATCH net 0/3] Netfilter fixes for net

[Paolo Abeni]

On 11/14/24 16:00, Pablo Neira Ayuso wrote:
> On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
>> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
>>> The following patchset contains Netfilter fixes for net:
>>>
>>> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
>>>    from Li Zhijian.
>>>
>>> 2) Fix conntrack_dump_flush return values, from Guan Jing.
>>>
>>> 3) syzbot found that ipset's bitmap type does not properly checks for
>>>    bitmap's first ip, from Jeongjun Park.
>>>
>>> Please, pull these changes from:
>>>
>>>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
>>
>> Almost over the air collision, I just sent the net PR for -rc8. Do any
>> of the above fixes have a strong need to land into 6.12?
> 
> selftests fixes are trivial.
> 
> ipset fix would be good to have.
> 
> But if this is pushing things too much too the limit on your side,
> then skip.

I would need to take back the already shared net PR. I prefer to avoid
such a thing to avoid confusion with the process, especially for non
critical stuff.

It looks like the ipset fix addresses a quite ancient issue, I
guess/hope it's not extremely critical.

/P

Re: [PATCH net 0/3] Netfilter fixes for net

[Pablo Neira Ayuso]

On Thu, Nov 14, 2024 at 04:31:48PM +0100, Paolo Abeni wrote:
> On 11/14/24 16:00, Pablo Neira Ayuso wrote:
> > On Thu, Nov 14, 2024 at 03:54:56PM +0100, Paolo Abeni wrote:
> >> On 11/14/24 13:57, Pablo Neira Ayuso wrote:
> >>> The following patchset contains Netfilter fixes for net:
> >>>
> >>> 1) Update .gitignore in selftest to skip conntrack_reverse_clash,
> >>>    from Li Zhijian.
> >>>
> >>> 2) Fix conntrack_dump_flush return values, from Guan Jing.
> >>>
> >>> 3) syzbot found that ipset's bitmap type does not properly checks for
> >>>    bitmap's first ip, from Jeongjun Park.
> >>>
> >>> Please, pull these changes from:
> >>>
> >>>   git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-11-14
> >>
> >> Almost over the air collision, I just sent the net PR for -rc8. Do any
> >> of the above fixes have a strong need to land into 6.12?
> > 
> > selftests fixes are trivial.
> > 
> > ipset fix would be good to have.
> > 
> > But if this is pushing things too much too the limit on your side,
> > then skip.
> 
> I would need to take back the already shared net PR. I prefer to avoid
> such a thing to avoid confusion with the process, especially for non
> critical stuff.

We can wait, thanks.

> It looks like the ipset fix addresses a quite ancient issue, I
> guess/hope it's not extremely critical.