[PATCH net 0/2] Netfilter fixes for net

[PATCH net 0/2] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains two Netfilter fixes for net:

Patch #1 fixes CONFIG_SYSCTL=n for a patch coming in the previous PR
	 to move the sysctl toggle to enable SRv6 netfilter hooks from
	 nf_conntrack to the core, from Jianguo Wu.

Patch #2 fixes a possible pointer leak to userspace due to insufficient
	 validation of NFT_DATA_VALUE.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-06-27

Thanks.

----------------------------------------------------------------

The following changes since commit 058722ee350c0bdd664e467156feb2bf5d9cc271:

  net: usb: ax88179_178a: improve link status logs (2024-06-24 10:15:09 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-06-27

for you to fetch changes up to 7931d32955e09d0a11b1fe0b6aac1bfa061c005c:

  netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers (2024-06-27 01:09:51 +0200)

----------------------------------------------------------------
netfilter pull request 24-06-27

----------------------------------------------------------------
Jianguo Wu (1):
      netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n

Pablo Neira Ayuso (1):
      netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

 include/net/netfilter/nf_tables.h | 5 +++++
 net/netfilter/nf_hooks_lwtunnel.c | 3 +++
 net/netfilter/nf_tables_api.c     | 8 ++++----
 net/netfilter/nft_lookup.c        | 3 ++-
 4 files changed, 14 insertions(+), 5 deletions(-)

[PATCH net 1/2] netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n

[Pablo Neira Ayuso]

From: Jianguo Wu <wujianguo@chinatelecom.cn>

if CONFIG_SYSFS is not enabled in config, we get the below compile error,

All errors (new ones prefixed by >>):

   csky-linux-ld: net/netfilter/core.o: in function `netfilter_init':
   core.c:(.init.text+0x42): undefined reference to `netfilter_lwtunnel_init'
>> csky-linux-ld: core.c:(.init.text+0x56): undefined reference to `netfilter_lwtunnel_fini'
>> csky-linux-ld: core.c:(.init.text+0x70): undefined reference to `netfilter_lwtunnel_init'
   csky-linux-ld: core.c:(.init.text+0x78): undefined reference to `netfilter_lwtunnel_fini'

Fixes: a2225e0250c5 ("netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core")
Reported-by: Mirsad Todorovac <mtodorovac69@gmail.com>
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202406210511.8vbByYj3-lkp@intel.com/
Closes: https://lore.kernel.org/oe-kbuild-all/202406210520.6HmrUaA2-lkp@intel.com/
Signed-off-by: Jianguo Wu <wujianguo@chinatelecom.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_hooks_lwtunnel.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nf_hooks_lwtunnel.c b/net/netfilter/nf_hooks_lwtunnel.c
index 7cdb59bb4459..d8ebebc9775d 100644
--- a/net/netfilter/nf_hooks_lwtunnel.c
+++ b/net/netfilter/nf_hooks_lwtunnel.c
@@ -117,4 +117,7 @@ void netfilter_lwtunnel_fini(void)
 {
 	unregister_pernet_subsys(&nf_lwtunnel_net_ops);
 }
+#else
+int __init netfilter_lwtunnel_init(void) { return 0; }
+void netfilter_lwtunnel_fini(void) {}
 #endif /* CONFIG_SYSCTL */
-- 
2.30.2

Re: [PATCH net 1/2] netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 27 Jun 2024 01:38:44 +0200 you wrote:
> From: Jianguo Wu <wujianguo@chinatelecom.cn>
> 
> if CONFIG_SYSFS is not enabled in config, we get the below compile error,
> 
> All errors (new ones prefixed by >>):
> 
>    csky-linux-ld: net/netfilter/core.o: in function `netfilter_init':
>    core.c:(.init.text+0x42): undefined reference to `netfilter_lwtunnel_init'
> >> csky-linux-ld: core.c:(.init.text+0x56): undefined reference to `netfilter_lwtunnel_fini'
> >> csky-linux-ld: core.c:(.init.text+0x70): undefined reference to `netfilter_lwtunnel_init'
>    csky-linux-ld: core.c:(.init.text+0x78): undefined reference to `netfilter_lwtunnel_fini'
> 
> [...]

Here is the summary with links:
  - [net,1/2] netfilter: fix undefined reference to 'netfilter_lwtunnel_*' when CONFIG_SYSCTL=n
    https://git.kernel.org/netdev/net/c/aef5daa2c49d
  - [net,2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers
    https://git.kernel.org/netdev/net/c/7931d32955e0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Pablo Neira Ayuso]

register store validation for NFT_DATA_VALUE is conditional, however,
the datatype is always either NFT_DATA_VALUE or NFT_DATA_VERDICT. This
only requires a new helper function to infer the register type from the
set datatype so this conditional check can be removed. Otherwise,
pointer to chain object can be leaked through the registers.

Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables.h | 5 +++++
 net/netfilter/nf_tables_api.c     | 8 ++++----
 net/netfilter/nft_lookup.c        | 3 ++-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 2796153b03da..188d41da1a40 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -619,6 +619,11 @@ static inline void *nft_set_priv(const struct nft_set *set)
 	return (void *)set->data;
 }
 
+static inline enum nft_data_types nft_set_datatype(const struct nft_set *set)
+{
+	return set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE;
+}
+
 static inline bool nft_set_gc_is_pending(const struct nft_set *s)
 {
 	return refcount_read(&s->refs) != 1;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index be3b4c90d2ed..e8dcf41d360d 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5740,8 +5740,7 @@ static int nf_tables_fill_setelem(struct sk_buff *skb,
 
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA) &&
 	    nft_data_dump(skb, NFTA_SET_ELEM_DATA, nft_set_ext_data(ext),
-			  set->dtype == NFT_DATA_VERDICT ? NFT_DATA_VERDICT : NFT_DATA_VALUE,
-			  set->dlen) < 0)
+			  nft_set_datatype(set), set->dlen) < 0)
 		goto nla_put_failure;
 
 	if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPRESSIONS) &&
@@ -11073,6 +11072,9 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
 
 		return 0;
 	default:
+		if (type != NFT_DATA_VALUE)
+			return -EINVAL;
+
 		if (reg < NFT_REG_1 * NFT_REG_SIZE / NFT_REG32_SIZE)
 			return -EINVAL;
 		if (len == 0)
@@ -11081,8 +11083,6 @@ static int nft_validate_register_store(const struct nft_ctx *ctx,
 		    sizeof_field(struct nft_regs, data))
 			return -ERANGE;
 
-		if (data != NULL && type != NFT_DATA_VALUE)
-			return -EINVAL;
 		return 0;
 	}
 }
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index b314ca728a29..f3080fa1b226 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -132,7 +132,8 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
 			return -EINVAL;
 
 		err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
-					       &priv->dreg, NULL, set->dtype,
+					       &priv->dreg, NULL,
+					       nft_set_datatype(set),
 					       set->dlen);
 		if (err < 0)
 			return err;
-- 
2.30.2

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Linus Torvalds]

On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
>
> Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>

Oh, I was only the messenger boy, not the actual reporter.

I think reporting credit should probably go to HexRabbit Chen
<hexrabbit@devco.re>

           Linus

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Pablo Neira Ayuso]

On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> >
> > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> 
> Oh, I was only the messenger boy, not the actual reporter.
> 
> I think reporting credit should probably go to HexRabbit Chen
> <hexrabbit@devco.re>

I would not have really know if you don't tell me TBH, else it would
have taken even longer for me to react and fix it. Because they did
not really contact me to report this issue this time.

But if you insist, I will do so.

Thanks.

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Paolo Abeni]

Hi,
On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > 
> > > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > 
> > Oh, I was only the messenger boy, not the actual reporter.
> > 
> > I think reporting credit should probably go to HexRabbit Chen
> > <hexrabbit@devco.re>
> 
> I would not have really know if you don't tell me TBH, else it would
> have taken even longer for me to react and fix it. Because they did
> not really contact me to report this issue this time.
> 
> But if you insist, I will do so.

I'm sorry for the late reply.

I guess the most fair option would be adding both tags. 

With a repost, this will not make it into todays PR, I hope it's not a
problem.

Thanks,

Paolo

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Pablo Neira Ayuso]

On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> Hi,
> On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > 
> > > > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > > 
> > > Oh, I was only the messenger boy, not the actual reporter.
> > > 
> > > I think reporting credit should probably go to HexRabbit Chen
> > > <hexrabbit@devco.re>
> > 
> > I would not have really know if you don't tell me TBH, else it would
> > have taken even longer for me to react and fix it. Because they did
> > not really contact me to report this issue this time.
> > 
> > But if you insist, I will do so.
> 
> I'm sorry for the late reply.
> 
> I guess the most fair option would be adding both tags. 
> 
> With a repost, this will not make it into todays PR, I hope it's not a
> problem.

It is a addressing a public issue, the reporter decided to follow a
different channel other than security@ for whatever reason.

I'd prefer if you can take it in this round.

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Paolo Abeni]

On Thu, 2024-06-27 at 12:29 +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> > On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > > 
> > > > > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > > > 
> > > > Oh, I was only the messenger boy, not the actual reporter.
> > > > 
> > > > I think reporting credit should probably go to HexRabbit Chen
> > > > <hexrabbit@devco.re>
> > > 
> > > I would not have really know if you don't tell me TBH, else it would
> > > have taken even longer for me to react and fix it. Because they did
> > > not really contact me to report this issue this time.
> > > 
> > > But if you insist, I will do so.
> > 
> > I'm sorry for the late reply.
> > 
> > I guess the most fair option would be adding both tags. 
> > 
> > With a repost, this will not make it into todays PR, I hope it's not a
> > problem.
> 
> It is a addressing a public issue, the reporter decided to follow a
> different channel other than security@ for whatever reason.
> 
> I'd prefer if you can take it in this round.

Sure, we are still (barely ;) on time!

Thanks for the prompt feedback.

Paolo

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Pablo Neira Ayuso]

On Thu, Jun 27, 2024 at 12:37:59PM +0200, Paolo Abeni wrote:
> On Thu, 2024-06-27 at 12:29 +0200, Pablo Neira Ayuso wrote:
> > On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> > > On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > > > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > > > 
> > > > > > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > > > > 
> > > > > Oh, I was only the messenger boy, not the actual reporter.
> > > > > 
> > > > > I think reporting credit should probably go to HexRabbit Chen
> > > > > <hexrabbit@devco.re>
> > > > 
> > > > I would not have really know if you don't tell me TBH, else it would
> > > > have taken even longer for me to react and fix it. Because they did
> > > > not really contact me to report this issue this time.
> > > > 
> > > > But if you insist, I will do so.
> > > 
> > > I'm sorry for the late reply.
> > > 
> > > I guess the most fair option would be adding both tags. 
> > > 
> > > With a repost, this will not make it into todays PR, I hope it's not a
> > > problem.
> > 
> > It is a addressing a public issue, the reporter decided to follow a
> > different channel other than security@ for whatever reason.
> > 
> > I'd prefer if you can take it in this round.
> 
> Sure, we are still (barely ;) on time!
> 
> Thanks for the prompt feedback.

Thanks a lot Paolo!

Re: [PATCH net 2/2] netfilter: nf_tables: fully validate NFT_DATA_VALUE on store to data registers

[Pablo Neira Ayuso]

On Thu, Jun 27, 2024 at 12:29:20PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2024 at 12:26:49PM +0200, Paolo Abeni wrote:
> > Hi,
> > On Thu, 2024-06-27 at 03:13 +0200, Pablo Neira Ayuso wrote:
> > > On Wed, Jun 26, 2024 at 05:51:13PM -0700, Linus Torvalds wrote:
> > > > On Wed, 26 Jun 2024 at 16:38, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > > > > 
> > > > > Reported-by: Linus Torvalds <torvalds@linuxfoundation.org>
> > > > 
> > > > Oh, I was only the messenger boy, not the actual reporter.
> > > > 
> > > > I think reporting credit should probably go to HexRabbit Chen
> > > > <hexrabbit@devco.re>
> > > 
> > > I would not have really know if you don't tell me TBH, else it would
> > > have taken even longer for me to react and fix it. Because they did
> > > not really contact me to report this issue this time.
> > > 
> > > But if you insist, I will do so.
> > 
> > I'm sorry for the late reply.
> > 
> > I guess the most fair option would be adding both tags.

"Fair option" maybe sounds too strong in this case, that email which
reported this pointer leak to userspace through ZDI did not even
report this issue to us in first place...

Linus was so kind to attract my attention on this, I appreciate he
contacted me.

Could you append this text to the pull request message:

Linus found this pointer leak to userspace via zdi-disclosures@ and
forwarded the notice to Netfilter maintainers, he appears as reporter
because whoever found this issue never approached Netfilter
maintainers neither via security@ nor in private.

If still not acceptable, I am fine to send a new PR and miss this
round of fixes.

Thanks Paolo.

> > With a repost, this will not make it into todays PR, I hope it's not a
> > problem.
> 
> It is a addressing a public issue, the reporter decided to follow a
> different channel other than security@ for whatever reason.
> 
> I'd prefer if you can take it in this round.