netfilter-devel.vger.kernel.org archive mirror
* Testing stable backports for netfilter
From: Harshit Mogalapalli @ 2024-06-10 18:21 UTC (permalink / raw)
  To: netfilter-devel, Pablo Neira Ayuso; +Cc: stable@vger.kernel.org, Vegard Nossum

Hello netfilter developers,

Do we have any tests that we could run before sending a stable backport in 
the netfilter/ subsystem to stable@vger?

Let us say we have a CVE fix which is only backported till 5.10.y but it 
is needed in 5.4.y and 4.19.y; the backport might be easy to make, 
just fixing some conflicts due to contextual changes or missing commits.

One question that comes to my mind is: did I test that particular code? 
Often testing that particular code is tough unless the reproducer is 
public. So I thought it would be good to learn about any netfilter test 
suite (set of tests) to run before sending a backport to a stable kernel, 
which might ensure we don't introduce regressions.

Thanks,
Harshit


* Re: Testing stable backports for netfilter
From: Pablo Neira Ayuso @ 2024-06-10 21:59 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: netfilter-devel, stable@vger.kernel.org, Vegard Nossum

On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
> Hello netfilter developers,
> 
> Do we have any tests that we could run before sending a stable backport in
> the netfilter/ subsystem to stable@vger?
> 
> Let us say we have a CVE fix which is only backported till 5.10.y but it is
> needed in 5.4.y and 4.19.y; the backport might be easy to make, just
> fixing some conflicts due to contextual changes or missing commits.

Which one in particular is missing?

> One question that comes to my mind is: did I test that particular code? Often
> testing that particular code is tough unless the reproducer is public. So I
> thought it would be good to learn about any netfilter test suite (set of
> tests) to run before sending a backport to a stable kernel, which might ensure
> we don't introduce regressions.

There is tests/shell under the nftables userspace tree; it also
detects the features that are available in your kernel.


* Re: Testing stable backports for netfilter
From: Harshit Mogalapalli @ 2024-06-11  5:58 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: netfilter-devel, stable@vger.kernel.org, Vegard Nossum

On 11/06/24 03:29, Pablo Neira Ayuso wrote:
> On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
>> Hello netfilter developers,
>>
>> Do we have any tests that we could run before sending a stable backport in
>> the netfilter/ subsystem to stable@vger?
>>
>> Let us say we have a CVE fix which is only backported till 5.10.y but it is
>> needed in 5.4.y and 4.19.y; the backport might be easy to make, just
>> fixing some conflicts due to contextual changes or missing commits.
> 
> Which one in particular is missing?

I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 
4.19.y trees.

lts-5.10  : v5.10.198  - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-5.15  : v5.15.132  - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-6.1   : v6.1.54    - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
mainline  : v6.6-rc1   - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write


> 
>> One question that comes to my mind is: did I test that particular code? Often
>> testing that particular code is tough unless the reproducer is public. So I
>> thought it would be good to learn about any netfilter test suite (set of
>> tests) to run before sending a backport to a stable kernel, which might ensure
>> we don't introduce regressions.
> 
> There is tests/shell under the nftables userspace tree; it also
> detects the features that are available in your kernel.
> 

Thanks a lot for sharing. Will try running these before sending any 
netfilter backports to stable.

Regards,
Harshit



* Re: Testing stable backports for netfilter
From: Pablo Neira Ayuso @ 2024-06-11  8:41 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: netfilter-devel, stable@vger.kernel.org, Vegard Nossum

On Tue, Jun 11, 2024 at 11:28:29AM +0530, Harshit Mogalapalli wrote:
> On 11/06/24 03:29, Pablo Neira Ayuso wrote:
> > On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
> > > Hello netfilter developers,
> > > 
> > > Do we have any tests that we could run before sending a stable backport in
> > > the netfilter/ subsystem to stable@vger?
> > > 
> > > Let us say we have a CVE fix which is only backported till 5.10.y but it is
> > > needed in 5.4.y and 4.19.y; the backport might be easy to make, just
> > > fixing some conflicts due to contextual changes or missing commits.
> > 
> > Which one in particular is missing?
> 
> I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 4.19.y
> trees.
> 
> lts-5.10  : v5.10.198  - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
> lts-5.15  : v5.15.132  - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> lts-6.1   : v6.1.54    - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> mainline  : v6.6-rc1   - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write

This information is incorrect.

This fix is already in 6.1 -stable.

commit d9ebfc0f21377690837ebbd119e679243e0099cc
Author: Florian Westphal <fw@strlen.de>
Date:   Tue Sep 5 23:13:56 2023 +0200

    netfilter: nftables: exthdr: fix 4-byte stack OOB write

    [ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]


* Re: Testing stable backports for netfilter
From: Vegard Nossum @ 2024-06-11  8:59 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Harshit Mogalapalli
  Cc: netfilter-devel, stable@vger.kernel.org


On 11/06/2024 10:41, Pablo Neira Ayuso wrote:
> On Tue, Jun 11, 2024 at 11:28:29AM +0530, Harshit Mogalapalli wrote:
>> On 11/06/24 03:29, Pablo Neira Ayuso wrote:
>>> On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
>>>> Hello netfilter developers,
>>>>
>>>> Do we have any tests that we could run before sending a stable backport in
>>>> the netfilter/ subsystem to stable@vger?
>>>>
>>>> Let us say we have a CVE fix which is only backported till 5.10.y but it is
>>>> needed in 5.4.y and 4.19.y; the backport might be easy to make, just
>>>> fixing some conflicts due to contextual changes or missing commits.
>>>
>>> Which one in particular is missing?
>>
>> I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 4.19.y
>> trees.
>>
>> lts-5.10  : v5.10.198  - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
>> lts-5.15  : v5.15.132  - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
>> lts-6.1   : v6.1.54    - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
>> mainline  : v6.6-rc1   - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
> This information is incorrect.
> 
> This fix is already in 6.1 -stable.
> 
> commit d9ebfc0f21377690837ebbd119e679243e0099cc
> Author: Florian Westphal <fw@strlen.de>
> Date:   Tue Sep 5 23:13:56 2023 +0200
> 
>      netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
>      [ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]

Right, it's in 6.1, 5.10, and 5.5 -- that's what the list above shows.

It still seems to be missing from 5.4 and 4.19.


Vegard


* Re: Testing stable backports for netfilter
From: Pablo Neira Ayuso @ 2024-06-11  9:00 UTC (permalink / raw)
  To: Harshit Mogalapalli
  Cc: netfilter-devel, stable@vger.kernel.org, Vegard Nossum

On Tue, Jun 11, 2024 at 10:41:22AM +0200, Pablo Neira Ayuso wrote:
> On Tue, Jun 11, 2024 at 11:28:29AM +0530, Harshit Mogalapalli wrote:
> > On 11/06/24 03:29, Pablo Neira Ayuso wrote:
> > > On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
> > > > Hello netfilter developers,
> > > > 
> > > > Do we have any tests that we could run before sending a stable backport in
> > > > the netfilter/ subsystem to stable@vger?
> > > > 
> > > > Let us say we have a CVE fix which is only backported till 5.10.y but it is
> > > > needed in 5.4.y and 4.19.y; the backport might be easy to make, just
> > > > fixing some conflicts due to contextual changes or missing commits.
> > > 
> > > Which one in particular is missing?
> > 
> > I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 4.19.y
> > trees.
> > 
> > lts-5.10  : v5.10.198  - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
> > lts-5.15  : v5.15.132  - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> > lts-6.1   : v6.1.54    - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> > mainline  : v6.6-rc1   - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
> This information is incorrect.
> 
> This fix is already in 6.1 -stable.

Ah, you refer to 4.19 and 5.4, that is correct.

I have just enqueued -stable backports, those are easy.

Thanks for reporting.

> commit d9ebfc0f21377690837ebbd119e679243e0099cc
> Author: Florian Westphal <fw@strlen.de>
> Date:   Tue Sep 5 23:13:56 2023 +0200
> 
>     netfilter: nftables: exthdr: fix 4-byte stack OOB write
> 
>     [ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]

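The confusion in the last three messages (is the fix in 6.1? which branches are still missing it?) is exactly the question a backporter has to answer before touching 5.4.y or 4.19.y. The following is an added example, not code from this thread or from the netfilter/nftables project, that answers it mechanically: a POSIX shell helper that searches each linux-stable branch for the "[ Upstream commit <sha> ]" line stable backports carry (visible in the 6.1 commit quoted above) and reports the first tag containing the backport. It assumes a clone of linux-stable with branch names such as linux-5.4.y and tags such as v5.10.198; the repository it runs against at the bottom is a throwaway one built inside the block with constructed commits, and only the upstream SHA and subject are the real ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the netfilter project): report which
# linux-stable branches already carry a given upstream fix. Stable backports
# keep a "[ Upstream commit <sha> ]" line in their message, so searching a
# branch's history for that line finds the backport even though the
# backport's own SHA differs from the mainline one.

# find_backport <repo> <branch> <upstream-sha>
# Prints "<branch> <first-tag-containing-it> <backport-sha>" and returns 0,
# or "<branch> MISSING" and returns 1.
find_backport() {
    _repo=$1; _branch=$2; _up=$3
    # take the oldest match, in case the fix was reverted and re-applied
    _sha=$(git -C "$_repo" log --format=%H --grep="Upstream commit $_up" \
            "$_branch" -- 2>/dev/null | tail -n 1)
    if [ -z "$_sha" ]; then
        printf '%s MISSING\n' "$_branch"
        return 1
    fi
    # describe --contains yields e.g. v5.10.198~12 (or v5.10.198^0 for an
    # annotated tag); keep only the tag name
    _tag=$(git -C "$_repo" describe --contains --match 'v*' "$_sha" 2>/dev/null \
            | sed 's/[~^].*//')
    printf '%s %s %s\n' "$_branch" "${_tag:-untagged}" \
        "$(git -C "$_repo" rev-parse --short=12 "$_sha")"
}

# check_branches <repo> <upstream-sha> <branch>...
# One line per branch; the return value is the number of branches still
# missing the fix, so 0 means "nothing left to backport".
check_branches() {
    _r=$1; _u=$2; shift 2
    _missing=0
    for _b in "$@"; do
        find_backport "$_r" "$_b" "$_u" || _missing=$((_missing + 1))
    done
    return $_missing
}

# make_demo_repo <dir>: throwaway repository standing in for linux-stable
# (constructed data). linux-5.10.y carries the backport, tagged v5.10.198;
# linux-5.4.y does not. Only the upstream SHA and subject are the real ones.
make_demo_repo() {
    _d=$1
    git init -q "$_d"
    git -C "$_d" symbolic-ref HEAD refs/heads/linux-5.4.y
    git -C "$_d" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m 'Linux 5.4.275'
    git -C "$_d" checkout -q -b linux-5.10.y
    git -C "$_d" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty \
        -m 'netfilter: nftables: exthdr: fix 4-byte stack OOB write' \
        -m '[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]'
    git -C "$_d" tag v5.10.198
    git -C "$_d" checkout -q linux-5.4.y
}

# Against a real clone this would be, for example:
#   check_branches ~/linux-stable fd94d9dadee58e09b49075240fe83423eb1dcd36 \
#       linux-4.19.y linux-5.4.y linux-5.10.y linux-5.15.y linux-6.1.y
demo=$(mktemp -d)
make_demo_repo "$demo"
check_branches "$demo" fd94d9dadee58e09b49075240fe83423eb1dcd36 \
    linux-5.10.y linux-5.4.y \
    || echo "$? branch(es) still need the backport"
rm -rf "$demo"
```

Matching on the upstream SHA rather than the subject line is deliberate: subjects get reworded or reused (a "v2" of a fix, a follow-up with the same title), while the upstream SHA is unique. A fix that was backported by hand without the trailer will still show up as MISSING, so treat the output as "not found", not as proof of absence, and confirm by reading the branch before sending a duplicate.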
