* Request for stable 4.13.x inclusion: netfilter: nft_set_hash: disable fast_ops for 2-len keys
@ 2017-11-10 11:56 Thomas Deutschmann
From: Thomas Deutschmann @ 2017-11-10 11:56 UTC
To: stable@vger.kernel.org; +Cc: anatole, pablo
Hi,
please consider adding
> From 0414c78f14861cb704d6e6888efd53dd36e3bdde Mon Sep 17 00:00:00 2001
> From: Anatole Denis <anatole@rezel.net>
> Date: Wed, 4 Oct 2017 01:17:14 +0100
> Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys
>
> jhash_1word of a u16 is a different value from jhash of the same u16 with
> length 2.
> Since elements are always inserted in sets using jhash over the actual
> klen, this would lead to incorrect lookups on fixed-size sets with a key
> length of 2, as they would be inserted with hash value jhash(key, 2) and
> looked up with hash value jhash_1word(key), which is different.
>
> Example reproducer (v4.13+), using anonymous sets, which always have a
> fixed size:
>
> table inet t {
>     chain c {
>         type filter hook output priority 0; policy accept;
>         tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
>         tcp dport 10001 counter packets 4 bytes 240 reject
>         tcp dport 10003 counter packets 4 bytes 240 reject
>         tcp dport 10005 counter packets 4 bytes 240 reject
>         tcp dport 10007 counter packets 0 bytes 0 reject
>         tcp dport 10009 counter packets 4 bytes 240 reject
>     }
> }
>
> then use nc -z localhost <port> to probe; incorrectly hashed ports will
> pass through the set lookup and increment the counter of an individual
> rule.
>
> jhash being seeded with a random value, it is not deterministic which
> ports will incorrectly hash, but in testing with 5 ports in the set I
> always had 4 or 5 with an incorrect hash value.
>
> Signed-off-by: Anatole Denis <anatole@rezel.net>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit fixes a problem in 4.13+ with the latest >=nftables-0.8 release.
Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880145
Bug: https://bugs.gentoo.org/636968
--
Regards,
Thomas Deutschmann / Gentoo Linux Developer
C4DD 695F A713 8F24 2AA1 5638 5849 7EE5 1D5D 74A5
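The hash mismatch the commit message describes, as an added example that is not part of the thread or of the kernel's own code: both routines are transcribed from Linux's include/linux/jhash.h (short-key tail only), while the seed value, the use of the reproducer's port list, and the little-endian key layout are assumptions.

```c
/* Added example, not from the thread: the two jhash entry points the commit message compares,
 * transcribed from Linux include/linux/jhash.h (only the <=12-byte tail of jhash() is kept). */
#include <stdint.h>
#include <stdio.h>
#define JHASH_INITVAL 0xdeadbeef
static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }
#define __jhash_final(a, b, c) { c ^= b; c -= rol32(b, 14); a ^= c; a -= rol32(c, 11); \
    b ^= a; b -= rol32(a, 25); c ^= b; c -= rol32(b, 16); a ^= c; a -= rol32(c, 4);    \
    b ^= a; b -= rol32(a, 14); c ^= b; c -= rol32(b, 24); }
/* Generic path, used when an element is inserted: jhash() over the klen key bytes. */
static uint32_t jhash(const void *key, uint32_t length, uint32_t initval)
{
    const uint8_t *k = key; uint32_t a, b, c;
    a = b = c = JHASH_INITVAL + length + initval; /* the key length is folded into the state */
    switch (length) {
    case 4: a += (uint32_t)k[3] << 24; /* fall through */
    case 3: a += (uint32_t)k[2] << 16; /* fall through */
    case 2: a += (uint32_t)k[1] << 8;  /* fall through */
    case 1: a += k[0]; __jhash_final(a, b, c); /* fall through */
    case 0: break;
    }
    return c;
}
/* fast_ops path, used on lookup: jhash_1word() of the key read as a single u16/u32. */
static uint32_t jhash_1word(uint32_t a, uint32_t initval)
{
    uint32_t b = 0, c = 0;
    initval += JHASH_INITVAL + (1 << 2); /* always folds in a length of 4, whatever klen was */
    a += initval; b += initval; c += initval;
    __jhash_final(a, b, c); return c;
}
/* 1 if a port inserted with jhash(key, 2) is missed by a jhash_1word(*(u16 *)key) lookup. */
static int port_lookup_mismatch(uint16_t port, uint32_t seed)
{
    uint8_t k[2] = { port & 0xff, port >> 8 }; /* little-endian layout, as *(u16 *)key reads it */
    return jhash(k, 2, seed) != jhash_1word(k[0] | (uint32_t)k[1] << 8, seed);
}
/* Same check for a 4-byte key: both paths fold in length 4, so they always agree. */
static int word_lookup_mismatch(uint32_t w, uint32_t seed)
{
    uint8_t k[4] = { w & 0xff, (w >> 8) & 0xff, (w >> 16) & 0xff, w >> 24 };
    return jhash(k, 4, seed) != jhash_1word(w, seed);
}
int main(void) { /* ports from the reproducer; 0x5eed5eed is a constructed stand-in for the set's random seed */
    const uint16_t ports[] = { 10001, 10003, 10005, 10007, 10009 };
    for (int i = 0; i < 5; i++)
        printf("port %u: hash mismatch=%d\n", ports[i], port_lookup_mismatch(ports[i], 0x5eed5eed));
    return word_lookup_mismatch(0x0a0b0c0d, 0x5eed5eed); /* exit status 0: 4-byte keys agree */
}
```

The full 32-bit hashes differ for every 2-byte key; the reproducer only sees some ports slip through because the kernel reduces each hash to a bucket index, and two different hashes can still share a bucket.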
* Re: Request for stable 4.13.x inclusion: netfilter: nft_set_hash: disable fast_ops for 2-len keys
From: Greg KH @ 2017-11-10 12:03 UTC
To: Thomas Deutschmann; +Cc: stable@vger.kernel.org, anatole, pablo
On Fri, Nov 10, 2017 at 12:56:46PM +0100, Thomas Deutschmann wrote:
> Hi,
>
> please consider adding
>
> > From 0414c78f14861cb704d6e6888efd53dd36e3bdde Mon Sep 17 00:00:00 2001
Just added it 5 minutes ago :)
thanks,
greg k-h
* Re: Request for stable 4.13.x inclusion: netfilter: nft_set_hash: disable fast_ops for 2-len keys
From: Pablo Neira Ayuso @ 2017-11-13 12:03 UTC
To: Thomas Deutschmann; +Cc: stable@vger.kernel.org, anatole, netfilter-devel
On Fri, Nov 10, 2017 at 12:56:46PM +0100, Thomas Deutschmann wrote:
> Hi,
>
> please consider adding
>
> > From 0414c78f14861cb704d6e6888efd53dd36e3bdde Mon Sep 17 00:00:00 2001
[...]
> This commit fixes a problem in 4.13+ with the latest >=nftables-0.8 release.
>
> Bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=880145
> Bug: https://bugs.gentoo.org/636968
Already flying into -stable 4.13.
https://marc.info/?l=netfilter-devel&m=151031414718199&w=2
Thanks.