From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 20/65] netfilter: nf_tables: fix destination register zeroing
Date: Tue, 8 Sep 2020 17:26:05 +0200 [thread overview]
Message-ID: <20200908152218.074374714@linuxfoundation.org> (raw)
In-Reply-To: <20200908152217.022816723@linuxfoundation.org>
From: Florian Westphal <fw@strlen.de>
[ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ]
Following bug was reported via irc:
nft list ruleset
set knock_candidates_ipv4 {
type ipv4_addr . inet_service
size 65535
elements = { 127.0.0.1 . 123,
127.0.0.1 . 123 }
}
..
udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
It should not have been possible to add a duplicate set entry.
After some debugging it turned out that the problem is the immediate
value (123) in the second-to-last rule.
Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
not 6 and it turns out the kernel inserted
inet firewall @knock_candidates_ipv4
element 0100007f ffff7b00 : 0 [end]
element 0100007f 00007b00 : 0 [end]
Note the non-zero upper bits of the first element. It turns out that
nft_immediate doesn't zero the destination register, but this is needed
when the length isn't a multiple of 4.
Furthermore, the zeroing in nft_payload is broken. We can't use
[len / 4] = 0 -- if len is a multiple of 4, index is off by one.
Skip zeroing in this case and use a conditional instead of (len -1) / 4.
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_payload.c | 4 +++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index a9704c57430db..3107895115c25 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -136,6 +136,8 @@ static inline u8 nft_reg_load8(u32 *sreg)
static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
unsigned int len)
{
+ if (len % NFT_REG32_SIZE)
+ dst[len / NFT_REG32_SIZE] = 0;
memcpy(dst, src, len);
}
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 19446a89a2a81..b1a9f330a51fe 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -79,7 +79,9 @@ static void nft_payload_eval(const struct nft_expr *expr,
u32 *dest = ®s->data[priv->dreg];
int offset;
- dest[priv->len / NFT_REG32_SIZE] = 0;
+ if (priv->len % NFT_REG32_SIZE)
+ dest[priv->len / NFT_REG32_SIZE] = 0;
+
switch (priv->base) {
case NFT_PAYLOAD_LL_HEADER:
if (!skb_mac_header_was_set(skb))
--
2.25.1
next prev parent reply other threads:[~2020-09-08 17:46 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 15:25 [PATCH 4.14 00/65] 4.14.197-rc1 review Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 01/65] HID: core: Correctly handle ReportSize being zero Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 02/65] HID: core: Sanitize event code and type when mapping input Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 03/65] perf record/stat: Explicitly call out event modifiers in the documentation Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 04/65] drm/msm: add shutdown support for display platform_driver Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 05/65] hwmon: (applesmc) check status earlier Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 06/65] nvmet: Disable keep-alive timer when kato is cleared to 0h Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 07/65] ceph: dont allow setlease on cephfs Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 08/65] cpuidle: Fixup IRQ state Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 09/65] s390: dont trace preemption in percpu macros Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 10/65] xen/xenbus: Fix granting of vmallocd memory Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 11/65] dmaengine: of-dma: Fix of_dma_router_xlates of_dma_xlate handling Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 12/65] batman-adv: Avoid uninitialized chaddr when handling DHCP Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 13/65] batman-adv: Fix own OGM check in aggregated OGMs Greg Kroah-Hartman
2020-09-08 15:25 ` [PATCH 4.14 14/65] batman-adv: bla: use netif_rx_ni when not in interrupt context Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 15/65] dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 16/65] MIPS: mm: BMIPS5000 has inclusive physical caches Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 17/65] MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 18/65] netfilter: nf_tables: add NFTA_SET_USERDATA if not null Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 19/65] netfilter: nf_tables: incorrect enum nft_list_attributes definition Greg Kroah-Hartman
2020-09-08 15:26 ` Greg Kroah-Hartman [this message]
2020-09-08 15:26 ` [PATCH 4.14 21/65] net: hns: Fix memleak in hns_nic_dev_probe Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 22/65] net: systemport: Fix memleak in bcm_sysport_probe Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 23/65] ravb: Fixed to be able to unload modules Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 24/65] net: arc_emac: Fix memleak in arc_mdio_probe Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 25/65] dmaengine: pl330: Fix burst length if burst size is smaller than bus width Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 26/65] gtp: add GTPA_LINK info to msg sent to userspace Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 27/65] bnxt_en: Check for zero dir entries in NVRAM Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 28/65] bnxt_en: Fix PCI AER error recovery flow Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 29/65] nvmet-fc: Fix a missed _irqsave version of spin_lock in nvmet_fc_fod_op_done() Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 30/65] perf tools: Correct SNOOPX field offset Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 31/65] net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 32/65] fix regression in "epoll: Keep a reference on files added to the check list" Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 33/65] drm/radeon: Prefer lower feedback dividers Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 34/65] tg3: Fix soft lockup when tg3_reset_task() fails Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 35/65] iommu/vt-d: Serialize IOMMU GCMD register modifications Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 36/65] thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 37/65] include/linux/log2.h: add missing () around n in roundup_pow_of_two() Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 38/65] btrfs: drop path before adding new uuid tree entry Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 39/65] btrfs: Remove redundant extent_buffer_get in get_old_root Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 40/65] btrfs: Remove extraneous extent_buffer_get from tree_mod_log_rewind Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 41/65] btrfs: set the lockdep class for log tree extent buffers Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 42/65] uaccess: Add non-pagefault user-space read functions Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 43/65] uaccess: Add non-pagefault user-space write function Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 44/65] btrfs: fix potential deadlock in the search ioctl Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 45/65] net: usb: qmi_wwan: add Telit 0x1050 composition Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 46/65] usb: qmi_wwan: add D-Link DWM-222 A2 device ID Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 47/65] ALSA: ca0106: fix error code handling Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 48/65] ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 49/65] ALSA: hda/hdmi: always check pin power status in i915 pin fixup Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 50/65] ALSA: firewire-digi00x: exclude Avid Adrenaline from detection Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 51/65] affs: fix basic permission bits to actually work Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 52/65] block: allow for_each_bvec to support zero len bvec Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 53/65] block: Move SECTOR_SIZE and SECTOR_SHIFT definitions into <linux/blkdev.h> Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 54/65] libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 55/65] dm cache metadata: Avoid returning cmd->bm wild pointer on error Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 56/65] dm thin " Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 57/65] mm: slub: fix conversion of freelist_corrupted() Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 58/65] KVM: arm64: Add kvm_extable for vaxorcism code Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 59/65] KVM: arm64: Defer guest entry when an asynchronous exception is pending Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 60/65] KVM: arm64: Survive synchronous exceptions caused by AT instructions Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 61/65] KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous exception Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 62/65] checkpatch: fix the usage of capture group ( ... ) Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 63/65] mm/hugetlb: fix a race between hugetlb sysctl handlers Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 64/65] cfg80211: regulatory: reject invalid hints Greg Kroah-Hartman
2020-09-08 15:26 ` [PATCH 4.14 65/65] net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() Greg Kroah-Hartman
2020-09-09 1:47 ` [PATCH 4.14 00/65] 4.14.197-rc1 review Shuah Khan
2020-09-09 7:03 ` Jon Hunter
2020-09-09 8:19 ` Naresh Kamboju
2020-09-09 16:39 ` Guenter Roeck
2020-09-09 16:39 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200908152218.074374714@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).