!54 nftables:fix some pathces from commity

From: @zhang-hao-jon Reviewed-by: @seuzw Signed-off-by: @seuzw
2023-03-24 06:35:56 +00:00 · 2023-03-24 06:35:56 +00:00 · 568f36fe17
commit 568f36fe17
parent 1e714e69a1 172ac2015d
8 changed files with 340 additions and 1 deletions
--- a/backport-evaluate-allow-implicit-ether-vlan-dep.patch
+++ b/backport-evaluate-allow-implicit-ether-vlan-dep.patch
@ -0,0 +1,34 @@
+From c3afb1d8865a724c03ea1008c82ad18a781ed043 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 11 Aug 2022 09:10:55 +0200
+Subject: [PATCH] evaluate: allow implicit ether -> vlan dep
+
+nft add rule inet filter input vlan id 2
+Error: conflicting protocols specified: ether vs. vlan
+
+Refresh the current dependency after superseding the dummy
+dependency to make this work.
+
+Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
+Reference: https://git.netfilter.org/nftables/commit?id=c3afb1d8865a724c03ea1008c82ad18a781ed043
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ src/evaluate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index e6bb07a..76867a7 100644
+--- a/src/evaluate.c
+++ b/src/evaluate.c
+@@ -654,6 +654,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
+ 		if (err < 0)
+ 			return err;
+ 
+		desc = payload->payload.desc;
+ 		rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
+ 	}
+ 
+-- 
+2.33.0
+
--- a/backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
+++ b/backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
@ -0,0 +1,36 @@
+From 77bd7e0c70d9a1914c4a853e09849af724c0f695 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 5 Oct 2022 01:36:44 +0200
+Subject: [PATCH] evaluate: bogus datatype assertion in binary operation
+ evaluation
+
+Use datatype_equal(), otherwise dynamically allocated datatype fails
+to fulfill the datatype pointer check, triggering the assertion:
+
+ nft: evaluate.c:1249: expr_evaluate_binop: Assertion `expr_basetype(left) == expr_basetype(right)' failed.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=77bd7e0c70d9a1914c4a853e09849af724c0f695
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1636
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index f1f4926..a4047dc 100644
+--- a/src/evaluate.c
+++ b/src/evaluate.c
+@@ -1215,7 +1215,7 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr)
+ 					 sym, expr_name(right));
+ 
+ 	/* The grammar guarantees this */
+-	assert(expr_basetype(left) == expr_basetype(right));
+	assert(datatype_equal(expr_basetype(left), expr_basetype(right)));
+ 
+ 	switch (op->op) {
+ 	case OP_LSHIFT:
+-- 
+2.33.0
+
--- a/backport-evaluate-datatype-memleak-after-binop-transfer.patch
+++ b/backport-evaluate-datatype-memleak-after-binop-transfer.patch
@ -0,0 +1,37 @@
+From e780df8fcceeb5b8fbcbd5d965bb07124ed7da2d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 5 Oct 2022 01:36:52 +0200
+Subject: [PATCH] evaluate: datatype memleak after binop transfer
+
+The following ruleset:
+
+	ip version vmap { 4 : jump t3, 6 : jump t4 }
+
+results in a memleak.
+
+expr_evaluate_shift() overrides the datatype which results in a datatype
+memleak after the binop transfer that triggers a left-shift of the
+constant (in the map).
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=e780df8fcceeb5b8fbcbd5d965bb07124ed7da2d
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/evaluate.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 2e2b8df0..0bf6a0d1 100644
+--- a/src/evaluate.c
+++ b/src/evaluate.c
+@@ -1189,7 +1189,6 @@ static int expr_evaluate_shift(struct eval_ctx *ctx, struct expr **expr)
+ 	if (byteorder_conversion(ctx, &op->right, BYTEORDER_HOST_ENDIAN) < 0)
+ 		return -1;
+ 
+-	op->dtype     = &integer_type;
+ 	op->byteorder = BYTEORDER_HOST_ENDIAN;
+ 	op->len       = left->len;
+ 
+-- 
+2.23.0
--- a/backport-monitor-missing-cache-and-set-handle-initialization.patch
+++ b/backport-monitor-missing-cache-and-set-handle-initialization.patch
@ -0,0 +1,62 @@
+From 4521732ebbf34573062d2cad2f74b98910ea1c5b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 11 Nov 2022 11:07:28 +0100
+Subject: [PATCH] monitor: missing cache and set handle initialization
+
+This leads to a crash when adding stateful expressions to sets:
+
+netlink.c:928:38: runtime error: member access within null pointer of type 'struct nft_ctx'
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==13781==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d0 (pc 0x7fc96fc2b6b2 bp 0x7ffc0e26b080 sp 0x7ffc0e26b020 T0)
+==13781==The signal is caused by a READ memory access.
+==13781==Hint: address points to the zero page.
+    #0 0x7fc96fc2b6b2 in table_cache_find /home/pablo/devel/scm/git-netfilter/nftables/src/cache.c:456
+    #1 0x7fc96fd244d4 in netlink_parse_set_expr /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_delinearize.c:1857
+    #2 0x7fc96fcf1b4d in netlink_delinearize_set /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:928
+    #3 0x7fc96fd41966 in netlink_events_cache_addset /home/pablo/devel/scm/git-netfilter/nftables/src/monitor.c:649
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=4521732ebbf34573062d2cad2f74b98910ea1c5b
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/monitor.c                      | 2 ++
+ tests/monitor/testcases/map-expr.t | 6 ++++++
+ 2 files changed, 8 insertions(+)
+ create mode 100644 tests/monitor/testcases/map-expr.t
+
+diff --git a/src/monitor.c b/src/monitor.c
+index a6b30a18..4b55872b 100644
+--- a/src/monitor.c
+++ b/src/monitor.c
+@@ -428,6 +428,7 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
+ 	 * used by named sets, so use a dummy set.
+ 	 */
+ 	dummyset = set_alloc(monh->loc);
+	handle_merge(&dummyset->handle, &set->handle);
+ 	dummyset->key = expr_clone(set->key);
+ 	if (set->data)
+ 		dummyset->data = expr_clone(set->data);
+@@ -643,6 +644,7 @@ static void netlink_events_cache_addset(struct netlink_mon_handler *monh,
+ 	memset(&set_tmpctx, 0, sizeof(set_tmpctx));
+ 	init_list_head(&set_tmpctx.list);
+ 	init_list_head(&msgs);
+	set_tmpctx.nft = monh->ctx->nft;
+ 	set_tmpctx.msgs = &msgs;
+ 
+ 	nls = netlink_set_alloc(nlh);
+diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t
+new file mode 100644
+index 00000000..8729c0b4
+--- /dev/null
+++ b/tests/monitor/testcases/map-expr.t
+@@ -0,0 +1,6 @@
+# first the setup
+I add table ip t
+I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; }
+O -
+J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
+J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}}
+-- 
+2.23.0
--- a/backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
+++ b/backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
@ -0,0 +1,43 @@
+From 4dbfa17097512b6b88805299223f93e90a072ea6 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 12 Oct 2022 12:50:26 +0200
+Subject: [PATCH] netlink_delinearize: do not transfer binary operation to
+ non-anonymous sets
+
+Michael Braun says:
+
+This results for nft list ruleset in
+  nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.
+
+This is due to binop_adjust_one setting value->len to left->len, which
+is shorther than right->len.
+
+Additionally, it does not seem correct to alter set elements from parsing a
+rule, so remove that part all together.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=4dbfa17097512b6b88805299223f93e90a072ea6
+
+Reported-by: Michael Braun <michael-dev@fami-braun.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/netlink_delinearize.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 55bd0fd..ae6858d 100644
+--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
+@@ -2210,6 +2210,9 @@ static void __binop_adjust(const struct expr *binop, struct expr *right,
+ 		binop_adjust_one(binop, right, shift);
+ 		break;
+ 	case EXPR_SET_REF:
+		if (!set_is_anonymous(right->set->flags))
+			break;
+
+ 		list_for_each_entry(i, &right->set->init->expressions, list) {
+ 			switch (i->key->etype) {
+ 			case EXPR_VALUE:
+-- 
+2.33.0
+
--- a/backport-netlink_linearize-fix-timeout-with-map-updates.patch
+++ b/backport-netlink_linearize-fix-timeout-with-map-updates.patch
@ -0,0 +1,57 @@
+From 284c038ef4c69d042ef91272d90c143019ecea1f Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 12 Dec 2022 11:04:35 +0100
+Subject: [PATCH] netlink_linearize: fix timeout with map updates
+
+Map updates can use timeouts, just like with sets, but the
+linearization step did not pass this info to the kernel.
+
+meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
+
+Listing this won't show the "timeout 90s" because kernel never saw it to
+begin with.
+
+Also update evaluation step to reject a timeout that was set on
+the data part: Timeouts are only allowed for the key-value pair
+as a whole.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=284c038ef4c69d042ef91272d90c143019ecea1f
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+---
+ src/evaluate.c          | 3 +++
+ src/netlink_linearize.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index d0279e33..c04cb91d 100644
+--- a/src/evaluate.c
+++ b/src/evaluate.c
+@@ -3898,6 +3898,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
+ 	if (stmt->map.data->comment != NULL)
+ 		return expr_error(ctx->msgs, stmt->map.data,
+ 				  "Data expression comments are not supported");
+	if (stmt->map.data->timeout > 0)
+		return expr_error(ctx->msgs, stmt->map.data,
+				  "Data expression timeouts are not supported");
+ 
+ 	list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ 		if (stmt_evaluate(ctx, this) < 0)
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index c8bbcb74..6de0a969 100644
+--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
+@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
+ 	nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+ 	nft_rule_add_expr(ctx, nle, &stmt->location);
+ 
+	if (stmt->map.key->timeout > 0)
+		nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
+				   stmt->map.key->timeout);
+
+ 	list_for_each_entry(this, &stmt->map.stmt_list, list)
+ 		num_stmts++;
+ 
+-- 
+2.23.0
--- a/backport-payload-do-not-kill-dependency-for-proto_unknown.patch
+++ b/backport-payload-do-not-kill-dependency-for-proto_unknown.patch
@ -0,0 +1,50 @@
+From c8a3c669499d169fef8c1e89b8d2d909e5ecd023 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 31 Oct 2022 11:35:31 +0100
+Subject: [PATCH] payload: do not kill dependency for proto_unknown
+
+Unsupported meta match on layer 4 protocol sets on protocol context to
+proto_unknown, handle anything coming after it as a raw expression in
+payload_expr_expand().
+
+Moreover, payload_dependency_kill() skips dependency removal if protocol
+is unknown, so raw payload expression leaves meta layer 4 protocol
+remains in place.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=c8a3c669499d169fef8c1e89b8d2d909e5ecd023
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/payload.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/payload.c b/src/payload.c
+index 97b6071..ebd99c9 100644
+--- a/src/payload.c
+++ b/src/payload.c
+@@ -755,7 +755,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ 			     unsigned int family)
+ {
+-	if (payload_dependency_exists(ctx, expr->payload.base) &&
+	if (expr->payload.desc != &proto_unknown &&
+	    payload_dependency_exists(ctx, expr->payload.base) &&
+ 	    payload_may_dependency_kill(ctx, family, expr))
+ 		payload_dependency_release(ctx);
+ }
+@@ -926,8 +927,9 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
+ 	assert(expr->etype == EXPR_PAYLOAD);
+ 
+ 	desc = ctx->protocol[expr->payload.base].desc;
+-	if (desc == NULL)
+	if (desc == NULL || desc == &proto_unknown)
+ 		goto raw;
+
+ 	assert(desc->base == expr->payload.base);
+ 
+ 	for (i = 1; i < array_size(desc->templates); i++) {
+-- 
+2.33.0
+
--- a/nftables.spec
+++ b/nftables.spec
@ -1,6 +1,6 @@
 Name:           nftables
 Version:        1.0.0
-Release:        6
+Release:        7
 Epoch:          1
 Summary:        A subsystem of the Linux kernel processing network data
 License:        GPLv2
@ -21,6 +21,14 @@ Patch8:         backport-evaluate-string-prefix-expression-must-retain-original-
 Patch9:         backport-libnftables-release-top-level-scope.patch
 Patch10:        backport-dump-locations-expressions-only-if-set.patch

+Patch11:        backport-evaluate-allow-implicit-ether-vlan-dep.patch
+Patch12:        backport-evaluate-datatype-memleak-after-binop-transfer.patch
+Patch13:        backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
+Patch14:        backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
+Patch15:        backport-payload-do-not-kill-dependency-for-proto_unknown.patch
+Patch16:        backport-monitor-missing-cache-and-set-handle-initialization.patch
+Patch17:        backport-netlink_linearize-fix-timeout-with-map-updates.patch
+
 BuildRequires:  gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires:  iptables-devel jansson-devel python3-devel
 BuildRequires:  chrpath
@ -119,6 +127,18 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/

 %changelog
+* Tue Mar 21 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:evaluate allow implicit ether vlan dep
+evaluate datatype memleak after binop transfer
+evaluate bogus datatype assertion in binary operation evaluation
+netlink delinearize do not transfer binary operation to non anonymous sets
+payload do not kill dependency for proto unknown
+monitor missing cache and set handle initialization
+netlink linearize fix timeout with map updates
+
 * Thu Dec 15 2022 huangyu <huangyu106@huawei.com> - 1:1.0.0-6
 - Type:bugfix
 - ID:NA