From 172ac2015d5335abf15869d5b7947da97c2f512a Mon Sep 17 00:00:00 2001
From: zhang-hao-jon
Date: Tue, 21 Mar 2023 20:15:14 +0800
Subject: [PATCH] nftables:fix some pathces from commity
---
 ...aluate-allow-implicit-ether-vlan-dep.patch | 34 ++++++++++
 ...rtion-in-binary-operation-evaluation.patch | 36 +++++++++++
 ...atatype-memleak-after-binop-transfer.patch | 37 +++++++++++
 ...-cache-and-set-handle-initialization.patch | 62 +++++++++++++++++++
 ...nary-operation-to-non-anonymous-sets.patch | 43 +++++++++++++
 ...nearize-fix-timeout-with-map-updates.patch | 57 +++++++++++++++++
 ...ot-kill-dependency-for-proto_unknown.patch | 50 +++++++++++++++
 nftables.spec | 22 ++++++-
 8 files changed, 340 insertions(+), 1 deletion(-)
 create mode 100644 backport-evaluate-allow-implicit-ether-vlan-dep.patch
 create mode 100644 backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
 create mode 100644 backport-evaluate-datatype-memleak-after-binop-transfer.patch
 create mode 100644 backport-monitor-missing-cache-and-set-handle-initialization.patch
 create mode 100644 backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
 create mode 100644 backport-netlink_linearize-fix-timeout-with-map-updates.patch
 create mode 100644 backport-payload-do-not-kill-dependency-for-proto_unknown.patch
diff --git a/backport-evaluate-allow-implicit-ether-vlan-dep.patch b/backport-evaluate-allow-implicit-ether-vlan-dep.patch
new file mode 100644
index 0000000..3849676
--- /dev/null
+++ b/backport-evaluate-allow-implicit-ether-vlan-dep.patch
@@ -0,0 +1,34 @@
+From c3afb1d8865a724c03ea1008c82ad18a781ed043 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 11 Aug 2022 09:10:55 +0200
+Subject: [PATCH] evaluate: allow implicit ether -> vlan dep
+
+nft add rule inet filter input vlan id 2
+Error: conflicting protocols specified: ether vs. vlan
+
+Refresh the current dependency after superseding the dummy
+dependency to make this work.
+
+Conflict: The content of the patch has not been changed, the patch context does not match, it is suitable for the patch
+Reference: https://git.netfilter.org/nftables/commit?id=c3afb1d8865a724c03ea1008c82ad18a781ed043
+
+Signed-off-by: Florian Westphal
+---
+ src/evaluate.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index e6bb07a..76867a7 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -654,6 +654,7 @@ static int resolve_protocol_conflict(struct eval_ctx *ctx,
+ if (err < 0)
+ return err;
+
++ desc = payload->payload.desc;
+ rule_stmt_insert_at(ctx->rule, nstmt, ctx->stmt);
+ }
+
+--
+2.33.0
+
diff --git a/backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch b/backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
new file mode 100644
index 0000000..8f1296c
--- /dev/null
+++ b/backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
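Review bot: The `Conflict:` line in this backport's header is hard to read ("The content of the patch has not been changed, the patch context does not match, it is suitable for the patch"), and these header lines are the provenance record a reviewer uses to check the backport against upstream c3afb1d8865a724c03ea1008c82ad18a781ed043, so they should state plainly what was adapted. Suggested wording: `Conflict: patch content unchanged; only the hunk context differs from the packaged tree, so it applies with an offset` — adjust if the context lines were actually edited rather than merely offset. The sibling backports use the shorter `Conflict: NA` and `Conflict: Remove supplementary test cases` forms, which are clearer and worth matching.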
@@ -0,0 +1,36 @@
+From 77bd7e0c70d9a1914c4a853e09849af724c0f695 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 5 Oct 2022 01:36:44 +0200
+Subject: [PATCH] evaluate: bogus datatype assertion in binary operation
+ evaluation
+
+Use datatype_equal(), otherwise dynamically allocated datatype fails
+to fulfill the datatype pointer check, triggering the assertion:
+
+ nft: evaluate.c:1249: expr_evaluate_binop: Assertion `expr_basetype(left) == expr_basetype(right)' failed.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=77bd7e0c70d9a1914c4a853e09849af724c0f695
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1636
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index f1f4926..a4047dc 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1215,7 +1215,7 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr)
+ sym, expr_name(right));
+
+ /* The grammar guarantees this */
+- assert(expr_basetype(left) == expr_basetype(right));
++ assert(datatype_equal(expr_basetype(left), expr_basetype(right)));
+
+ switch (op->op) {
+ case OP_LSHIFT:
+--
+2.33.0
+
diff --git a/backport-evaluate-datatype-memleak-after-binop-transfer.patch b/backport-evaluate-datatype-memleak-after-binop-transfer.patch
new file mode 100644
index 0000000..19ee937
--- /dev/null
+++ b/backport-evaluate-datatype-memleak-after-binop-transfer.patch
@@ -0,0 +1,37 @@
+From e780df8fcceeb5b8fbcbd5d965bb07124ed7da2d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 5 Oct 2022 01:36:52 +0200
+Subject: [PATCH] evaluate: datatype memleak after binop transfer
+
+The following ruleset:
+
+ ip version vmap { 4 : jump t3, 6 : jump t4 }
+
+results in a memleak.
+
+expr_evaluate_shift() overrides the datatype which results in a datatype
+memleak after the binop transfer that triggers a left-shift of the
+constant (in the map).
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=e780df8fcceeb5b8fbcbd5d965bb07124ed7da2d
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/evaluate.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 2e2b8df0..0bf6a0d1 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1189,7 +1189,6 @@ static int expr_evaluate_shift(struct eval_ctx *ctx, struct expr **expr)
+ if (byteorder_conversion(ctx, &op->right, BYTEORDER_HOST_ENDIAN) < 0)
+ return -1;
+
+- op->dtype = &integer_type;
+ op->byteorder = BYTEORDER_HOST_ENDIAN;
+ op->len = left->len;
+
+--
+2.23.0
diff --git a/backport-monitor-missing-cache-and-set-handle-initialization.patch b/backport-monitor-missing-cache-and-set-handle-initialization.patch
new file mode 100644
index 0000000..f7ea015
--- /dev/null
+++ b/backport-monitor-missing-cache-and-set-handle-initialization.patch
@@ -0,0 +1,62 @@
+From 4521732ebbf34573062d2cad2f74b98910ea1c5b Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 11 Nov 2022 11:07:28 +0100
+Subject: [PATCH] monitor: missing cache and set handle initialization
+
+This leads to a crash when adding stateful expressions to sets:
+
+netlink.c:928:38: runtime error: member access within null pointer of type 'struct nft_ctx'
+AddressSanitizer:DEADLYSIGNAL
+=================================================================
+==13781==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000d0 (pc 0x7fc96fc2b6b2 bp 0x7ffc0e26b080 sp 0x7ffc0e26b020 T0)
+==13781==The signal is caused by a READ memory access.
+==13781==Hint: address points to the zero page.
+ #0 0x7fc96fc2b6b2 in table_cache_find /home/pablo/devel/scm/git-netfilter/nftables/src/cache.c:456
+ #1 0x7fc96fd244d4 in netlink_parse_set_expr /home/pablo/devel/scm/git-netfilter/nftables/src/netlink_delinearize.c:1857
+ #2 0x7fc96fcf1b4d in netlink_delinearize_set /home/pablo/devel/scm/git-netfilter/nftables/src/netlink.c:928
+ #3 0x7fc96fd41966 in netlink_events_cache_addset /home/pablo/devel/scm/git-netfilter/nftables/src/monitor.c:649
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=4521732ebbf34573062d2cad2f74b98910ea1c5b
+
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/monitor.c | 2 ++
+ tests/monitor/testcases/map-expr.t | 6 ++++++
+ 2 files changed, 8 insertions(+)
+ create mode 100644 tests/monitor/testcases/map-expr.t
+
+diff --git a/src/monitor.c b/src/monitor.c
+index a6b30a18..4b55872b 100644
+--- a/src/monitor.c
++++ b/src/monitor.c
+@@ -428,6 +428,7 @@ static int netlink_events_setelem_cb(const struct nlmsghdr *nlh, int type,
+ * used by named sets, so use a dummy set.
+ */
+ dummyset = set_alloc(monh->loc);
++ handle_merge(&dummyset->handle, &set->handle);
+ dummyset->key = expr_clone(set->key);
+ if (set->data)
+ dummyset->data = expr_clone(set->data);
+@@ -643,6 +644,7 @@ static void netlink_events_cache_addset(struct netlink_mon_handler *monh,
+ memset(&set_tmpctx, 0, sizeof(set_tmpctx));
+ init_list_head(&set_tmpctx.list);
+ init_list_head(&msgs);
++ set_tmpctx.nft = monh->ctx->nft;
+ set_tmpctx.msgs = &msgs;
+
+ nls = netlink_set_alloc(nlh);
+diff --git a/tests/monitor/testcases/map-expr.t b/tests/monitor/testcases/map-expr.t
+new file mode 100644
+index 00000000..8729c0b4
+--- /dev/null
++++ b/tests/monitor/testcases/map-expr.t
+@@ -0,0 +1,6 @@
++# first the setup
++I add table ip t
++I add map ip t m { typeof meta day . meta hour : verdict; flags interval; counter; }
++O -
++J {"add": {"table": {"family": "ip", "name": "t", "handle": 0}}}
++J {"add": {"map": {"family": "ip", "name": "m", "table": "t", "type": ["day", "hour"], "handle": 0, "map": "verdict", "flags": ["interval"], "stmt": [{"counter": null}]}}}
+--
+2.23.0
diff --git a/backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch b/backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
new file mode 100644
index 0000000..3d97baf
--- /dev/null
+++ b/backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
@@ -0,0 +1,43 @@
+From 4dbfa17097512b6b88805299223f93e90a072ea6 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 12 Oct 2022 12:50:26 +0200
+Subject: [PATCH] netlink_delinearize: do not transfer binary operation to
+ non-anonymous sets
+
+Michael Braun says:
+
+This results for nft list ruleset in
+ nft: netlink_delinearize.c:1945: binop_adjust_one: Assertion `value->len >= binop->right->len' failed.
+
+This is due to binop_adjust_one setting value->len to left->len, which
+is shorther than right->len.
+
+Additionally, it does not seem correct to alter set elements from parsing a
+rule, so remove that part all together.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=4dbfa17097512b6b88805299223f93e90a072ea6
+
+Reported-by: Michael Braun
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/netlink_delinearize.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index 55bd0fd..ae6858d 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -2210,6 +2210,9 @@ static void __binop_adjust(const struct expr *binop, struct expr *right,
+ binop_adjust_one(binop, right, shift);
+ break;
+ case EXPR_SET_REF:
++ if (!set_is_anonymous(right->set->flags))
++ break;
++
+ list_for_each_entry(i, &right->set->init->expressions, list) {
+ switch (i->key->etype) {
+ case EXPR_VALUE:
+--
+2.33.0
+
diff --git a/backport-netlink_linearize-fix-timeout-with-map-updates.patch b/backport-netlink_linearize-fix-timeout-with-map-updates.patch
new file mode 100644
index 0000000..5c060dd
--- /dev/null
+++ b/backport-netlink_linearize-fix-timeout-with-map-updates.patch
@@ -0,0 +1,57 @@
+From 284c038ef4c69d042ef91272d90c143019ecea1f Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Mon, 12 Dec 2022 11:04:35 +0100
+Subject: [PATCH] netlink_linearize: fix timeout with map updates
+
+Map updates can use timeouts, just like with sets, but the
+linearization step did not pass this info to the kernel.
+
+meta l4proto tcp update @pinned { ip saddr . ct original proto-src timeout 90s : ip daddr . tcp dport
+
+Listing this won't show the "timeout 90s" because kernel never saw it to
+begin with.
+
+Also update evaluation step to reject a timeout that was set on
+the data part: Timeouts are only allowed for the key-value pair
+as a whole.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=284c038ef4c69d042ef91272d90c143019ecea1f
+
+Signed-off-by: Florian Westphal
+---
+ src/evaluate.c | 3 +++
+ src/netlink_linearize.c | 4 ++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index d0279e33..c04cb91d 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -3898,6 +3898,9 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt)
+ if (stmt->map.data->comment != NULL)
+ return expr_error(ctx->msgs, stmt->map.data,
+ "Data expression comments are not supported");
++ if (stmt->map.data->timeout > 0)
++ return expr_error(ctx->msgs, stmt->map.data,
++ "Data expression timeouts are not supported");
+
+ list_for_each_entry(this, &stmt->map.stmt_list, list) {
+ if (stmt_evaluate(ctx, this) < 0)
+diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
+index c8bbcb74..6de0a969 100644
+--- a/src/netlink_linearize.c
++++ b/src/netlink_linearize.c
+@@ -1520,6 +1520,10 @@ static void netlink_gen_map_stmt(struct netlink_linearize_ctx *ctx,
+ nftnl_expr_set_u32(nle, NFTNL_EXPR_DYNSET_SET_ID, set->handle.set_id);
+ nft_rule_add_expr(ctx, nle, &stmt->location);
+
++ if (stmt->map.key->timeout > 0)
++ nftnl_expr_set_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT,
++ stmt->map.key->timeout);
++
+ list_for_each_entry(this, &stmt->map.stmt_list, list)
+ num_stmts++;
+
+--
+2.23.0
diff --git a/backport-payload-do-not-kill-dependency-for-proto_unknown.patch b/backport-payload-do-not-kill-dependency-for-proto_unknown.patch
new file mode 100644
index 0000000..bcc7b32
--- /dev/null
+++ b/backport-payload-do-not-kill-dependency-for-proto_unknown.patch
@@ -0,0 +1,50 @@
+From c8a3c669499d169fef8c1e89b8d2d909e5ecd023 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 31 Oct 2022 11:35:31 +0100
+Subject: [PATCH] payload: do not kill dependency for proto_unknown
+
+Unsupported meta match on layer 4 protocol sets on protocol context to
+proto_unknown, handle anything coming after it as a raw expression in
+payload_expr_expand().
+
+Moreover, payload_dependency_kill() skips dependency removal if protocol
+is unknown, so raw payload expression leaves meta layer 4 protocol
+remains in place.
+
+Conflict: Remove supplementary test cases
+Reference: https://git.netfilter.org/nftables/commit?id=c8a3c669499d169fef8c1e89b8d2d909e5ecd023
+
+Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1641
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/payload.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/payload.c b/src/payload.c
+index 97b6071..ebd99c9 100644
+--- a/src/payload.c
++++ b/src/payload.c
+@@ -755,7 +755,8 @@ static bool payload_may_dependency_kill(struct payload_dep_ctx *ctx,
+ void payload_dependency_kill(struct payload_dep_ctx *ctx, struct expr *expr,
+ unsigned int family)
+ {
+- if (payload_dependency_exists(ctx, expr->payload.base) &&
++ if (expr->payload.desc != &proto_unknown &&
++ payload_dependency_exists(ctx, expr->payload.base) &&
+ payload_may_dependency_kill(ctx, family, expr))
+ payload_dependency_release(ctx);
+ }
+@@ -926,8 +927,9 @@ void payload_expr_expand(struct list_head *list, struct expr *expr,
+ assert(expr->etype == EXPR_PAYLOAD);
+
+ desc = ctx->protocol[expr->payload.base].desc;
+- if (desc == NULL)
++ if (desc == NULL || desc == &proto_unknown)
+ goto raw;
++
+ assert(desc->base == expr->payload.base);
+
+ for (i = 1; i < array_size(desc->templates); i++) {
+--
+2.33.0
+
diff --git a/nftables.spec b/nftables.spec
index 1e35832..ecab105 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.0
-Release: 6
+Release: 7
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
@@ -21,6 +21,14 @@ Patch8: backport-evaluate-string-prefix-expression-must-retain-original-
 Patch9: backport-libnftables-release-top-level-scope.patch
 Patch10: backport-dump-locations-expressions-only-if-set.patch
 
+Patch11: backport-evaluate-allow-implicit-ether-vlan-dep.patch
+Patch12: backport-evaluate-datatype-memleak-after-binop-transfer.patch
+Patch13: backport-evaluate-bogus-datatype-assertion-in-binary-operation-evaluation.patch
+Patch14: backport-netlink_delinearize-do-not-transfer-binary-operation-to-non-anonymous-sets.patch
+Patch15: backport-payload-do-not-kill-dependency-for-proto_unknown.patch
+Patch16: backport-monitor-missing-cache-and-set-handle-initialization.patch
+Patch17: backport-netlink_linearize-fix-timeout-with-map-updates.patch
+
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
 BuildRequires: chrpath
@@ -119,6 +127,18 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
+* Tue Mar 21 2023 zhanghao - 1:1.0.0-7
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:evaluate allow implicit ether vlan dep
+evaluate datatype memleak after binop transfer
+evaluate bogus datatype assertion in binary operation evaluation
+netlink delinearize do not transfer binary operation to non anonymous sets
+payload do not kill dependency for proto unknown
+monitor missing cache and set handle initialization
+netlink linearize fix timeout with map updates
+
 * Thu Dec 15 2022 huangyu - 1:1.0.0-6
 - Type:bugfix
 - ID:NA
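Review bot: The new %changelog entry uses `- CVE:NA` where the preceding 1:1.0.0-6 entry uses `- ID:NA`, so the field set differs between consecutive entries; keep `- ID:NA` for consistency, or carry both lines if the packaging template now asks for a CVE field. The Patch numbering also applies Patch12 (memleak, upstream e780df8fcceeb5b8fbcbd5d965bb07124ed7da2d) before Patch13 (datatype_equal assertion, upstream 77bd7e0c70d9a1914c4a853e09849af724c0f695) although upstream landed them in the opposite order and both hunks sit within a few dozen lines of each other in src/evaluate.c; they appear to apply with a line offset in the listed order, but numbering them in upstream order avoids depending on that. The DESC continuation lines are unprefixed free text, which breaks the one-bullet-per-line shape of the surrounding entries; one `- ` bullet per backported subject, or a single summary line, keeps the entry easy to parse.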