!57 [sync] PR-56: nftables: fix some patches from commity

From: @openeuler-sync-bot Reviewed-by: @seuzw Signed-off-by: @seuzw
2023-04-06 07:41:12 +00:00 · 2023-04-06 07:41:12 +00:00 · c5ea13ed97
commit c5ea13ed97
parent 568f36fe17 dba9b0e264
5 changed files with 172 additions and 1 deletions
--- a/backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
+++ b/backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
@ -0,0 +1,39 @@
+From 0fe79458cb5ae36d838f0e5a5dc5cc6f332cac03 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 22 Dec 2022 11:23:00 +0100
+Subject: [PATCH] evaluate: fix shift exponent underflow in concatenation
+ evaluation
+
+There is an underflow of the index that iterates over the concatenation:
+
+../include/datatype.h:292:15: runtime error: shift exponent 4294967290 is too large for 32-bit type 'unsigned int'
+
+set the datatype to invalid which is fine to evaluate a concatenation
+in a set/map statement.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=0fe79458cb5ae36d838f0e5a5dc5cc6f332cac03
+
+Update b8e1940aa190 ("tests: add a test case for map update from packet
+path with concat") so it does not need a workaround to work.
+
+---
+ src/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 37d0bff..36ce38b 100644
+--- a/src/evaluate.c
+++ b/src/evaluate.c
+@@ -1265,7 +1265,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
+ 						 "expecting %s",
+ 						 dtype->desc);
+ 
+-		if (dtype == NULL)
+		if (dtype == NULL || off == 0)
+ 			tmp = datatype_lookup(TYPE_INVALID);
+ 		else
+ 			tmp = concat_subtype_lookup(type, --off);
+-- 
+2.33.0
+
--- a/backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
+++ b/backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
@ -0,0 +1,48 @@
+From ef66f321e49b337c7e678bb90d6acb94f331dfc4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Wed, 11 Jan 2023 12:28:15 +0100
+Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path
+
+Have to free the basehook object before returning to caller.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=ef66f321e49b337c7e678bb90d6acb94f331dfc4
+
+Fixes: 4694f7230195b ("src: add support for base hook dumping")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ src/mnl.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 62b0b59c..46d86f0f 100644
+--- a/src/mnl.c
+++ b/src/mnl.c
+@@ -2217,16 +2217,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data)
+ 		struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
+ 		uint32_t type;
+ 
+-		if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
+		if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO],
+					  dump_nf_chain_info_cb, nested) < 0) {
+			basehook_free(hook);
+ 			return -1;
+		}
+ 
+ 		type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
+ 		if (type == NFNL_HOOK_TYPE_NFTABLES) {
+ 			struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {};
+ 			const char *tablename, *chainname;
+ 
+-			if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
+			if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC],
+						  dump_nf_attr_chain_cb,
+						  info) < 0) {
+				basehook_free(hook);
+ 				return -1;
+			}
+ 
+ 			tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]);
+ 			chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]);
+-- 
+2.23.0
--- a/backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
+++ b/backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
@ -0,0 +1,35 @@
+From 927d5674e7bf656428f97c54c9171006e8c3c75e Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 10 Jan 2023 22:36:58 +0100
+Subject: [PATCH] netlink: Fix for potential NULL-pointer deref
+
+If memory allocation fails, calloc() returns NULL which was not checked
+for. The code seems to expect zero array size though, so simply
+replacing this call by one of the x*calloc() ones won't work. So guard
+the call also by a check for 'len'.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=927d5674e7bf656428f97c54c9171006e8c3c75e
+
+Fixes: db0697ce7f602 ("src: support for flowtable listing")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+---
+ src/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 51de9c9c..efae1251 100644
+--- a/src/netlink.c
+++ b/src/netlink.c
+@@ -1790,7 +1790,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
+ 	while (dev_array[len])
+ 		len++;
+ 
+-	flowtable->dev_array = calloc(1, len * sizeof(char *));
+	if (len)
+		flowtable->dev_array = xmalloc(len * sizeof(char *));
+ 	for (i = 0; i < len; i++)
+ 		flowtable->dev_array[i] = xstrdup(dev_array[i]);
+ 
+-- 
+2.23.0
--- a/backport-owner-Fix-potential-array-out-of-bounds-access.patch
+++ b/backport-owner-Fix-potential-array-out-of-bounds-access.patch
@ -0,0 +1,35 @@
+From 9967911e3dabb32901617e81e56602af3b37287f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 21 Dec 2022 17:37:46 +0100
+Subject: [PATCH] owner: Fix potential array out of bounds access
+
+If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
+return 'sizeof(tmp)'. Using this value as index is illegal.
+
+Original update from Phil, for the conntrack-tools tree, which also has
+a copy of this function.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=9967911e3dabb32901617e81e56602af3b37287f
+
+Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ src/owner.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/owner.c b/src/owner.c
+index 2d98a2e9..20bed38b 100644
+--- a/src/owner.c
+++ b/src/owner.c
+@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
+ 			continue;
+ 
+ 		rl = readlink(procname, tmp, sizeof(tmp));
+-		if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
+		if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
+ 			continue;
+ 
+ 		tmp[rl] = 0;
+-- 
+2.23.0
--- a/nftables.spec
+++ b/nftables.spec
@ -1,6 +1,6 @@
 Name:           nftables
 Version:        1.0.0
-Release:        7
+Release:        8
 Epoch:          1
 Summary:        A subsystem of the Linux kernel processing network data
 License:        GPLv2
@ -29,6 +29,11 @@ Patch15:        backport-payload-do-not-kill-dependency-for-proto_unknown.patch
 Patch16:        backport-monitor-missing-cache-and-set-handle-initialization.patch
 Patch17:        backport-netlink_linearize-fix-timeout-with-map-updates.patch

+Patch18:        backport-owner-Fix-potential-array-out-of-bounds-access.patch
+Patch19:        backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
+Patch20:        backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
+Patch21:        backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
+
 BuildRequires:  gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires:  iptables-devel jansson-devel python3-devel
 BuildRequires:  chrpath
@ -127,6 +132,15 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/

 %changelog
+* Thu Apr 06 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-8
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:Fix potential array out of bounds access
+evaluate: fix shift exponent underflow in concatenation evaluation
+netlink: Fix for potential NULL-pointer deref
+mnl: dump_nf_hooks() leaks memory in error path
+
 * Tue Mar 21 2023 zhanghao <zhanghao383@huawei.com> - 1:1.0.0-7
 - Type:bugfix
 - CVE:NA