diff --git a/backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch b/backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
new file mode 100644
index 0000000000000000000000000000000000000000..66afa1b25c9b60a876a468ce56ec4414a0e7ef7a
--- /dev/null
+++ b/backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch
@@ -0,0 +1,39 @@
+From 0fe79458cb5ae36d838f0e5a5dc5cc6f332cac03 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 22 Dec 2022 11:23:00 +0100
+Subject: [PATCH] evaluate: fix shift exponent underflow in concatenation
+ evaluation
+
+There is an underflow of the index that iterates over the concatenation:
+
+../include/datatype.h:292:15: runtime error: shift exponent 4294967290 is too large for 32-bit type 'unsigned int'
+
+set the datatype to invalid which is fine to evaluate a concatenation
+in a set/map statement.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=0fe79458cb5ae36d838f0e5a5dc5cc6f332cac03
+
+Update b8e1940aa190 ("tests: add a test case for map update from packet
+path with concat") so it does not need a workaround to work.
+
+---
+ src/evaluate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/evaluate.c b/src/evaluate.c
+index 37d0bff..36ce38b 100644
+--- a/src/evaluate.c
++++ b/src/evaluate.c
+@@ -1265,7 +1265,7 @@ static int expr_evaluate_concat(struct eval_ctx *ctx, struct expr **expr)
+ "expecting %s",
+ dtype->desc);
+
+- if (dtype == NULL)
++ if (dtype == NULL || off == 0)
+ tmp = datatype_lookup(TYPE_INVALID);
+ else
+ tmp = concat_subtype_lookup(type, --off);
+--
+2.33.0
+
diff --git a/backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch b/backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
new file mode 100644
index 0000000000000000000000000000000000000000..919caeab2a5ade67f0d53160fe50b1170b7ed77a
--- /dev/null
+++ b/backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
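Review bot: The new `off == 0` test on the changed `if` line stops the `--off` wrap-around, but the hunk leaves no comment saying why a concatenation can carry more elements than the datatype has subtypes, or that such elements are deliberately typed TYPE_INVALID rather than rejected. Suggested comment above the condition: `/* off == 0: more elements than dtype has subtypes; --off would wrap and feed an out-of-range shift to concat_subtype_lookup() */`. Because `off` is only decremented on the else branch, once it reaches zero every later element (if this sits in the per-element loop, which the hunk does not show) takes the TYPE_INVALID path, which appears to be the intent. expr_evaluate_concat() starts and ends outside the hunk, so whether the element/subtype mismatch is reported to the user elsewhere cannot be checked here.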
@@ -0,0 +1,48 @@
+From ef66f321e49b337c7e678bb90d6acb94f331dfc4 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 11 Jan 2023 12:28:15 +0100
+Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path
+
+Have to free the basehook object before returning to caller.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=ef66f321e49b337c7e678bb90d6acb94f331dfc4
+
+Fixes: 4694f7230195b ("src: add support for base hook dumping")
+Signed-off-by: Phil Sutter
+---
+ src/mnl.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 62b0b59c..46d86f0f 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -2217,16 +2217,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data)
+ struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
+ uint32_t type;
+
+- if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
++ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO],
++ dump_nf_chain_info_cb, nested) < 0) {
++ basehook_free(hook);
+ return -1;
++ }
+
+ type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
+ if (type == NFNL_HOOK_TYPE_NFTABLES) {
+ struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {};
+ const char *tablename, *chainname;
+
+- if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
++ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC],
++ dump_nf_attr_chain_cb,
++ info) < 0) {
++ basehook_free(hook);
+ return -1;
++ }
+
+ tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]);
+ chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]);
+--
+2.23.0
diff --git a/backport-netlink-Fix-for-potential-NULL-pointer-deref.patch b/backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
new file mode 100644
index 0000000000000000000000000000000000000000..585081df02f45a9ea37ad1e773646cc8a08f3dc8
--- /dev/null
+++ b/backport-netlink-Fix-for-potential-NULL-pointer-deref.patch
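Review bot: The attribute reads on the context lines right after each new free — `mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE])` and `mnl_attr_get_str(info[NFNLA_CHAIN_TABLE])` / `info[NFNLA_CHAIN_NAME]` — are still made without checking that the attribute was present, so a kernel dump that omits one would hand a NULL slot of the zero-initialised `nested`/`info` arrays to libmnl, unless dump_nf_chain_info_cb() and dump_nf_attr_chain_cb() reject the omission, which the hunk does not show. If they do not, add `if (!nested[NFNLA_HOOK_INFO_TYPE]) { basehook_free(hook); return -1; }` before the `type = ntohl(...)` line and the matching check on the two `info[]` slots before the `tablename`/`chainname` assignments, mirroring the new cleanup. With several `basehook_free(hook); return -1;` copies now in one function, a single `goto err_free;` label would keep future error paths from reintroducing the leak. dump_nf_hooks() starts and ends outside the hunk, so any other early return after `hook` is allocated could not be checked.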
@@ -0,0 +1,35 @@
+From 927d5674e7bf656428f97c54c9171006e8c3c75e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 10 Jan 2023 22:36:58 +0100
+Subject: [PATCH] netlink: Fix for potential NULL-pointer deref
+
+If memory allocation fails, calloc() returns NULL which was not checked
+for. The code seems to expect zero array size though, so simply
+replacing this call by one of the x*calloc() ones won't work. So guard
+the call also by a check for 'len'.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=927d5674e7bf656428f97c54c9171006e8c3c75e
+
+Fixes: db0697ce7f602 ("src: support for flowtable listing")
+Signed-off-by: Phil Sutter
+---
+ src/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 51de9c9c..efae1251 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -1790,7 +1790,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
+ while (dev_array[len])
+ len++;
+
+- flowtable->dev_array = calloc(1, len * sizeof(char *));
++ if (len)
++ flowtable->dev_array = xmalloc(len * sizeof(char *));
+ for (i = 0; i < len; i++)
+ flowtable->dev_array[i] = xstrdup(dev_array[i]);
+
+--
+2.23.0
diff --git a/backport-owner-Fix-potential-array-out-of-bounds-access.patch b/backport-owner-Fix-potential-array-out-of-bounds-access.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c4181330f87c76e9a22cc128af8636b19512603
--- /dev/null
+++ b/backport-owner-Fix-potential-array-out-of-bounds-access.patch
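Review bot: With the new `if (len)` guard, `flowtable->dev_array` is no longer assigned at all when the device list is empty, whereas the replaced line always stored calloc()'s result; whether the field is then NULL or indeterminate depends on how `flowtable` was allocated before this hunk, which is not shown. If it is not zero-initialised, any later free() or indexing of `dev_array` is undefined behaviour, so make the empty case explicit in one line: `flowtable->dev_array = len ? xmalloc(len * sizeof(char *)) : NULL;`. Moving from calloc() to xmalloc() is safe only because the `for` loop fills every one of the `len` slots, which deserves a one-line comment above the allocation. netlink_delinearize_flowtable() starts and ends outside the hunk.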
@@ -0,0 +1,35 @@
+From 9967911e3dabb32901617e81e56602af3b37287f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 21 Dec 2022 17:37:46 +0100
+Subject: [PATCH] owner: Fix potential array out of bounds access
+
+If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
+return 'sizeof(tmp)'. Using this value as index is illegal.
+
+Original update from Phil, for the conntrack-tools tree, which also has
+a copy of this function.
+
+Conflict: NA
+Reference: https://git.netfilter.org/nftables/commit?id=9967911e3dabb32901617e81e56602af3b37287f
+
+Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
+Signed-off-by: Pablo Neira Ayuso
+---
+ src/owner.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/owner.c b/src/owner.c
+index 2d98a2e9..20bed38b 100644
+--- a/src/owner.c
++++ b/src/owner.c
+@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
+ continue;
+
+ rl = readlink(procname, tmp, sizeof(tmp));
+- if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
++ if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
+ continue;
+
+ tmp[rl] = 0;
+--
+2.23.0
diff --git a/nftables.spec b/nftables.spec
index ecab10581e03862456f0795218ece0e3a81cef40..0334f045c4d279e3f3587611ecea992373c8d330 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,6 +1,6 @@
 Name: nftables
 Version: 1.0.0
-Release: 7
+Release: 8
 Epoch: 1
 Summary: A subsystem of the Linux kernel processing network data
 License: GPLv2
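Review bot: The changed comparison `rl >= (ssize_t)sizeof(tmp)` is correct but undocumented: readlink() does not NUL-terminate and returns `sizeof(tmp)` when the target is truncated, so the following `tmp[rl] = 0;` needs the strict bound to stay inside the buffer. Suggested comment above the `if`: `/* readlink() does not NUL-terminate; rl == sizeof(tmp) means the target was truncated and leaves no room for the terminator */`. Skipping such entries with `continue` silently ignores any link whose target does not fit in `tmp`, which is presumably acceptable for this lookup but is worth stating in that comment so nobody later "fixes" it by enlarging the index. portid2name() starts and ends outside the hunk, so the size of `tmp` and what `procname` names could not be checked here.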
@@ -29,6 +29,11 @@ Patch15: backport-payload-do-not-kill-dependency-for-proto_unknown.patch Patch16: backport-monitor-missing-cache-and-set-handle-initialization.patch Patch17: backport-netlink_linearize-fix-timeout-with-map-updates.patch +Patch18: backport-owner-Fix-potential-array-out-of-bounds-access.patch +Patch19: backport-evaluate-fix-shift-exponent-underflow-in-concatenation-evaluation.patch +Patch20: backport-netlink-Fix-for-potential-NULL-pointer-deref.patch +Patch21: backport-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch + BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel BuildRequires: chrpath @@ -127,6 +132,15 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Thu Apr 06 2023 zhanghao - 1:1.0.0-8 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:Fix potential array out of bounds access +evaluate: fix shift exponent underflow in concatenation evaluation +netlink: Fix for potential NULL-pointer deref +mnl: dump_nf_hooks() leaks memory in error path + * Tue Mar 21 2023 zhanghao - 1:1.0.0-7 - Type:bugfix - CVE:NA