From 07634d79d52b92f4d5d10cfadfa2bbfb1411411e Mon Sep 17 00:00:00 2001 From: eaglegai Date: Wed, 26 Jun 2024 03:08:23 +0000 Subject: [PATCH] backport upstream patches --- ...error-out-if-basetypes-are-different.patch | 52 +++++++++++++++++ ...evaluate-guard-against-NULL-basetype.patch | 39 +++++++++++++ ...valid-mapping-expressions-gracefully.patch | 47 ++++++++++++++++ ...luate-reject-attempt-to-update-a-set.patch | 56 +++++++++++++++++++ ...ype-in-expr_evaluate_list-error-path.patch | 55 ++++++++++++++++++ ...ribe-command-with-invalid-expression.patch | 43 ++++++++++++++ nftables.spec | 21 ++++++- 7 files changed, 312 insertions(+), 1 deletion(-) create mode 100644 backport-evaluate-error-out-if-basetypes-are-different.patch create mode 100644 backport-evaluate-guard-against-NULL-basetype.patch create mode 100644 backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch create mode 100644 backport-evaluate-reject-attempt-to-update-a-set.patch create mode 100644 backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch create mode 100644 backport-expression-missing-line-in-describe-command-with-invalid-expression.patch diff --git a/backport-evaluate-error-out-if-basetypes-are-different.patch b/backport-evaluate-error-out-if-basetypes-are-different.patch new file mode 100644 index 0000000..959518f --- /dev/null +++ b/backport-evaluate-error-out-if-basetypes-are-different.patch 
@@ -0,0 +1,52 @@ +From 45a4d4434742b425d019623812f2cce293033cdf Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 18:30:51 +0100 +Subject: evaluate: error out if basetypes are different + +prefer +binop_with_different_basetype_assert:3:29-35: Error: Binary operation (<<) with different base types (string vs integer) is not supported +oifname set ip9dscp << 26 | 0x10 + ^^^^^^^~~~~~~ +to assertion failure. + +Signed-off-by: Florian Westphal + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit/?id=45a4d4434742b425d019623812f2cce293033cdf +--- + src/evaluate.c | 7 +++++-- + .../testcases/bogons/nft-f/binop_with_different_basetype_assert | 5 +++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index b6670254..51ae276a 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1451,8 +1451,11 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr) + "for %s expressions", + sym, expr_name(right)); + +- /* The grammar guarantees this */ +- assert(datatype_equal(expr_basetype(left), expr_basetype(right))); ++ if (!datatype_equal(expr_basetype(left), expr_basetype(right))) ++ return expr_binary_error(ctx->msgs, left, op, ++ "Binary operation (%s) with different base types " ++ "(%s vs %s) is not supported", ++ sym, expr_basetype(left)->name, expr_basetype(right)->name); + + switch (op->op) { + case OP_LSHIFT: +diff --git a/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert +new file mode 100644 +index 00000000..e8436008 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert +@@ -0,0 +1,5 @@ ++table ip t { ++ chain c { ++ oifname set ip9dscp << 26 | 0x10 ++ } ++} +-- +cgit v1.2.3 
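Review bot: The new `if (!datatype_equal(expr_basetype(left), expr_basetype(right)))` in expr_evaluate_binop deletes the `/* The grammar guarantees this */` comment but puts nothing in its place, so the next reader has no hint why the former assert was reachable; add above the check `/* Not guaranteed by the grammar (see bogons/nft-f/binop_with_different_basetype_assert): reject mismatched base types instead of asserting */`. The added input under tests/shell/testcases/bogons/nft-f/ is a plain mode-100644 file and upstream feeds it through a dedicated bogons runner; if this 1.0.0 tree lacks that runner the file is never exercised, so confirm the shell harness picks it up or the regression stays unchecked here. expr_evaluate_binop starts and ends outside the hunk.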
diff --git a/backport-evaluate-guard-against-NULL-basetype.patch b/backport-evaluate-guard-against-NULL-basetype.patch new file mode 100644 index 0000000..1f11e52 --- /dev/null +++ b/backport-evaluate-guard-against-NULL-basetype.patch @@ -0,0 +1,39 @@ +From 3671c48970031e617ee713b79caf8ef0a1b096c2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 18:18:07 +0100 +Subject: evaluate: guard against NULL basetype + +i->dtype->basetype can be NULL. + +Signed-off-by: Florian Westphal + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=3671c48970031e617ee713b79caf8ef0a1b096c2 +--- + src/evaluate.c | 2 +- + tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash + +diff --git a/src/evaluate.c b/src/evaluate.c +index b6428018..b6670254 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1610,7 +1610,7 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) + return expr_error(ctx->msgs, i, + "List member must be a constant " + "value"); +- if (i->dtype->basetype->type != TYPE_BITMASK) ++ if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) + return expr_error(ctx->msgs, i, + "Basetype of type %s is not bitmask", + i->dtype->desc); +diff --git a/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash +new file mode 100644 +index 00000000..16d3e41f +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash +@@ -0,0 +1 @@ ++cPoR et ip dscp << 2>0 ,xl rt ipsec c0tt in tabl rt ipsec cl +-- +cgit v1.2.3 diff --git a/backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch b/backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch new file mode 100644 index 0000000..ec477b7 --- /dev/null 
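Review bot: The replacement `datatype_basetype(i->dtype)->type != TYPE_BITMASK` in expr_evaluate_list is uncommented, and the hunk alone does not show what the helper yields when `dtype->basetype` is NULL, which is the crash the patch fixes; add `/* dtype may have no basetype (a plain type): datatype_basetype() is expected to return dtype itself then, so this never dereferences NULL */`, marking the expectation as something to confirm against datatype.c. Also confirm that `datatype_basetype()` is declared in this 1.0.0 tree, since "Conflict: NA" only says the hunk applied, not that the symbol resolves, and the later mpz-release patch in this series relies on the same call in its context lines. expr_evaluate_list continues outside the hunk.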
+++ b/backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch @@ -0,0 +1,47 @@ +From 778e4e113673c2a4daa798634c554c40f2808276 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 17:47:50 +0100 +Subject: evaluate: handle invalid mapping expressions gracefully + +Before: +BUG: invalid mapping expression binop +nft: src/evaluate.c:2027: expr_evaluate_map: Assertion `0' failed. + +After: +tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert:1:22-25: Error: invalid mapping expression binop +xy mame ip saddr map h& p p + ~~~~~~~~ ^^^^ +Signed-off-by: Florian Westphal + +Conflict: evaluate.c change the context +Reference:https://git.netfilter.org/nftables/commit/?id=778e4e113673c2a4daa798634c554c40f2808276 +--- + src/evaluate.c | 4 ++-- + tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index 64deb31a..b6428018 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2024,8 +2024,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) + "Expression is not a map"); + break; + default: +- BUG("invalid mapping expression %s\n", +- expr_name(map->mappings)); ++ return expr_binary_error(ctx->msgs, map->mappings, map->map, ++ "invalid mapping expression %s", expr_name(map->mappings)); + } + + if (!datatype_equal(map->map->dtype, map->mappings->set->key->dtype)) +diff --git a/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert +new file mode 100644 +index 00000000..7205ff4f +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert +@@ -0,0 +1 @@ ++xy mame ip saddr map h& p p +-- +cgit v1.2.3 
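Review bot: The `default:` branch of the switch in expr_evaluate_map now returns `expr_binary_error(...)` instead of `BUG()`, but nothing says which expression types are expected to land there, so a reader cannot tell a forgotten case from garbage handed over by the parser; add `/* any other etype here is an invalid mapping expression from the input (e.g. a binop, see bogons/nft-f/invalid_mapping_expr_binop_assert): report it rather than abort */`. The "Conflict: evaluate.c change the context" trailer means the hunk was hand-adjusted, so verify that the argument order (`map->mappings`, then `map->map`) matches the `expr_binary_error` signature in this tree and that the location markers in the error point where the commit message shows. The enclosing function starts and ends outside the hunk.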
diff --git a/backport-evaluate-reject-attempt-to-update-a-set.patch b/backport-evaluate-reject-attempt-to-update-a-set.patch new file mode 100644 index 0000000..8bb4700 --- /dev/null +++ b/backport-evaluate-reject-attempt-to-update-a-set.patch 
@@ -0,0 +1,56 @@ +From 5f43ea807bb0f5b30f332c2c96f13e33c9243d22 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 22:00:06 +0100 +Subject: evaluate: reject attempt to update a set + +This will crash as set->data is NULL, so check that SET_REF is pointing +to a map: + +Error: candidates_ipv4 is not a map +tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } + ~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Westphal + +Conflict: evaluate.c change the context +Reference: https://git.netfilter.org/nftables/commit/?id=5f43ea807bb0f5b30f332c2c96f13e33c9243d22 +--- + src/evaluate.c | 4 ++++ + tests/shell/testcases/bogons/nft-f/add_to_a_set_crash | 11 +++++++++++ + 2 files changed, 15 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-f/add_to_a_set_crash + +diff --git a/src/evaluate.c b/src/evaluate.c +index 131b0a0e..f05cac41 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -4344,6 +4344,10 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) + return expr_error(ctx->msgs, stmt->map.set, + "Expression does not refer to a set"); + ++ if (!set_is_map(stmt->map.set->set->flags)) ++ return expr_error(ctx->msgs, stmt->map.set, ++ "%s is not a map", stmt->map.set->set->handle.set.name); ++ + if (stmt_evaluate_arg(ctx, stmt, + stmt->map.set->set->key->dtype, + stmt->map.set->set->key->len, +diff --git a/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash +new file mode 100644 +index 00000000..80a01b45 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash +@@ -0,0 +1,11 @@ ++table t { ++ set candidates_ipv4 { ++ type ipv4_addr . inet_service ++ size 65535 ++ flags dynamic,timeout ++ } ++ ++ chain input { ++ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } ++ } ++} +-- +cgit v1.2.3 
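Review bot: The new `set_is_map()` rejection in stmt_evaluate_map carries no comment explaining what it protects, while the commit message gives the reason (a plain set has `set->data == NULL`, which later code dereferences); put that reasoning in the code: `/* only maps carry set->data; a plain set reaching stmt_evaluate_map would be dereferenced as NULL below */`. Keep the check where it is, after the "Expression does not refer to a set" guard, since it dereferences `stmt->map.set->set` and `->handle.set.name`; moving it earlier would reintroduce a NULL access. stmt_evaluate_map continues outside the hunk.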
diff --git a/backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch b/backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch new file mode 100644 index 0000000..d4bbc15 --- /dev/null +++ b/backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch 
@@ -0,0 +1,55 @@ +From 172b660843501463a0894b0d2ca1dd48c898dc4d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 11 Jan 2024 22:14:34 +0100 +Subject: evaluate: release mpz type in expr_evaluate_list() error path + +Detected when running: + + # nft -f tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash + ==383222==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 8 byte(s) in 1 object(s) allocated from: + #0 0x7fe7b54a9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 + #1 0x7fe7b538b9a9 in __gmp_default_allocate (/lib/x86_64-linux-gnu/libgmp.so.10+0xc9a9) + +Fixes: 3671c4897003 ("evaluate: guard against NULL basetype") +Signed-off-by: Pablo Neira Ayuso + +Conflict: NA +Reference: https://git.netfilter.org/nftables/commit/?id=172b660843501463a0894b0d2ca1dd48c898dc4d +--- + src/evaluate.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 6c29579f..3b366166 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1695,16 +1695,22 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) + + mpz_init_set_ui(val, 0); + list_for_each_entry_safe(i, next, &list->expressions, list) { +- if (list_member_evaluate(ctx, &i) < 0) ++ if (list_member_evaluate(ctx, &i) < 0) { ++ mpz_clear(val); + return -1; +- if (i->etype != EXPR_VALUE) ++ } ++ if (i->etype != EXPR_VALUE) { ++ mpz_clear(val); + return expr_error(ctx->msgs, i, + "List member must be a constant " + "value"); +- if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) ++ } ++ if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) { ++ mpz_clear(val); + return expr_error(ctx->msgs, i, + "Basetype of type %s is not bitmask", + i->dtype->desc); ++ } + mpz_ior(val, val, i->value); + } + +-- +cgit v1.2.3 
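Review bot: The three added `mpz_clear(val)` calls in expr_evaluate_list fix the leak but leave the ownership rule implicit, so the next early exit added to this loop will leak again; add a comment on the `mpz_init_set_ui(val, 0)` line: `/* val is owned here until the merged value is built below: every early return must mpz_clear() it */`. The success path that consumes `val` is outside the hunk, so the comment should be checked against it. expr_evaluate_list starts and ends outside the hunk.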
diff --git a/backport-expression-missing-line-in-describe-command-with-invalid-expression.patch b/backport-expression-missing-line-in-describe-command-with-invalid-expression.patch new file mode 100644 index 0000000..aeeee7f --- /dev/null +++ b/backport-expression-missing-line-in-describe-command-with-invalid-expression.patch @@ -0,0 +1,43 @@ +From 2b24dd29c5fa1c7e4cf44f0753752d25106273a0 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 13 Feb 2024 17:09:20 +0100 +Subject: expression: missing line in describe command with invalid expression + +Before: + + duh@testbed:~# nft describe blah + symbol expression, datatype invalid (invalid)duh@testbed:# + +After: + + duh@testbed:~# nft describe blah + symbol expression, datatype invalid (invalid) + duh@testbed:# + +Fixes: 48aca2de80a7 ("iptopt: fix crash with invalid field/type combo") +Signed-off-by: Pablo Neira Ayuso + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=2b24dd29c5fa1c7e4cf44f0753752d25106273a0 +--- + src/expression.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/expression.c b/src/expression.c +index dde48b6a..cb2573fe 100644 +--- a/src/expression.c ++++ b/src/expression.c +@@ -140,8 +140,10 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx) + } else { + nft_print(octx, "%s expression, datatype %s (%s)", + expr_name(expr), dtype->name, dtype->desc); +- if (dtype == &invalid_type) ++ if (dtype == &invalid_type) { ++ nft_print(octx, "\n"); + return; ++ } + } + + if (dtype->basetype != NULL) { +-- +cgit v1.2.3 diff --git a/nftables.spec b/nftables.spec index 288ce45..18536cc 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.0 -Release: 10 +Release: 11 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
@@ -75,6 +75,13 @@ Patch59: backport-evaluate-tproxy-move-range-error-checks-after-arg-ev.pa Patch60: backport-evaluate-error-out-when-store-needs-more-than-one-12.patch Patch61: backport-rule-fix-sym-refcount-assertion.patch +Patch62: backport-evaluate-handle-invalid-mapping-expressions-gracefully.patch +Patch63: backport-evaluate-error-out-if-basetypes-are-different.patch +Patch64: backport-evaluate-reject-attempt-to-update-a-set.patch +Patch65: backport-evaluate-guard-against-NULL-basetype.patch +Patch66: backport-evaluate-release-mpz-type-in-expr_evaluate_list-error-path.patch +Patch67: backport-expression-missing-line-in-describe-command-with-invalid-expression.patch + BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel BuildRequires: chrpath @@ -173,6 +180,18 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Wed Jun 26 2024 gaihuiying - 1:1.0.0-11 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + evaluate: error out if basetypes are different + evaluate: guard against NULL basetype + evaluate: handle invalid mapping expressions gracefully + evaluate: reject attempt to update a set + evaluate: release mpz type in expr_evaluate_list() error path + expression: missing line in describe command with invalid expression + Thu Apr 18 2024 lingsheng - 1:1.0.0-10 - Type:bugfix - CVE:NA -- Gitee
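Review bot: The Patch62–Patch67 numbering applies the basetype-mismatch patch (Patch63) before the NULL-basetype guard (Patch65), the reverse of upstream order as the `index` lines of the two patch files show (b6428018..b6670254 then b6670254..51ae276a); the hunks touch different functions in evaluate.c, so this only costs offset fuzz, but ordering them as upstream (62, 65, 63, 64, 66, 67) keeps line offsets identical and simplifies future rebases. The one hard dependency, Patch66 (`Fixes: 3671c4897003`) after Patch65, is already satisfied and must be preserved on any reorder.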