diff --git a/backport-evaluate-error-out-if-basetypes-are-different.patch b/backport-evaluate-error-out-if-basetypes-are-different.patch new file mode 100644 index 0000000000000000000000000000000000000000..16e38ed552c5c56353b9a42cfd768e068b338edc --- /dev/null +++ b/backport-evaluate-error-out-if-basetypes-are-different.patch 
@@ -0,0 +1,50 @@ +From 45a4d4434742b425d019623812f2cce293033cdf Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 18:30:51 +0100 +Subject: [PATCH] evaluate: error out if basetypes are different + +prefer +binop_with_different_basetype_assert:3:29-35: Error: Binary operation (<<) with different base types (string vs integer) is not supported +oifname set ip9dscp << 26 | 0x10 + ^^^^^^^~~~~~~ +to assertion failure. + +Signed-off-by: Florian Westphal +--- + src/evaluate.c | 7 +++++-- + .../bogons/nft-f/binop_with_different_basetype_assert | 5 +++++ + 2 files changed, 10 insertions(+), 2 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index b6670254..51ae276a 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1451,8 +1451,11 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr) + "for %s expressions", + sym, expr_name(right)); + +- /* The grammar guarantees this */ +- assert(datatype_equal(expr_basetype(left), expr_basetype(right))); ++ if (!datatype_equal(expr_basetype(left), expr_basetype(right))) ++ return expr_binary_error(ctx->msgs, left, op, ++ "Binary operation (%s) with different base types " ++ "(%s vs %s) is not supported", ++ sym, expr_basetype(left)->name, expr_basetype(right)->name); + + switch (op->op) { + case OP_LSHIFT: +diff --git a/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert +new file mode 100644 +index 00000000..e8436008 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/binop_with_different_basetype_assert +@@ -0,0 +1,5 @@ ++table ip t { ++ chain c { ++ oifname set ip9dscp << 26 | 0x10 ++ } ++} +-- +2.43.4 + 
diff --git a/backport-evaluate-guard-against-NULL-basetype.patch b/backport-evaluate-guard-against-NULL-basetype.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ed5d9f3bbed23f9b5b696a8addf7bcbf95f27bc --- /dev/null +++ b/backport-evaluate-guard-against-NULL-basetype.patch @@ -0,0 +1,37 @@ +From 3671c48970031e617ee713b79caf8ef0a1b096c2 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 18:18:07 +0100 +Subject: [PATCH] evaluate: guard against NULL basetype + +i->dtype->basetype can be NULL. + +Signed-off-by: Florian Westphal +--- + src/evaluate.c | 2 +- + tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash + +diff --git a/src/evaluate.c b/src/evaluate.c +index b6428018..b6670254 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1610,7 +1610,7 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) + return expr_error(ctx->msgs, i, + "List member must be a constant " + "value"); +- if (i->dtype->basetype->type != TYPE_BITMASK) ++ if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) + return expr_error(ctx->msgs, i, + "Basetype of type %s is not bitmask", + i->dtype->desc); +diff --git a/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash +new file mode 100644 +index 00000000..16d3e41f +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash +@@ -0,0 +1 @@ ++cPoR et ip dscp << 2>0 ,xl rt ipsec c0tt in tabl rt ipsec cl +-- +2.43.4 + diff --git a/backport-evaluate-handle-invalid-mapping-expressions-graceful.patch b/backport-evaluate-handle-invalid-mapping-expressions-graceful.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ce2720a0737299c5bd724231aae268d093b56b0 --- /dev/null 
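Review bot: The replacement `datatype_basetype(i->dtype)->type` only removes the crash if datatype_basetype() falls back to the datatype itself when its basetype is NULL; that helper is not in the hunk, so this is an assumption to confirm, otherwise the NULL dereference has merely moved one call deeper. The early-return paths in this loop also leave the mpz value initialised just above the loop (visible in the release-mpz hunk later in this series) unreleased; that later backport adds the missing mpz_clear() calls, so nothing further is needed here. expr_evaluate_list() starts and ends outside the hunk.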
+++ b/backport-evaluate-handle-invalid-mapping-expressions-graceful.patch @@ -0,0 +1,45 @@ +From 778e4e113673c2a4daa798634c554c40f2808276 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 17:47:50 +0100 +Subject: [PATCH] evaluate: handle invalid mapping expressions gracefully + +Before: +BUG: invalid mapping expression binop +nft: src/evaluate.c:2027: expr_evaluate_map: Assertion `0' failed. + +After: +tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert:1:22-25: Error: invalid mapping expression binop +xy mame ip saddr map h& p p + ~~~~~~~~ ^^^^ +Signed-off-by: Florian Westphal +--- + src/evaluate.c | 4 ++-- + .../testcases/bogons/nft-f/invalid_mapping_expr_binop_assert | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index 64deb31a..b6428018 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2024,8 +2024,8 @@ static int expr_evaluate_map(struct eval_ctx *ctx, struct expr **expr) + "Expression is not a map"); + break; + default: +- BUG("invalid mapping expression %s\n", +- expr_name(map->mappings)); ++ return expr_binary_error(ctx->msgs, map->mappings, map->map, ++ "invalid mapping expression %s", expr_name(map->mappings)); + } + + if (!datatype_equal(map->map->dtype, map->mappings->set->key->dtype)) +diff --git a/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert +new file mode 100644 +index 00000000..7205ff4f +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/invalid_mapping_expr_binop_assert +@@ -0,0 +1 @@ ++xy mame ip saddr map h& p p +-- +2.43.4 + diff --git a/backport-evaluate-reject-attempt-to-update-a-set.patch b/backport-evaluate-reject-attempt-to-update-a-set.patch new file mode 100644 index 0000000000000000000000000000000000000000..38730e90ca029b0ade85423820bf741bc9feb93c 
--- /dev/null +++ b/backport-evaluate-reject-attempt-to-update-a-set.patch @@ -0,0 +1,54 @@ +From 5f43ea807bb0f5b30f332c2c96f13e33c9243d22 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 22:00:06 +0100 +Subject: [PATCH] evaluate: reject attempt to update a set + +This will crash as set->data is NULL, so check that SET_REF is pointing +to a map: + +Error: candidates_ipv4 is not a map +tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } + ~~~~~~~~~~~~~~~~ + +Signed-off-by: Florian Westphal +--- + src/evaluate.c | 4 ++++ + tests/shell/testcases/bogons/nft-f/add_to_a_set_crash | 11 +++++++++++ + 2 files changed, 15 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-f/add_to_a_set_crash + +diff --git a/src/evaluate.c b/src/evaluate.c +index 131b0a0e..f05cac41 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -4344,6 +4344,10 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) + return expr_error(ctx->msgs, stmt->map.set, + "Expression does not refer to a set"); + ++ if (!set_is_map(stmt->map.set->set->flags)) ++ return expr_error(ctx->msgs, stmt->map.set, ++ "%s is not a map", stmt->map.set->set->handle.set.name); ++ + if (stmt_evaluate_key(ctx, stmt, + stmt->map.set->set->key->dtype, + stmt->map.set->set->key->len, +diff --git a/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash +new file mode 100644 +index 00000000..80a01b45 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/add_to_a_set_crash +@@ -0,0 +1,11 @@ ++table t { ++ set candidates_ipv4 { ++ type ipv4_addr . inet_service ++ size 65535 ++ flags dynamic,timeout ++ } ++ ++ chain input { ++ tcp dport 10003 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 { ip saddr . 10 :0004 timeout 1s } ++ } ++} +-- +2.43.4 + 
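Review bot: The new guard repeats `stmt->map.set->set` three times and the stmt_evaluate_key() call that follows repeats it twice more; a local `const struct set *set = stmt->map.set->set;` introduced after the "does not refer to a set" check would reduce the condition to `if (!set_is_map(set->flags))` and the message argument to `set->handle.set.name`. Placing the check before stmt_evaluate_key() looks right, since the commit message attributes the crash to set->data being NULL further down the function, which is not visible in the hunk. stmt_evaluate_map() starts and ends outside the hunk.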
diff --git a/backport-evaluate-release-mpz-type-in-expr_evaluate_list-erro.patch b/backport-evaluate-release-mpz-type-in-expr_evaluate_list-erro.patch new file mode 100644 index 0000000000000000000000000000000000000000..945478123af118ce2e6b7128a3be3d11de8f05c3 --- /dev/null +++ b/backport-evaluate-release-mpz-type-in-expr_evaluate_list-erro.patch 
@@ -0,0 +1,53 @@ +From 172b660843501463a0894b0d2ca1dd48c898dc4d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 11 Jan 2024 22:14:34 +0100 +Subject: [PATCH] evaluate: release mpz type in expr_evaluate_list() error path + +Detected when running: + + # nft -f tests/shell/testcases/bogons/nft-f/no_integer_basetype_crash + ==383222==ERROR: LeakSanitizer: detected memory leaks + + Direct leak of 8 byte(s) in 1 object(s) allocated from: + #0 0x7fe7b54a9e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 + #1 0x7fe7b538b9a9 in __gmp_default_allocate (/lib/x86_64-linux-gnu/libgmp.so.10+0xc9a9) + +Fixes: 3671c4897003 ("evaluate: guard against NULL basetype") +Signed-off-by: Pablo Neira Ayuso +--- + src/evaluate.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 6c29579f..3b366166 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1695,16 +1695,22 @@ static int expr_evaluate_list(struct eval_ctx *ctx, struct expr **expr) + + mpz_init_set_ui(val, 0); + list_for_each_entry_safe(i, next, &list->expressions, list) { +- if (list_member_evaluate(ctx, &i) < 0) ++ if (list_member_evaluate(ctx, &i) < 0) { ++ mpz_clear(val); + return -1; +- if (i->etype != EXPR_VALUE) ++ } ++ if (i->etype != EXPR_VALUE) { ++ mpz_clear(val); + return expr_error(ctx->msgs, i, + "List member must be a constant " + "value"); +- if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) ++ } ++ if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) { ++ mpz_clear(val); + return expr_error(ctx->msgs, i, + "Basetype of type %s is not bitmask", + i->dtype->desc); ++ } + mpz_ior(val, val, i->value); + } + +-- +2.43.4 + diff --git a/backport-expression-missing-line-in-describe-command-with-inv.patch b/backport-expression-missing-line-in-describe-command-with-inv.patch new file mode 100644 index 0000000000000000000000000000000000000000..c5bff1e7dfb3d8c001ebeca0df0fec642b91778f 
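Review bot: Each of the three early returns now carries its own `mpz_clear(val);`, which is the pattern that let the original leak slip in; a single cleanup label would make any error path added to this loop later release the value automatically. The rewrite below assumes an `int ret` local and places `err_clear:` after the function's normal return, both of which lie outside the hunk, as does the rest of expr_evaluate_list().
```c
	list_for_each_entry_safe(i, next, &list->expressions, list) {
		if (list_member_evaluate(ctx, &i) < 0) {
			ret = -1;
			goto err_clear;
		}
		if (i->etype != EXPR_VALUE) {
			ret = expr_error(ctx->msgs, i,
					 "List member must be a constant "
					 "value");
			goto err_clear;
		}
		if (datatype_basetype(i->dtype)->type != TYPE_BITMASK) {
			ret = expr_error(ctx->msgs, i,
					 "Basetype of type %s is not bitmask",
					 i->dtype->desc);
			goto err_clear;
		}
		mpz_ior(val, val, i->value);
	}
	/* … unchanged: remainder of expr_evaluate_list(), outside the hunk … */
err_clear:
	mpz_clear(val);
	return ret;
```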
--- /dev/null +++ b/backport-expression-missing-line-in-describe-command-with-inv.patch @@ -0,0 +1,42 @@ +From 2b24dd29c5fa1c7e4cf44f0753752d25106273a0 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Tue, 13 Feb 2024 17:09:20 +0100 +Subject: [PATCH] expression: missing line in describe command with invalid + expression + +Before: + + duh@testbed:~# nft describe blah + symbol expression, datatype invalid (invalid)duh@testbed:# + +After: + + duh@testbed:~# nft describe blah + symbol expression, datatype invalid (invalid) + duh@testbed:# + +Fixes: 48aca2de80a7 ("iptopt: fix crash with invalid field/type combo") +Signed-off-by: Pablo Neira Ayuso +--- + src/expression.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/expression.c b/src/expression.c +index dde48b6a..cb2573fe 100644 +--- a/src/expression.c ++++ b/src/expression.c +@@ -140,8 +140,10 @@ void expr_describe(const struct expr *expr, struct output_ctx *octx) + nft_print(octx, "%s expression, datatype %s (%s)", + expr_name(expr), dtype->name, dtype->desc); + +- if (dtype == &invalid_type) ++ if (dtype == &invalid_type) { ++ nft_print(octx, "\n"); + return; ++ } + } + + if (dtype->basetype != NULL) { +-- +2.43.4 + diff --git a/nftables.spec b/nftables.spec index 258ece1233c96e8512f49a64ed47135694760403..f9729f0ba296939db3ce261bfa549b8a5faf4ec3 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.8 -Release: 3 +Release: 4 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
@@ -48,6 +48,12 @@ Patch0036: backport-evaluate-error-out-when-expression-has-no-datatype.patc
 Patch0037: backport-evaluate-tproxy-move-range-error-checks-after-arg-ev.patch
 Patch0038: backport-evaluate-error-out-when-store-needs-more-than-one-12.patch
 Patch0039: backport-rule-fix-sym-refcount-assertion.patch
+Patch0040: backport-evaluate-guard-against-NULL-basetype.patch
+Patch0041: backport-evaluate-error-out-if-basetypes-are-different.patch
+Patch0042: backport-evaluate-reject-attempt-to-update-a-set.patch
+Patch0043: backport-evaluate-release-mpz-type-in-expr_evaluate_list-erro.patch
+Patch0044: backport-expression-missing-line-in-describe-command-with-inv.patch
+Patch0045: backport-evaluate-handle-invalid-mapping-expressions-graceful.patch
 
 BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd
 BuildRequires: iptables-devel jansson-devel python3-devel
@@ -147,6 +153,17 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf
 %{python3_sitelib}/nftables/
 
 %changelog
+* Mon Jun 24 2024 liweigang - 1:1.0.8-4
+- Type: bugfix
+- CVE: NA
+- SUG: NA
+- DESC: evaluate: guard against NULL basetype
+evaluate: error out if basetypes are different
+evaluate: reject attempt to update a set
+evaluate: release mpz type in expr_evaluate_list() error path
+expression: missing line in describe command with invalid expression
+evaluate: handle invalid mapping expressions in stateful object statements gracefully
+
 * Fri Apr 19 2024 lingsheng - 1:1.0.8-3
 - Type:bugfix
 - CVE:NA
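Review bot: Patch0045 is applied after Patch0040 and Patch0041 although its `index 64deb31a..b6428018` line shows it precedes them upstream (Patch0040 starts from b6428018 and Patch0041 from b6670254); the three hunks touch different regions of src/evaluate.c, so they presumably still apply with offsets, but listing the backports in upstream order keeps the blob ids meaningful and avoids fuzz. Patch0043 carries `Fixes: 3671c4897003`, which is Patch0040, so its position after Patch0040 is correct. The changelog entry for the last backport reads "handle invalid mapping expressions in stateful object statements gracefully" while that patch's Subject is "evaluate: handle invalid mapping expressions gracefully"; matching the upstream wording keeps the entry searchable against the upstream history.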