diff --git a/backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch b/backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d71d0f1061bf850d4e023f4d52dca71dc3ea852 --- /dev/null +++ b/backport-evaluate-Fix-incorrect-checking-the-base-variable-in-case-of-IPV6.patch @@ -0,0 +1,32 @@ +From f6b579344eee17e5587b6a7fcc444fe997cd8cb6 Mon Sep 17 00:00:00 2001 +From: Maks Mishin +Date: Wed, 15 May 2024 23:25:03 +0300 +Subject: evaluate: Fix incorrect checking the `base` variable in case of IPV6 + +Found by RASU JSC. + +Fixes: 2b29ea5f3c3e ("src: ct: add eval part to inject dependencies for ct saddr/daddr") +Signed-off-by: Maks Mishin +Signed-off-by: Pablo Neira Ayuso + +Conflict:change evaluate.c context +Reference:https://git.netfilter.org/nftables/commit/?id=f6b579344eee17e5587b6a7fcc444fe997cd8cb6 +--- + src/evaluate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 8ab0c9e2..227f5da8 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1126,7 +1126,7 @@ static int ct_gen_nh_dependency(struct eval_ctx *ctx, struct expr *ct) + base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; + if (base == &proto_ip) + ct->ct.nfproto = NFPROTO_IPV4; +- else if (base == &proto_ip) ++ else if (base == &proto_ip6) + ct->ct.nfproto = NFPROTO_IPV6; + + if (base) +-- +cgit v1.2.3 diff --git a/backport-evaluate-disable-meta-set-with-ranges.patch b/backport-evaluate-disable-meta-set-with-ranges.patch new file mode 100644 index 0000000000000000000000000000000000000000..6bcda91fdc4ddbe4d02119f92c6171e8a8bb7d75 --- /dev/null +++ b/backport-evaluate-disable-meta-set-with-ranges.patch @@ -0,0 +1,76 @@ +From d99b44adc5cfc455fdafd9b4bdabd413edf9a38a Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 4 Dec 2023 19:04:58 +0100 +Subject: evaluate: disable meta set with ranges + +... this will cause an assertion in netlink linearization, catch this +at eval stage instead. + +before: +BUG: unknown expression type range +nft: netlink_linearize.c:908: netlink_gen_expr: Assertion `0' failed. + +after: +/unknown_expr_type_range_assert:3:31-40: Error: Meta expression cannot be a range +meta mark set 0x001-3434 + ^^^^^^^^^^ + +Signed-off-by: Florian Westphal + +Conflict: change evaluate.c to set ret +Reference:https://git.netfilter.org/nftables/commit/?id=d99b44adc5cfc455fdafd9b4bdabd413edf9a38a +--- + src/evaluate.c | 13 +++++++++++++ + .../testcases/bogons/nft-f/unknown_expr_type_range_assert | 5 +++++ + 2 files changed, 25 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index ec8e05f..1d3b142 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2725,11 +2725,26 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + + static int stmt_evaluate_meta(struct eval_ctx *ctx, struct stmt *stmt) + { +- return stmt_evaluate_arg(ctx, stmt, +- stmt->meta.tmpl->dtype, +- stmt->meta.tmpl->len, +- stmt->meta.tmpl->byteorder, +- &stmt->meta.expr); ++ int ret; ++ ret = stmt_evaluate_arg(ctx, stmt, ++ stmt->meta.tmpl->dtype, ++ stmt->meta.tmpl->len, ++ stmt->meta.tmpl->byteorder, ++ &stmt->meta.expr); ++ if (ret < 0) ++ return ret; ++ ++ switch (stmt->meta.expr->etype) { ++ case EXPR_RANGE: ++ ret = expr_error(ctx->msgs, stmt->meta.expr, ++ "Meta expression cannot be a range"); ++ break; ++ default: ++ break; ++ ++ } ++ ++ return ret; + } + + static int stmt_evaluate_ct(struct eval_ctx *ctx, struct stmt *stmt) +diff --git a/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert +new file mode 100644 +index 00000000..234dd623 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/unknown_expr_type_range_assert +@@ -0,0 +1,5 @@ ++table ip x { ++ chain k { ++ meta mark set 0x001-3434 ++ } ++} +-- +cgit v1.2.3 diff --git a/backport-evaluate-fix-stack-overflow-with-huge-priority-string.patch b/backport-evaluate-fix-stack-overflow-with-huge-priority-string.patch new file mode 100644 index 0000000000000000000000000000000000000000..c2438c0ce67a375ce12e9ed83a13188de831d712 --- /dev/null +++ b/backport-evaluate-fix-stack-overflow-with-huge-priority-string.patch @@ -0,0 +1,46 @@ +From b626c86abaf294fcf1ec788f722071dc90da68c4 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 15 Dec 2023 10:19:02 +0100 +Subject: [PATCH] evaluate: fix stack overflow with huge priority string + +Alternative would be to refactor this and move this into the parsers +(bison, json) instead of this hidden re-parsing. + +Fixes: 627c451b2351 ("src: allow variables in the chain priority specification") +Signed-off-by: Florian Westphal + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=b626c86abaf294fcf1ec788f722071dc90da68c4 +--- + src/evaluate.c | 2 +- + tests/shell/testcases/bogons/nft-f/huge_chain_prio | 5 +++++ + 2 files changed, 6 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/huge_chain_prio + +diff --git a/src/evaluate.c b/src/evaluate.c +index 87cd68d3..5ddbde42 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -4897,7 +4897,7 @@ static bool evaluate_priority(struct eval_ctx *ctx, struct prio_spec *prio, + NFT_NAME_MAXLEN); + loc = prio->expr->location; + +- if (sscanf(prio_str, "%s %c %d", prio_fst, &op, &prio_snd) < 3) { ++ if (sscanf(prio_str, "%255s %c %d", prio_fst, &op, &prio_snd) < 3) { + priority = std_prio_lookup(prio_str, family, hook); + if (priority == NF_IP_PRI_LAST) + return false; +diff --git a/tests/shell/testcases/bogons/nft-f/huge_chain_prio b/tests/shell/testcases/bogons/nft-f/huge_chain_prio +new file mode 100644 +index 00000000..41f8061a +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/huge_chain_prio +@@ -0,0 +1,5 @@ ++table t { ++ chain c { ++ type filter hook input priority srcnDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD#DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD; policy accept; ++ } ++} +-- +2.33.0 + diff --git a/backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch b/backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch new file mode 100644 index 0000000000000000000000000000000000000000..c2d04598396462f3b275197706af0c3daaa8e8d8 --- /dev/null +++ b/backport-evaluate-handle-invalid-mapping-expressions-in-stateful-object-statements-gracefully.patch @@ -0,0 +1,45 @@ +From 52a7af9bec15a4fb4bfea86e40b70f96098f7dfd Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Mon, 29 Apr 2024 20:27:52 +0100 +Subject: evaluate: handle invalid mapping expressions in stateful object + statements gracefully. + +Currently, they are reported as assertion failures: + + BUG: invalid mapping expression variable + nft: src/evaluate.c:4618: stmt_evaluate_objref_map: Assertion `0' failed. + Aborted + +Instead, report them more informatively as errors: + + /space/azazel/tmp/ruleset.1067161.nft:15:29-38: Error: invalid mapping expression variable + quota name ip saddr map $quota_map + ~~~~~~~~ ^^^^^^^^^^ + +Signed-off-by: Jeremy Sowden +Signed-off-by: Pablo Neira Ayuso + +Conflict:change evaluate.c context +Reference:https://git.netfilter.org/nftables/commit/?id=52a7af9bec15a4fb4bfea86e40b70f96098f7dfd +--- + src/evaluate.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 1682ba58..f28ef2aa 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -4615,8 +4615,9 @@ static int stmt_evaluate_objref_map(struct eval_ctx *ctx, struct stmt *stmt) + "Expression is not a map with objects"); + break; + default: +- BUG("invalid mapping expression %s\n", +- expr_name(map->mappings)); ++ return expr_binary_error(ctx->msgs, map->mappings, map->map, ++ "invalid mapping expression %s", ++ expr_name(map->mappings)); + } + + if (!datatype_equal(map->map->dtype, map->mappings->set->key->dtype)) +-- +cgit v1.2.3 diff --git a/backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch b/backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch new file mode 100644 index 0000000000000000000000000000000000000000..6ca0f7599d92d6a78b9fa1b491b26cf3dbb552de --- /dev/null +++ b/backport-netlink-reset-temporary-set-element-stmt-list-after-list-splice.patch @@ -0,0 +1,77 @@ +From 0693edb9eb01fa5a479dcca7d30b06f52806d22a Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 16 Sep 2021 13:51:23 +0200 +Subject: [PATCH] netlink: reset temporary set element stmt list after list + splice + +Reset temporary stmt list to deal with the key_end case which might +result in a jump backward to handle the rhs of the interval. + +Reported-by: Martin Zatloukal +Signed-off-by: Pablo Neira Ayuso + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=0693edb9eb01fa5a479dcca7d30b06f52806d22a +--- + src/netlink.c | 2 +- + tests/shell/testcases/maps/0013map_0 | 14 ++++++++++++++ + tests/shell/testcases/maps/dumps/0013map_0.nft | 13 +++++++++++++ + 3 files changed, 28 insertions(+), 1 deletion(-) + create mode 100755 tests/shell/testcases/maps/0013map_0 + create mode 100644 tests/shell/testcases/maps/dumps/0013map_0.nft + +diff --git a/src/netlink.c b/src/netlink.c +index 9a0d96f0..28a5514a 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -1324,7 +1324,7 @@ key_end: + nftnl_set_elem_expr_foreach(nlse, set_elem_parse_expressions, + &setelem_parse_ctx); + } +- list_splice_tail(&setelem_parse_ctx.stmt_list, &expr->stmt_list); ++ list_splice_tail_init(&setelem_parse_ctx.stmt_list, &expr->stmt_list); + + if (flags & NFT_SET_ELEM_INTERVAL_END) { + expr->flags |= EXPR_F_INTERVAL_END; +diff --git a/tests/shell/testcases/maps/0013map_0 b/tests/shell/testcases/maps/0013map_0 +new file mode 100755 +index 00000000..70d7fd3b +--- /dev/null ++++ b/tests/shell/testcases/maps/0013map_0 +@@ -0,0 +1,14 @@ ++#!/bin/bash ++ ++set -e ++ ++RULESET=" ++flush ruleset ++ ++add table ip filter ++add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; } ++add map ip filter forwport { type ipv4_addr . inet_proto . inet_service: verdict; flags interval; counter; } ++add rule ip filter FORWARD iifname enp0s8 ip daddr . ip protocol . th dport vmap @forwport counter ++add element ip filter forwport { 10.133.89.138 . tcp . 8081: accept }" ++ ++$NFT -f - <<< "$RULESET" +diff --git a/tests/shell/testcases/maps/dumps/0013map_0.nft b/tests/shell/testcases/maps/dumps/0013map_0.nft +new file mode 100644 +index 00000000..1455877d +--- /dev/null ++++ b/tests/shell/testcases/maps/dumps/0013map_0.nft +@@ -0,0 +1,13 @@ ++table ip filter { ++ map forwport { ++ type ipv4_addr . inet_proto . inet_service : verdict ++ flags interval ++ counter ++ elements = { 10.133.89.138 . tcp . 8081 counter packets 0 bytes 0 : accept } ++ } ++ ++ chain FORWARD { ++ type filter hook forward priority filter; policy drop; ++ iifname "enp0s8" ip daddr . ip protocol . th dport vmap @forwport counter packets 0 bytes 0 ++ } ++} +-- +2.33.0 + diff --git a/backport-rule-fix-ASAN-errors-in-chain-priority-to-textual-names.patch b/backport-rule-fix-ASAN-errors-in-chain-priority-to-textual-names.patch new file mode 100644 index 0000000000000000000000000000000000000000..4b3af5dd82819283ee03c432854cd1af75f846fc --- /dev/null +++ b/backport-rule-fix-ASAN-errors-in-chain-priority-to-textual-names.patch @@ -0,0 +1,76 @@ +From ff6135270616ccf4712990246cae850e64253516 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 29 Feb 2024 16:50:37 +0100 +Subject: rule: fix ASAN errors in chain priority to textual names + +ASAN reports several errors when listing this ruleset: + + table ip x { + chain y { + type filter hook input priority -2147483648; policy accept; + } + } + +src/rule.c:1002:8: runtime error: negation of -2147483648 cannot be represented in type 'int'; cast to an unsigned type to negate this value to itself +src/rule.c:1001:11: runtime error: signed integer overflow: -2147483648 - 50 cannot be represented in type 'int' + +Use int64_t for the offset to avoid an underflow when calculating +closest existing priority definition. + +Use llabs() because abs() is undefined with INT32_MIN. + +Fixes: c8a0e8c90e2d ("src: Set/print standard chain prios with textual names") +Signed-off-by: Pablo Neira Ayuso + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=ff6135270616ccf4712990246cae850e64253516 +--- + src/rule.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/src/rule.c b/src/rule.c +index 342c43fb..adab584e 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -977,10 +977,11 @@ static const char *prio2str(const struct output_ctx *octx, + const struct expr *expr) + { + const struct prio_tag *prio_arr; +- int std_prio, offset, prio; ++ const uint32_t reach = 10; + const char *std_prio_str; +- const int reach = 10; ++ int std_prio, prio; + size_t i, arr_size; ++ int64_t offset; + + mpz_export_data(&prio, expr->value, BYTEORDER_HOST_ENDIAN, sizeof(int)); + if (family == NFPROTO_BRIDGE) { +@@ -995,19 +996,21 @@ static const char *prio2str(const struct output_ctx *octx, + for (i = 0; i < arr_size; ++i) { + std_prio = prio_arr[i].val; + std_prio_str = prio_arr[i].str; +- if (abs(prio - std_prio) <= reach) { ++ ++ offset = (int64_t)prio - std_prio; ++ if (llabs(offset) <= reach) { + if (!std_prio_family_hook_compat(std_prio, + family, hook)) + break; +- offset = prio - std_prio; ++ + strncpy(buf, std_prio_str, bufsize); + if (offset > 0) + snprintf(buf + strlen(buf), +- bufsize - strlen(buf), " + %d", ++ bufsize - strlen(buf), " + %" PRIu64, + offset); + else if (offset < 0) + snprintf(buf + strlen(buf), +- bufsize - strlen(buf), " - %d", ++ bufsize - strlen(buf), " - %" PRIu64, + -offset); + return buf; + } +-- +cgit v1.2.3 diff --git a/backport-src-do-not-allow-to-chain-more-than-16-binops.patch b/backport-src-do-not-allow-to-chain-more-than-16-binops.patch new file mode 100644 index 0000000000000000000000000000000000000000..1ca1043183235f0896837aaf135d5837daf5d5a1 --- /dev/null +++ b/backport-src-do-not-allow-to-chain-more-than-16-binops.patch @@ -0,0 +1,172 @@ +From dcb199544563ded462cb7151134278f82a9e6cfd Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 21 Dec 2023 11:25:14 +0100 +Subject: src: do not allow to chain more than 16 binops + +netlink_linearize.c has never supported more than 16 chained binops. +Adding more is possible but overwrites the stack in +netlink_gen_bitwise(). + +Add a recursion counter to catch this at eval stage. + +Its not enough to just abort once the counter hits +NFT_MAX_EXPR_RECURSION. + +This is because there are valid test cases that exceed this. +For example, evaluation of 1 | 2 will merge the constans, so even +if there are a dozen recursive eval calls this will not end up +with large binop chain post-evaluation. + +v2: allow more than 16 binops iff the evaluation function + did constant-merging. + +Signed-off-by: Florian Westphal + +Conflict:change rule.h evaluate.c netlink_linearize.c +Reference:https://git.netfilter.org/nftables/commit/?id=dcb199544563ded462cb7151134278f82a9e6cfd +--- + include/expression.h | 1 + + include/rule.h | 2 + + src/evaluate.c | 39 ++++++++++++++++++- + src/netlink_linearize.c | 7 +++- + .../bogons/nft-f/huge_binop_expr_chain_crash | 5 +++ + 5 files changed, 50 insertions(+), 4 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash + +diff --git a/include/expression.h b/include/expression.h +index 778998f..c89f24e 100644 +--- a/include/expression.h ++++ b/include/expression.h +@@ -11,6 +11,7 @@ + + #define NFT_MAX_EXPR_LEN_BYTES (NFT_REG32_COUNT * sizeof(uint32_t)) + #define NFT_MAX_EXPR_LEN_BITS (NFT_MAX_EXPR_LEN_BYTES * BITS_PER_BYTE) ++#define NFT_MAX_EXPR_RECURSION 16 + + /** + * enum expr_types +diff --git a/include/rule.h b/include/rule.h +index be31695..4830691 100644 +--- a/include/rule.h ++++ b/include/rule.h +@@ -747,6 +747,7 @@ void cmd_add_loc(struct cmd *cmd, uint16_t offset, const struct location *loc); + * @rule: current rule + * @set: current set + * @stmt: current statement ++ * @recursion: expr evaluation recursion counter + * @cache: cache context + * @debug_mask: debugging bitmask + * @ectx: expression context +@@ -760,6 +761,7 @@ struct eval_ctx { + struct rule *rule; + struct set *set; + struct stmt *stmt; ++ uint32_t recursion; + struct expr_ctx ectx; + struct proto_ctx pctx; + }; +diff --git a/src/evaluate.c b/src/evaluate.c +index 6163ba6..1aa3d7e 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -1173,6 +1173,13 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr) + { + struct expr *op = *expr, *left, *right; + const char *sym = expr_op_symbols[op->op]; ++ int ret = -1; ++ ++ if (ctx->recursion >= USHRT_MAX) ++ return expr_binary_error(ctx->msgs, op, NULL, ++ "Binary operation limit %u reached ", ++ ctx->recursion); ++ ctx->recursion++; + + if (expr_evaluate(ctx, &op->left) < 0) + return -1; +@@ -1222,14 +1229,42 @@ static int expr_evaluate_binop(struct eval_ctx *ctx, struct expr **expr) + switch (op->op) { + case OP_LSHIFT: + case OP_RSHIFT: +- return expr_evaluate_shift(ctx, expr); ++ ret = expr_evaluate_shift(ctx, expr); ++ break; + case OP_AND: + case OP_XOR: + case OP_OR: +- return expr_evaluate_bitwise(ctx, expr); ++ ret = expr_evaluate_bitwise(ctx, expr); ++ break; + default: + BUG("invalid binary operation %u\n", op->op); + } ++ ++ ++ if (ctx->recursion == 0) ++ BUG("recursion counter underflow"); ++ ++ /* can't check earlier: evaluate functions might do constant-merging + expr_free. ++ * ++ * So once we've evaluate everything check for remaining length of the ++ * binop chain. ++ */ ++ if (--ctx->recursion == 0) { ++ unsigned int to_linearize = 0; ++ ++ op = *expr; ++ while (op && op->etype == EXPR_BINOP && op->left != NULL) { ++ to_linearize++; ++ op = op->left; ++ ++ if (to_linearize >= NFT_MAX_EXPR_RECURSION) ++ return expr_binary_error(ctx->msgs, op, NULL, ++ "Binary operation limit %u reached ", ++ NFT_MAX_EXPR_RECURSION); ++ } ++ } ++ ++ return ret; + } + + static int list_member_evaluate(struct eval_ctx *ctx, struct expr **expr) +diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c +index f271b11..1c43ccc 100644 +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -625,10 +625,10 @@ static void netlink_gen_bitwise(struct netlink_linearize_ctx *ctx, + const struct expr *expr, + enum nft_registers dreg) + { ++ struct expr *binops[NFT_MAX_EXPR_RECURSION]; + struct nftnl_expr *nle; + struct nft_data_linearize nld; + struct expr *left, *i; +- struct expr *binops[16]; + mpz_t mask, xor, val, tmp; + unsigned int len; + int n = 0; +@@ -640,8 +640,11 @@ static void netlink_gen_bitwise(struct netlink_linearize_ctx *ctx, + + binops[n++] = left = (struct expr *) expr; + while (left->etype == EXPR_BINOP && left->left != NULL && +- (left->op == OP_AND || left->op == OP_OR || left->op == OP_XOR)) ++ (left->op == OP_AND || left->op == OP_OR || left->op == OP_XOR)) { ++ if (n == array_size(binops)) ++ BUG("NFT_MAX_EXPR_RECURSION limit reached"); + binops[n++] = left = left->left; ++ } + n--; + + netlink_gen_expr(ctx, binops[n--], dreg); +diff --git a/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash +new file mode 100644 +index 0000000..8d1da72 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/huge_binop_expr_chain_crash +@@ -0,0 +1,5 @@ ++table t { ++ chain c { ++ meta oifname^a^b^c^d^e^f^g^h^i^j^k^l^m^n^o^p^q^r^s^t^u^v^w^x^y^z^A^B^C^D^E^F^G^H^I^J^K^L^M^N^O^P^Q^R^S^T^U^V^W^X^Y^Z^0^1^2^3^4^5^6^7^8^9 bar ++ } ++} +-- +cgit v1.2.3 diff --git a/backport-src-reject-large-raw-payload-and-concat-expressions.patch b/backport-src-reject-large-raw-payload-and-concat-expressions.patch new file mode 100644 index 0000000000000000000000000000000000000000..8cf06197e74cd3734a9b436df687e97c665115f8 --- /dev/null +++ b/backport-src-reject-large-raw-payload-and-concat-expressions.patch @@ -0,0 +1,79 @@ +From ef10d65db278d77208e960d210a1f4f532ebb552 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 12 Dec 2023 19:13:14 +0100 +Subject: [PATCH] src: reject large raw payload and concat expressions + +The kernel will reject this too, but unfortunately nft may try +to cram the data into the underlying libnftnl expr. + +This causes heap corruption or +BUG: nld buffer overflow: want to copy 132, max 64 + +After: + +Error: Concatenation of size 544 exceeds maximum size of 512 +udp length . @th,0,512 . @th,512,512 { 47-63 . 0xe373135363130 . 0x33131303735353203 } + ^^^^^^^^^ + +resp. same warning for an over-sized raw expression. + +Signed-off-by: Florian Westphal + +Conflict:delete evaluate.c change and delete new test stack_overflow_via_large_concat_expr and change parser_bison.y context +Reference:https://git.netfilter.org/nftables/commit/?id=ef10d65db278d77208e960d210a1f4f532ebb552 +--- + include/expression.h | 3 +++ + src/evaluate.c | 8 ++++++++ + src/parser_bison.y | 7 +++++++ + .../bogons/nft-f/stack_overflow_via_large_concat_expr | 5 +++++ + .../bogons/nft-f/stack_overflow_via_large_raw_expr | 5 +++++ + 5 files changed, 28 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_concat_expr + create mode 100644 tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr + +diff --git a/include/expression.h b/include/expression.h +index aede223d..809089c8 100644 +--- a/include/expression.h ++++ b/include/expression.h +@@ -11,6 +11,9 @@ + #include + #include + ++#define NFT_MAX_EXPR_LEN_BYTES (NFT_REG32_COUNT * sizeof(uint32_t)) ++#define NFT_MAX_EXPR_LEN_BITS (NFT_MAX_EXPR_LEN_BYTES * BITS_PER_BYTE) ++ + /** + * enum expr_types + * +diff --git a/src/parser_bison.y b/src/parser_bison.y +index 571eddf1..7082d2ba 100644 +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -5627,6 +5627,13 @@ payload_expr : payload_raw_expr + + payload_raw_expr : AT payload_base_spec COMMA NUM COMMA NUM + { ++ if ($6 > NFT_MAX_EXPR_LEN_BITS) { ++ erec_queue(error(&@1, "raw payload length %u exceeds upper limit of %u", ++ $6, NFT_MAX_EXPR_LEN_BITS), ++ state->msgs); ++ YYERROR; ++ } ++ + $$ = payload_expr_alloc(&@$, NULL, 0); + payload_init_raw($$, $2, $4, $6); + $$->byteorder = BYTEORDER_BIG_ENDIAN; +diff --git a/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr +new file mode 100644 +index 00000000..66bd6bf8 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/stack_overflow_via_large_raw_expr +@@ -0,0 +1,5 @@ ++table t { ++ chain c { ++ @th,160,1272 gt 0 ++ } ++} +-- +2.33.0 + diff --git a/backport-tcpopt-don-t-create-exthdr-expression-without-datatype.patch b/backport-tcpopt-don-t-create-exthdr-expression-without-datatype.patch new file mode 100644 index 0000000000000000000000000000000000000000..4dcc107b25bac05d5199e78647e62c0638988690 --- /dev/null +++ b/backport-tcpopt-don-t-create-exthdr-expression-without-datatype.patch @@ -0,0 +1,47 @@ +From c9f934ca446de5041ce6f19e4ee6a0c74b120186 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 15 Dec 2023 13:04:22 +0100 +Subject: [PATCH] tcpopt: don't create exthdr expression without datatype + +The reproducer crashes during concat evaluation, as the +exthdr expression lacks a datatype. + +This should never happen, i->dtype must be set. + +In this case the culprit is tcp option parsing, it will +wire up a non-existent template, because the "nop" option +has no length field (1 byte only). + +Signed-off-by: Florian Westphal + +Conflict: NA +Reference:https://git.netfilter.org/nftables/commit/?id=c9f934ca446de5041ce6f19e4ee6a0c74b120186 +--- + src/tcpopt.c | 2 +- + tests/shell/testcases/bogons/nft-f/tcp_option_without_template | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/tcp_option_without_template + +diff --git a/src/tcpopt.c b/src/tcpopt.c +index 8111a507..f977e417 100644 +--- a/src/tcpopt.c ++++ b/src/tcpopt.c +@@ -224,7 +224,7 @@ struct expr *tcpopt_expr_alloc(const struct location *loc, + } + + tmpl = &desc->templates[field]; +- if (!tmpl) ++ if (!tmpl || !tmpl->dtype) + return NULL; + + expr = expr_alloc(loc, EXPR_EXTHDR, tmpl->dtype, +diff --git a/tests/shell/testcases/bogons/nft-f/tcp_option_without_template b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template +new file mode 100644 +index 00000000..fd732fd3 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/tcp_option_without_template +@@ -0,0 +1 @@ ++add rule f i tcp option nop length . @ih,32,3 1 +-- +2.33.0 + diff --git a/backport-tests-shell-add-regression-test-for-double-free-crash-bug.patch b/backport-tests-shell-add-regression-test-for-double-free-crash-bug.patch new file mode 100644 index 0000000000000000000000000000000000000000..4771f07c6b7b1e619e51a3fec7b0ff6f5b065f9c --- /dev/null +++ b/backport-tests-shell-add-regression-test-for-double-free-crash-bug.patch @@ -0,0 +1,135 @@ +From b237aeff41840f0c7968d02ed3d461fa9fa8fb70 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 8 Mar 2024 20:57:26 +0100 +Subject: [PATCH] tests: shell: add regression test for double-free crash bug + +BUG: KASAN: slab-use-after-free in nf_tables_set_elem_destroy+0x55/0x160 +Call Trace: + nf_tables_set_elem_destroy+0x55/0x160 + nf_tables_set_elem_destroy+0x55/0x160 + nft_pipapo_destroy+0x3b4/0x5a0 + nft_set_destroy+0x118/0x3a0 + nf_tables_trans_destroy_work+0x4f2/0xa80 + +This is a test case for the bug fiex with kernel commit +b0e256f3dd2b ("netfilter: nft_set_pipapo: release elements in clone only from destroy path"). + +Reported-by: lonial con +Signed-off-by: Florian Westphal + +Conflict: change concat_range_abort +Reference:https://git.netfilter.org/nftables/commit/?id=b237aeff41840f0c7968d02ed3d461fa9fa8fb70 + +--- + .../testcases/transactions/concat_range_abort | 28 +++++++++++ + .../dumps/concat_range_abort.json-nft | 47 +++++++++++++++++++ + .../transactions/dumps/concat_range_abort.nft | 8 ++++ + 3 files changed, 83 insertions(+) + create mode 100755 tests/shell/testcases/transactions/concat_range_abort + create mode 100644 tests/shell/testcases/transactions/dumps/concat_range_abort.json-nft + create mode 100644 tests/shell/testcases/transactions/dumps/concat_range_abort.nft + +diff --git a/tests/shell/testcases/transactions/concat_range_abort b/tests/shell/testcases/transactions/concat_range_abort +new file mode 100755 +index 00000000..b2bbe37b +--- /dev/null ++++ b/tests/shell/testcases/transactions/concat_range_abort +@@ -0,0 +1,28 @@ ++#!/bin/bash ++ ++# NFT_TEST_REQUIRES(NFT_TEST_HAVE_pipapo) ++ ++set -e ++ ++$NFT -f /dev/stdin < %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Wed Sep 25 2024 gaihuiying - 1:1.0.0-12 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + evaluate: disable meta set with ranges + src: reject large raw payload and concat expressions + evaluate: fix stack overflow with huge priority string + tcpopt: don't create exthdr expression without datatype + src: do not allow to chain more than 16 binops + rule: fix ASAN errors in chain priority to textual names + tests: shell: add regression test for double-free crash bug + evaluate: handle invalid mapping expressions in stateful object + evaluate: Fix incorrect checking the `base` variable in case of IPV6 + netlink: reset temporary set element stmt list after list splice + * Wed Jun 26 2024 gaihuiying - 1:1.0.0-11 - Type:bugfix - CVE:NA