Keep a per-rule bitmask that tracks registers that have seen a store, then reject loads when the accessed registers haven't been flagged.

This changes the uabi contract, because we previously allowed this. Neither nftables nor iptables-nft create such rules.

In case there is breakage, we could insert a 'store 0 to x' immediate expression into the ruleset automatically, but this isn't done here.

Let me know if you think the "refuse" approach is too risky.

Florian Westphal (3):
  netfilter: nf_tables: pass context structure to nft_parse_register_load
  netfilter: nf_tables: validate register loads never access uninitialised registers
  netfilter: nf_tables: don't initialize registers in nft_do_chain()

 include/net/netfilter/nf_tables.h      |  4 ++-
 net/bridge/netfilter/nft_meta_bridge.c |  2 +-
 net/ipv4/netfilter/nft_dup_ipv4.c      |  4 +--
 net/ipv6/netfilter/nft_dup_ipv6.c      |  4 +--
 net/netfilter/nf_tables_api.c          | 40 +++++++++++++++++++++++---
 net/netfilter/nf_tables_core.c         |  2 +-
 net/netfilter/nft_bitwise.c            |  4 +--
 net/netfilter/nft_byteorder.c          |  2 +-
 net/netfilter/nft_cmp.c                |  6 ++--
 net/netfilter/nft_ct.c                 |  2 +-
 net/netfilter/nft_dup_netdev.c         |  2 +-
 net/netfilter/nft_dynset.c             |  4 +--
 net/netfilter/nft_exthdr.c             |  2 +-
 net/netfilter/nft_fwd_netdev.c         |  6 ++--
 net/netfilter/nft_hash.c               |  2 +-
 net/netfilter/nft_lookup.c             |  2 +-
 net/netfilter/nft_masq.c               |  4 +--
 net/netfilter/nft_meta.c               |  2 +-
 net/netfilter/nft_nat.c                |  8 +++---
 net/netfilter/nft_objref.c             |  2 +-
 net/netfilter/nft_payload.c            |  2 +-
 net/netfilter/nft_queue.c              |  2 +-
 net/netfilter/nft_range.c              |  2 +-
 net/netfilter/nft_redir.c              |  4 +--
 net/netfilter/nft_tproxy.c             |  4 +--
 25 files changed, 76 insertions(+), 42 deletions(-)

-- 
2.39.2
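The per-rule "bitmask of stored registers" check described in the cover letter, written out as a stand-alone user-space model. This is an added example, not code from the series or from the kernel: the register numbering (32-bit data registers NFT_REG32_00..NFT_REG32_15 following a 4-word verdict register), the expression descriptor layout, the error codes and the sample rules are all assumptions made for illustration. It walks a rule's expressions in order, sets a bit for every register a store covers, and refuses any load whose register range is not fully covered; `unflagged_loads()` additionally reports which registers would need the 'store 0' immediate that the cover letter mentions as a fallback.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <errno.h>

/* Assumed register layout, modelled on nf_tables but not its code:
 * register 0 is the 16-byte verdict register (4 words), data registers
 * NFT_REG32_00..NFT_REG32_15 occupy words 8..23. Every register is 4 bytes. */
#define NFT_REG32_00   8u
#define NFT_REG32_15   23u
#define NFT_REG_WORDS  (NFT_REG32_15 + 1u)   /* fits in a uint32_t mask */

enum expr_kind { EXPR_STORE, EXPR_LOAD };

/* Hypothetical expression descriptor: which register range it writes or reads. */
struct expr {
	enum expr_kind kind;
	unsigned int reg;   /* first 32-bit register touched */
	unsigned int len;   /* bytes touched; rounded up to whole registers */
};

/* Per-rule validation context: bit i is set once register i has seen a store. */
struct rule_ctx {
	uint32_t stored;
};

/* Bitmask of the registers [reg, reg + ceil(len/4)); 0 if the range is invalid. */
static uint32_t reg_mask(unsigned int reg, unsigned int len)
{
	unsigned int words = (len + 3u) / 4u;

	if (len == 0 || reg < NFT_REG32_00 || reg + words > NFT_REG_WORDS)
		return 0;
	return ((1u << words) - 1u) << reg;
}

static int parse_register_store(struct rule_ctx *ctx, unsigned int reg, unsigned int len)
{
	uint32_t m = reg_mask(reg, len);

	if (!m)
		return -EINVAL;
	ctx->stored |= m;            /* flag every register the store covers */
	return 0;
}

static int parse_register_load(const struct rule_ctx *ctx, unsigned int reg, unsigned int len)
{
	uint32_t m = reg_mask(reg, len);

	if (!m)
		return -EINVAL;
	if ((ctx->stored & m) != m)  /* at least one register was never written */
		return -ENODATA;
	return 0;
}

/* Validate a whole rule: 0 on success, negative errno on the first bad expression. */
int validate_rule(const struct expr *exprs, size_t n)
{
	struct rule_ctx ctx = { .stored = 0 };
	size_t i;

	for (i = 0; i < n; i++) {
		int err = exprs[i].kind == EXPR_STORE
			? parse_register_store(&ctx, exprs[i].reg, exprs[i].len)
			: parse_register_load(&ctx, exprs[i].reg, exprs[i].len);
		if (err)
			return err;
	}
	return 0;
}

/* Registers the rule reads before any store wrote them; these are the ones a
 * 'store 0 to x' immediate would have to be inserted for. 0 means the rule passes. */
uint32_t unflagged_loads(const struct expr *exprs, size_t n)
{
	struct rule_ctx ctx = { .stored = 0 };
	uint32_t missing = 0;
	size_t i;

	for (i = 0; i < n; i++) {
		uint32_t m = reg_mask(exprs[i].reg, exprs[i].len);

		if (exprs[i].kind == EXPR_STORE)
			ctx.stored |= m;
		else
			missing |= m & ~ctx.stored;
	}
	return missing;
}

/* Constructed sample rules (not taken from any real ruleset). */
static const struct expr ok_rule[]      = { { EXPR_STORE, 8, 4 }, { EXPR_LOAD, 8, 4 } };
static const struct expr uninit_rule[]  = { { EXPR_LOAD, 9, 4 } };
static const struct expr partial_rule[] = { { EXPR_STORE, 8, 4 }, { EXPR_LOAD, 8, 8 } };
static const struct expr oob_rule[]     = { { EXPR_STORE, 23, 8 } };

int main(void)
{
	printf("ok_rule: %d\n", validate_rule(ok_rule, 2));           /* 0 */
	printf("uninit_rule: %d\n", validate_rule(uninit_rule, 1));   /* -ENODATA */
	printf("partial_rule: %d (missing mask 0x%x)\n",
	       validate_rule(partial_rule, 2), unflagged_loads(partial_rule, 2));
	printf("oob_rule: %d\n", validate_rule(oob_rule, 1));         /* -EINVAL */
	return 0;
}
```

The partial case is the one worth noting: a 4-byte store into register 8 followed by an 8-byte load from register 8 is rejected, because the load also covers register 9, which nothing wrote. The check is per rule, so a store in an earlier rule of the chain does not satisfy a load in a later one; that matches the intent of no longer zeroing registers in nft_do_chain(), since rules must not rely on state left behind by other rules.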