Re: Testing stable backports for netfilter


 



On 11/06/24 03:29, Pablo Neira Ayuso wrote:
On Mon, Jun 10, 2024 at 11:51:53PM +0530, Harshit Mogalapalli wrote:
Hello netfilter developers,

Do we have any tests that we could run before sending a stable backport in
netfilter/ subsystem to stable@vger ?

Let us say we have a CVE fix which is only backported till 5.10.y but it is
needed in 5.4.y and 4.19.y, the backport might be easy to make, just
fixing some conflicts due to contextual changes or missing commits.

Which one in particular is missing?

I was planning to backport the fix for CVE-2023-52628 onto 5.4.y and 4.19.y trees.

lts-5.10 : v5.10.198 - a7d86a77c33b netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-5.15 : v5.15.132 - 1ad7b189cc14 netfilter: nftables: exthdr: fix 4-byte stack OOB write
lts-6.1  : v6.1.54   - d9ebfc0f2137 netfilter: nftables: exthdr: fix 4-byte stack OOB write
mainline : v6.6-rc1  - fd94d9dadee5 netfilter: nftables: exthdr: fix 4-byte stack OOB write



One question that comes to my mind is: did I test that particular code? Often
testing that particular code is tough unless the reproducer is public. So I
thought it would be good to learn about any netfilter test suite (set of
tests) to run before sending a backport to stable kernel which might ensure
we don't introduce regressions.

There is tests/shell under the nftables userspace tree, it also
detected the features that are available in your kernel.


Thanks a lot for sharing. Will try running these before sending any netfilter backports to stable.

Regards,
Harshit




