Reject rules where a load occurs from a register that has not seen a store
earlier in the same rule. At the moment this is allowed, so the interpreter has
to memset() the registers to avoid leaking stack information to userspace.
Detect and reject this from the transaction phase instead.

Florian Westphal (3):
  netfilter: nf_tables: pass context structure to nft_parse_register_load
  netfilter: nf_tables: allow loads only when register is initialized
  netfilter: nf_tables: don't initialize registers in nft_do_chain()

 include/net/netfilter/nf_tables.h      |  4 ++-
 net/bridge/netfilter/nft_meta_bridge.c |  2 +-
 net/ipv4/netfilter/nft_dup_ipv4.c      |  4 +--
 net/ipv6/netfilter/nft_dup_ipv6.c      |  4 +--
 net/netfilter/nf_tables_api.c          | 41 ++++++++++++++++++++++----
 net/netfilter/nf_tables_core.c         |  2 +-
 net/netfilter/nft_bitwise.c            |  4 +--
 net/netfilter/nft_byteorder.c          |  2 +-
 net/netfilter/nft_cmp.c                |  6 ++--
 net/netfilter/nft_ct.c                 |  2 +-
 net/netfilter/nft_dup_netdev.c         |  2 +-
 net/netfilter/nft_dynset.c             |  4 +--
 net/netfilter/nft_exthdr.c             |  2 +-
 net/netfilter/nft_fwd_netdev.c         |  6 ++--
 net/netfilter/nft_hash.c               |  2 +-
 net/netfilter/nft_lookup.c             |  2 +-
 net/netfilter/nft_masq.c               |  4 +--
 net/netfilter/nft_meta.c               |  2 +-
 net/netfilter/nft_nat.c                |  8 ++---
 net/netfilter/nft_objref.c             |  2 +-
 net/netfilter/nft_payload.c            |  2 +-
 net/netfilter/nft_queue.c              |  2 +-
 net/netfilter/nft_range.c              |  2 +-
 net/netfilter/nft_redir.c              |  4 +--
 net/netfilter/nft_tproxy.c             |  4 +--
 25 files changed, 76 insertions(+), 43 deletions(-)
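The following is an added, stand-alone model of the validation this series describes; it is not kernel code and does not use the nf_tables API. It assumes 16 32-bit data registers, expressions that each load from and/or store to a byte span of registers, and that within one expression the load is checked before the store is recorded (so a bitwise expression cannot satisfy its own load).

```c
/* Hypothetical model of per-rule register initialisation tracking.
 * A rule is a sequence of expressions; validation walks it in order and
 * rejects any load from 32-bit registers no earlier expression has stored to,
 * which is what lets the interpreter skip zeroing the register file. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <errno.h>

#define NREG32     16   /* assumed number of 32-bit data registers */
#define REG32_SIZE 4    /* bytes per register */

struct expr {
    int sreg, slen;     /* source register and load length in bytes; slen == 0: no load  */
    int dreg, dlen;     /* destination register and store length in bytes; dlen == 0: none */
};

/* Bitmask of the 32-bit registers covered by a (reg, len) byte span. */
static bool reg_span_mask(int reg, int len, uint32_t *mask)
{
    int count = (len + REG32_SIZE - 1) / REG32_SIZE;
    if (reg < 0 || len <= 0 || reg + count > NREG32)
        return false;
    *mask = ((1u << count) - 1) << reg;
    return true;
}

/* Returns 0 if every load reads only initialised registers, -EINVAL otherwise. */
int validate_rule(const struct expr *exprs, size_t n)
{
    uint32_t inited = 0, m;
    for (size_t i = 0; i < n; i++) {
        if (exprs[i].slen) {
            if (!reg_span_mask(exprs[i].sreg, exprs[i].slen, &m))
                return -ERANGE;
            if ((inited & m) != m)          /* load touches a register never stored to */
                return -EINVAL;
        }
        if (exprs[i].dlen) {                /* store recorded only after the load check */
            if (!reg_span_mask(exprs[i].dreg, exprs[i].dlen, &m))
                return -ERANGE;
            inited |= m;
        }
    }
    return 0;
}

/* Constructed rules: payload stores 4 bytes to reg 1, then cmp loads from it. */
int example_valid(void)   { const struct expr r[] = {{0, 0, 1, 4}, {1, 4, 0, 0}}; return validate_rule(r, 2); }
/* cmp loads 16 bytes from reg 1 but only 4 bytes were stored: 12 bytes would leak. */
int example_partial(void) { const struct expr r[] = {{0, 0, 1, 4}, {1, 16, 0, 0}}; return validate_rule(r, 2); }
/* bitwise reads reg 2 and writes reg 2 with nothing stored before it. */
int example_uninit(void)  { const struct expr r[] = {{2, 4, 2, 4}}; return validate_rule(r, 1); }
```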