Patch "netfilter: nf_tables: fix destination register zeroing" has been added to the 5.4-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 06 Sep 2020 23:05:42 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: fix destination register zeroing

to the 5.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-fix-destination-register-zeroing.patch
and it can be found in the queue-5.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9fc46b2631524ed98a709359e3fd31762530b39c
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Thu Aug 20 21:05:50 2020 +0200

    netfilter: nf_tables: fix destination register zeroing
    
    [ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ]
    
    Following bug was reported via irc:
    nft list ruleset
       set knock_candidates_ipv4 {
          type ipv4_addr . inet_service
          size 65535
          elements = { 127.0.0.1 . 123,
                       127.0.0.1 . 123 }
          }
     ..
       udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 }
       udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport }
    
    It should not have been possible to add a duplicate set entry.
    
    After some debugging it turned out that the problem is the immediate
    value (123) in the second-to-last rule.
    
    Concatenations use 32bit registers, i.e. the elements are 8 bytes each,
    not 6 and it turns out the kernel inserted
    
    inet firewall @knock_candidates_ipv4
            element 0100007f ffff7b00  : 0 [end]
            element 0100007f 00007b00  : 0 [end]
    
    Note the non-zero upper bits of the first element.  It turns out that
    nft_immediate doesn't zero the destination register, but this is needed
    when the length isn't a multiple of 4.
    
    Furthermore, the zeroing in nft_payload is broken.  We can't use
    [len / 4] = 0 -- if len is a multiple of 4, index is off by one.
    
    Skip zeroing in this case and use a conditional instead of (len -1) / 4.
    
    Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 2d0275f13bbfd..bc2c73f549622 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -143,6 +143,8 @@ static inline u64 nft_reg_load64(u32 *sreg)
 static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
 				 unsigned int len)
 {
+	if (len % NFT_REG32_SIZE)
+		dst[len / NFT_REG32_SIZE] = 0;
 	memcpy(dst, src, len);
 }
 
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 0e3bfbc26e790..62dc728bf93c9 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -79,7 +79,9 @@ void nft_payload_eval(const struct nft_expr *expr,
 	u32 *dest = &regs->data[priv->dreg];
 	int offset;
 
-	dest[priv->len / NFT_REG32_SIZE] = 0;
+	if (priv->len % NFT_REG32_SIZE)
+		dest[priv->len / NFT_REG32_SIZE] = 0;
+
 	switch (priv->base) {
 	case NFT_PAYLOAD_LL_HEADER:
 		if (!skb_mac_header_was_set(skb))






