Patch "netfilter: ipset: regression in ip_set_hash_ip.c" has been added to the 6.0-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 27 Nov 2022 14:10:35 -0500

This is a note to let you know that I've just added the patch titled

    netfilter: ipset: regression in ip_set_hash_ip.c

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-ipset-regression-in-ip_set_hash_ip.c.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 063d887e6805f11fc8ec4968d76a2e79088e062d
Author: Vishwanath Pai <vpai@xxxxxxxxxx>
Date:   Wed Sep 28 14:26:50 2022 -0400

    netfilter: ipset: regression in ip_set_hash_ip.c
    
    [ Upstream commit c7aa1a76d4a0a3c401025b60c401412bbb60f8c6 ]
    
    This patch introduced a regression: commit 48596a8ddc46 ("netfilter:
    ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
    
    The variable e.ip is passed to adtfn() function which finally adds the
    ip address to the set. The patch above refactored the for loop and moved
    e.ip = htonl(ip) to the end of the for loop.
    
    What this means is that if the value of "ip" changes between the first
    assignement of e.ip and the forloop, then e.ip is pointing to a
    different ip address than "ip".
    
    Test case:
    $ ipset create jdtest_tmp hash:ip family inet hashsize 2048 maxelem 100000
    $ ipset add jdtest_tmp 10.0.1.1/31
    ipset v6.21.1: Element cannot be added to the set: it's already added
    
    The value of ip gets updated inside the  "else if (tb[IPSET_ATTR_CIDR])"
    block but e.ip is still pointing to the old value.
    
    Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
    Reviewed-by: Joshua Hunt <johunt@xxxxxxxxxx>
    Signed-off-by: Vishwanath Pai <vpai@xxxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index dd30c03d5a23..75d556d71652 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -151,18 +151,16 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
 	if (((u64)ip_to - ip + 1) >> (32 - h->netmask) > IPSET_MAX_RANGE)
 		return -ERANGE;
 
-	if (retried) {
+	if (retried)
 		ip = ntohl(h->next.ip);
-		e.ip = htonl(ip);
-	}
 	for (; ip <= ip_to;) {
+		e.ip = htonl(ip);
 		ret = adtfn(set, &e, &ext, &ext, flags);
 		if (ret && !ip_set_eexist(ret, flags))
 			return ret;
 
 		ip += hosts;
-		e.ip = htonl(ip);
-		if (e.ip == 0)
+		if (ip == 0)
 			return 0;
 
 		ret = 0;






