This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: do not allow RULE_ID to refer to another chain

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From stable-owner@xxxxxxxxxxxxxxx Sat May 27 16:08:15 2023
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Sat, 27 May 2023 18:08:09 +0200
Subject: netfilter: nf_tables: do not allow RULE_ID to refer to another chain
To: netfilter-devel@xxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, sashal@xxxxxxxxxx
Message-ID: <20230527160811.67779-10-pablo@xxxxxxxxxxxxx>

From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>

[ 36d5b2913219ac853908b0f1c664345e04313856 ]

When doing lookups for rules on the same batch by using its ID, a rule
from a different chain can be used. If a rule is added to a chain but
tries to be positioned next to a rule from a different chain, it will be
linked to chain2, but the use counter on chain1 would be the one to be
incremented.

When looking for rules by ID, use the chain that was used for the lookup
by name. The chain used in the context copied to the transaction needs
to match that same chain. That way, struct nft_rule does not need to get
enlarged with another member.

Fixes: 1a94e38d254b ("netfilter: nf_tables: add NFTA_RULE_ID attribute")
Fixes: 75dd48e2e420 ("netfilter: nf_tables: Support RULE_ID reference in new rule")
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@xxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/netfilter/nf_tables_api.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2475,6 +2475,7 @@ err1: } static struct nft_rule *nft_rule_lookup_byid(const struct net *net, + const struct nft_chain *chain, const struct nlattr *nla) { u32 id = ntohl(nla_get_be32(nla)); @@ -2484,6 +2485,7 @@ static struct nft_rule *nft_rule_lookup_ struct nft_rule *rule = nft_trans_rule(trans); if (trans->msg_type == NFT_MSG_NEWRULE && + trans->ctx.chain == chain && id == nft_trans_rule_id(trans)) return rule; } @@ -2530,7 +2532,7 @@ static int nf_tables_delrule(struct net err = nft_delrule(&ctx, rule); } else if (nla[NFTA_RULE_ID]) { - rule = nft_rule_lookup_byid(net, nla[NFTA_RULE_ID]); + rule = nft_rule_lookup_byid(net, chain, nla[NFTA_RULE_ID]); if (IS_ERR(rule)) return PTR_ERR(rule); Patches currently in stable-queue which might be from stable-owner@xxxxxxxxxxxxxxx are queue-4.14/netfilter-nftables-add-nft_parse_register_load-and-use-it.patch queue-4.14/netfilter-nftables-add-nft_parse_register_store-and-use-it.patch queue-4.14/netfilter-nf_tables-fix-register-ordering.patch queue-4.14/netfilter-nftables-statify-nft_parse_register.patch queue-4.14/netfilter-nf_tables-validate-registers-coming-from-userspace.patch queue-4.14/netfilter-nft_dynset-do-not-reject-set-updates-with-nft_set_eval.patch queue-4.14/netfilter-nf_tables-do-not-allow-set_id-to-refer-to-another-table.patch queue-4.14/netfilter-nf_tables-stricter-validation-of-element-data.patch queue-4.14/netfilter-nf_tables-add-nft_setelem_parse_key.patch queue-4.14/netfilter-nf_tables-do-not-allow-rule_id-to-refer-to-another-chain.patch queue-4.14/netfilter-nf_tables-allow-up-to-64-bytes-in-the-set-element-data-area.patch
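Review bot: the new `const struct nft_chain *chain` parameter in the first hunk (@@ -2475) changes the signature of nft_rule_lookup_byid(), but the diffstat (3 insertions, 1 deletion) shows only the nf_tables_delrule() call site being converted. The commit message and the second Fixes: tag ("Support RULE_ID reference in new rule") describe the new-rule positioning path as the case that mislinks a rule into chain2 while bumping the use counter of chain1; please confirm that no such caller of nft_rule_lookup_byid() exists in the 4.14 tree, since any caller left with the two-argument form would no longer compile, and if one does exist it needs the same `chain` argument for the fix to be complete.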
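Review bot: the added `trans->ctx.chain == chain &&` test in the second hunk (@@ -2484) is a plain pointer comparison against the caller's `chain`, so it is only meaningful if that pointer is the chain resolved by name in the same table before the ID lookup; a caller passing an unresolved or NULL `chain` would make every RULE_ID reference in the batch fall through to the function's not-found path rather than matching. A one-line comment above the loop stating that `chain` must be the chain the rule was looked up under would document the invariant the commit message relies on for not adding a member to struct nft_rule.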
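Review bot: the updated call in the third hunk (@@ -2530) passes `chain`, which is not assigned anywhere in the visible context, and the surrounding code also uses `ctx` for nft_delrule(); the fix depends on `ctx` having been initialised from this same `chain` (the commit message says the chain copied into the transaction context must match the one used for the name lookup), so please check that the `ctx` setup earlier in nf_tables_delrule() uses the identical chain pointer before the NFTA_RULE_ID branch, otherwise the new equality test in nft_rule_lookup_byid() can never match.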