This is a note to let you know that I've just added the patch titled
netfilter: nf_tables: reject unbound chain set before commit phase
to the 5.10-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch
and it can be found in the queue-5.10 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From stable-owner@xxxxxxxxxxxxxxx Thu Jul 13 10:49:52 2023
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date: Thu, 13 Jul 2023 10:48:55 +0200
Subject: netfilter: nf_tables: reject unbound chain set before commit phase
To: netfilter-devel@xxxxxxxxxxxxxxx
Cc: gregkh@xxxxxxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, sashal@xxxxxxxxxx
Message-ID: <20230713084859.71541-8-pablo@xxxxxxxxxxxxx>
From: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
[ Upstream commit 62e1e94b246e685d89c3163aaef4b160e42ceb02 ]
Use binding list to track set transaction and to check for unbound
chains before entering the commit phase.
Bail out if chain binding remain unused before entering the commit
step.
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
net/netfilter/nf_tables_api.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -360,6 +360,11 @@ static void nft_trans_commit_list_add_ta
if (nft_set_is_anonymous(nft_trans_set(trans)))
list_add_tail(&trans->binding_list, &nft_net->binding_list);
break;
+ case NFT_MSG_NEWCHAIN:
+ if (!nft_trans_chain_update(trans) &&
+ nft_chain_binding(nft_trans_chain(trans)))
+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
+ break;
}
list_add_tail(&trans->list, &nft_net->commit_list);
@@ -8043,6 +8048,14 @@ static int nf_tables_commit(struct net *
return -EINVAL;
}
break;
+ case NFT_MSG_NEWCHAIN:
+ if (!nft_trans_chain_update(trans) &&
+ nft_chain_binding(nft_trans_chain(trans)) &&
+ !nft_trans_chain_bound(trans)) {
+ pr_warn_once("nftables ruleset with unbound chain\n");
+ return -EINVAL;
+ }
+ break;
}
}
Patches currently in stable-queue which might be from stable-owner@xxxxxxxxxxxxxxx are
queue-5.10/netfilter-nf_tables-fix-chain-binding-transaction-logic.patch
queue-5.10/netfilter-nf_tables-drop-map-element-references-from-preparation-phase.patch
queue-5.10/netfilter-nf_tables-fix-scheduling-while-atomic-splat.patch
queue-5.10/netfilter-nf_tables-reject-unbound-anonymous-set-before-commit-phase.patch
queue-5.10/netfilter-nf_tables-use-net_generic-infra-for-transaction-data.patch
queue-5.10/netfilter-nftables-rename-set-element-data-activation-deactivation-functions.patch
queue-5.10/netfilter-nf_tables-incorrect-error-path-handling-with-nft_msg_newrule.patch
queue-5.10/netfilter-nf_tables-reject-unbound-chain-set-before-commit-phase.patch
queue-5.10/netfilter-nf_tables-add-rescheduling-points-during-loop-detection-walks.patch
queue-5.10/netfilter-nf_tables-add-nft_trans_prepare_error-to-deal-with-bound-set-chain.patch
queue-5.10/netfilter-nf_tables-unbind-non-anonymous-set-if-rule-construction-fails.patch
