Patch "netfilter: nf_tables: fix spurious set element insertion failure" has been added to the 4.14-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 23 Jul 2023 21:50:00 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: fix spurious set element insertion failure

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-fix-spurious-set-element-inserti.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 81eca9b33b5298ee2ccaebe1b9bdad15a81bb4e2
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Thu Jul 20 00:29:58 2023 +0200

    netfilter: nf_tables: fix spurious set element insertion failure
    
    [ Upstream commit ddbd8be68941985f166f5107109a90ce13147c44 ]
    
    On some platforms there is a padding hole in the nft_verdict
    structure, between the verdict code and the chain pointer.
    
    On element insertion, if the new element clashes with an existing one and
    NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
    the data associated with duplicated element is the same as the existing
    one.  The data equality check uses memcmp.
    
    For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
    padding area leads to spurious failure even if the verdict data is the
    same.
    
    This then makes the insertion fail with 'already exists' error, even
    though the new "key : data" matches an existing entry and userspace
    told the kernel that it doesn't want to receive an error indication.
    
    Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b016ae68d9db8..68a13ab584acf 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5852,6 +5852,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
 
 	if (!tb[NFTA_VERDICT_CODE])
 		return -EINVAL;
+
+	/* zero padding hole for memcmp */
+	memset(data, 0, sizeof(*data));
 	data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
 
 	switch (data->verdict.code) {






