Date: Saturday, July 9, 2022 @ 14:54:33
  Author: andyrtr
Revision: 450562

upgpkg: linux-lts 5.15.53-2: fix FS#75226 - CVE-2022-34918

Added:
  
linux-lts/trunk/0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
  
linux-lts/trunk/0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
Modified:
  linux-lts/trunk/PKGBUILD

------------------------------------------------------------------------------+
 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff            | 
  44 +++
 0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff | 
 123 ++++++++++
 PKGBUILD                                                                     | 
  12 
 3 files changed, 177 insertions(+), 2 deletions(-)

Added: 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
===================================================================
--- 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff           
                (rev 0)
+++ 0100-netfilter-nf_tables-stricter-validation-of-element-data.diff   
2022-07-09 14:54:33 UTC (rev 450562)
@@ -0,0 +1,44 @@
+From 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 2 Jul 2022 04:16:30 +0200
+Subject: netfilter: nf_tables: stricter validation of element data
+
+From: Pablo Neira Ayuso <[email protected]>
+
+commit 7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6 upstream.
+
+Make sure element data type and length do not mismatch the one specified
+by the set declaration.
+
+Fixes: 7d7402642eaf ("netfilter: nf_tables: variable sized set element keys / 
data")
+Reported-by: Hugues ANGUELKOV <[email protected]>
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/netfilter/nf_tables_api.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5118,13 +5118,20 @@ static int nft_setelem_parse_data(struct
+                                 struct nft_data *data,
+                                 struct nlattr *attr)
+ {
++      u32 dtype;
+       int err;
+ 
+       err = nft_data_init(ctx, data, NFT_DATA_VALUE_MAXLEN, desc, attr);
+       if (err < 0)
+               return err;
+ 
+-      if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
++      if (set->dtype == NFT_DATA_VERDICT)
++              dtype = NFT_DATA_VERDICT;
++      else
++              dtype = NFT_DATA_VALUE;
++
++      if (dtype != desc->type ||
++          set->dlen != desc->len) {
+               nft_data_release(data, desc->type);
+               return -EINVAL;
+       }

Added: 
0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
===================================================================
--- 
0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff    
                            (rev 0)
+++ 
0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff    
    2022-07-09 14:54:33 UTC (rev 450562)
@@ -0,0 +1,123 @@
+From 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 2 Jul 2022 04:16:31 +0200
+Subject: netfilter: nft_set_pipapo: release elements in clone from abort path
+
+From: Pablo Neira Ayuso <[email protected]>
+
+commit 9827a0e6e23bf43003cd3d5b7fb11baf59a35e1e upstream.
+
+New elements that reside in the clone are not released in case that the
+transaction is aborted.
+
+[16302.231754] ------------[ cut here ]------------
+[16302.231756] WARNING: CPU: 0 PID: 100509 at 
net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 
[nf_tables]
+[...]
+[16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         
5.19.0-rc3+ #155
+[...]
+[16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]
+[16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 
c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 
5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05
+[...]
+[16302.231917] Call Trace:
+[16302.231919]  <TASK>
+[16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]
+[16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]
+[16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]
+[16302.231952]  ? __nla_validate_parse+0x48/0x190
+[16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]
+[16302.231963]  netlink_unicast+0x211/0x340
+[16302.231969]  netlink_sendmsg+0x21e/0x460
+
+Add nft_set_pipapo_match_destroy() helper function to release the
+elements in the lookup tables.
+
+Stefano Brivio says: "We additionally look for elements pointers in the
+cloned matching data if priv->dirty is set, because that means that
+cloned data might point to additional elements we did not commit to the
+working copy yet (such as the abort path case, but perhaps not limited
+to it)."
+
+Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of 
ranges")
+Reviewed-by: Stefano Brivio <[email protected]>
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+Signed-off-by: Greg Kroah-Hartman <[email protected]>
+---
+ net/netfilter/nft_set_pipapo.c |   48 
++++++++++++++++++++++++++++-------------
+ 1 file changed, 33 insertions(+), 15 deletions(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -2125,6 +2125,32 @@ out_scratch:
+ }
+ 
+ /**
++ * nft_set_pipapo_match_destroy() - Destroy elements from key mapping array
++ * @set:      nftables API set representation
++ * @m:                matching data pointing to key mapping array
++ */
++static void nft_set_pipapo_match_destroy(const struct nft_set *set,
++                                       struct nft_pipapo_match *m)
++{
++      struct nft_pipapo_field *f;
++      int i, r;
++
++      for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
++              ;
++
++      for (r = 0; r < f->rules; r++) {
++              struct nft_pipapo_elem *e;
++
++              if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
++                      continue;
++
++              e = f->mt[r].e;
++
++              nft_set_elem_destroy(set, e, true);
++      }
++}
++
++/**
+  * nft_pipapo_destroy() - Free private data for set and all committed elements
+  * @set:      nftables API set representation
+  */
+@@ -2132,26 +2158,13 @@ static void nft_pipapo_destroy(const str
+ {
+       struct nft_pipapo *priv = nft_set_priv(set);
+       struct nft_pipapo_match *m;
+-      struct nft_pipapo_field *f;
+-      int i, r, cpu;
++      int cpu;
+ 
+       m = rcu_dereference_protected(priv->match, true);
+       if (m) {
+               rcu_barrier();
+ 
+-              for (i = 0, f = m->f; i < m->field_count - 1; i++, f++)
+-                      ;
+-
+-              for (r = 0; r < f->rules; r++) {
+-                      struct nft_pipapo_elem *e;
+-
+-                      if (r < f->rules - 1 && f->mt[r + 1].e == f->mt[r].e)
+-                              continue;
+-
+-                      e = f->mt[r].e;
+-
+-                      nft_set_elem_destroy(set, e, true);
+-              }
++              nft_set_pipapo_match_destroy(set, m);
+ 
+ #ifdef NFT_PIPAPO_ALIGN
+               free_percpu(m->scratch_aligned);
+@@ -2165,6 +2178,11 @@ static void nft_pipapo_destroy(const str
+       }
+ 
+       if (priv->clone) {
++              m = priv->clone;
++
++              if (priv->dirty)
++                      nft_set_pipapo_match_destroy(set, m);
++
+ #ifdef NFT_PIPAPO_ALIGN
+               free_percpu(priv->clone->scratch_aligned);
+ #endif

Modified: PKGBUILD
===================================================================
--- PKGBUILD    2022-07-09 11:56:10 UTC (rev 450561)
+++ PKGBUILD    2022-07-09 14:54:33 UTC (rev 450562)
@@ -2,7 +2,7 @@
 
 pkgbase=linux-lts
 pkgver=5.15.53
-pkgrel=1
+pkgrel=2
 pkgdesc='LTS Linux'
 url="https://www.kernel.org/";
 arch=(x86_64)
@@ -22,6 +22,8 @@
   0004-Bluetooth_btintel_Fix_bdaddress_comparison_with_garbage_value.patch
   0005-lg-laptop_Recognize_more_models.patch
   0006_fix_NFSv4_mount_regression.diff
+  0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+  0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
@@ -36,7 +38,9 @@
             '7c7707c738983f3683d76295b496f578996b7341fa39ad334ec2833bfe4b966e'
             '3fa8a4af66d5a3b99b48ca979a247c61e81c9b2d3bcdffa9d3895a5532a420b4'
             '79266c6cc970733fd35881d9a8f0a74c25c00b4d81741b8d4bba6827c48f7c78'
-            'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f')
+            'e9527ad81d5b1821a7b17c56cb3abaec85785563f51e448cb3c06f1c68e2966f'
+            'b2e03d795a67843b9898367eaf3f2b855487d7e7cbe87b43a0df22b2fb36477c'
+            '08cae506648665a0a2990a690d951dd4432b6eea4ca295dbfc0a836ee63671ea')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase
@@ -49,6 +53,10 @@
   # 
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/patch/?id=6f2836341d8a39e1e000572b10959347d7e61fd9
   patch -Rp1 -i ../0006_fix_NFSv4_mount_regression.diff
 
+  # FS#75226 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34918
+  patch -Np1 -i 
../0100-netfilter-nf_tables-stricter-validation-of-element-data.diff
+  patch -Np1 -i 
../0101-netfilter-nft_set_pipapo-release-elements-in-clone-from-abort-path.diff
+
   echo "Setting version..."
   scripts/setlocalversion --save-scmversion
   echo "-$pkgrel" > localversion.10-pkgrel
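Review bot: The comment introduced above the two `patch -Np1` lines records only the bug-tracker entry and the CVE, whereas the neighbouring NFSv4 entry in this hunk links the exact upstream commit it applies; the new backports carry their upstream ids in the patch headers added elsewhere in this commit, and naming them here lets a later maintainer verify at a glance when the stable tree has absorbed them and the local patches can be dropped. Suggested wording: `# FS#75226 - CVE-2022-34918 (upstream 7e6bc1f6cabc, 9827a0e6e23b)`. The source entries and checksum lines in the earlier hunks of this file are consistent with these two patch names, so no further change is needed there. The enclosing function starts and ends outside the hunk.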
