
From: Mike Pagano <mpagano@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/linux-patches:5.0 commit in: /
Date: Wed, 03 Apr 2019 11:09:38
Message-Id: 1554289726.eb3023590694db5d00b2c90aef55a1aa33682713.mpagano@gentoo
1 commit: eb3023590694db5d00b2c90aef55a1aa33682713
2 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org>
3 AuthorDate: Wed Apr 3 11:08:46 2019 +0000
4 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org>
5 CommitDate: Wed Apr 3 11:08:46 2019 +0000
6 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=eb302359
7
8 Removal of redundant netfilter patch
9
10 Removal:
11 2900_netfilter-patch-nf_tables-fix-set-
12 double-free-in-abort-path.patch
13
14 Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org>
15
16 0000_README | 4 -
17 ..._tables-fix-set-double-free-in-abort-path.patch | 127 ---------------------
18 2 files changed, 131 deletions(-)
19
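--- a/0000_README
+++ b/0000_README
@@ -83,10 +83,6 @@ Patch: 2600_enable-key-swapping-for-apple-mac.patch
 From: https://github.com/free5lot/hid-apple-patched
 Desc: This hid-apple patch enables swapping of the FN and left Control keys and some additional on some apple keyboards. See bug #622902
 
-Patch: 2900_netfilter-patch-nf_tables-fix-set-double-free-in-abort-path.patch
-From: https://www.spinics.net/lists/netfilter-devel/msg58466.html
-Desc: netfilter: nf_tables: fix set double-free in abort path
-
 Patch: 4567_distro-Gentoo-Kconfig.patch
 From: Tom Wijsman <TomWij@g.o>
 Desc: Add Gentoo Linux support config settings and defaults.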
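--- a/2900_netfilter-patch-nf_tables-fix-set-double-free-in-abort-path.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-commit 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13 upstream.
-
-The abort path can cause a double-free of an anonymous set.
-Added-and-to-be-aborted rule looks like this:
-
-udp dport { 137, 138 } drop
-
-The to-be-aborted transaction list looks like this:
-
-newset
-newsetelem
-newsetelem
-rule
-
-This gets walked in reverse order, so first pass disables the rule, the
-set elements, then the set.
-
-After synchronize_rcu(), we then destroy those in same order: rule, set
-element, set element, newset.
-
-Problem is that the anonymous set has already been bound to the rule, so
-the rule (lookup expression destructor) already frees the set, when then
-cause use-after-free when trying to delete the elements from this set,
-then try to free the set again when handling the newset expression.
-
-Rule releases the bound set in first place from the abort path, this
-causes the use-after-free on set element removal when undoing the new
-element transactions. To handle this, skip new element transaction if
-set is bound from the abort path.
-
-This is still causes the use-after-free on set element removal. To
-handle this, remove transaction from the list when the set is already
-bound.
-
-Fixes: f6ac85858976 ("netfilter: nf_tables: unbind set in rule from commit path")
-Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1325
-Signed-off-by: Pablo Neira Ayuso <pablo@×××××××××.org>
----
-Florian, I'm taking your original patch subject and part of the description,
-sending this as v2. Please ack if this looks good to you. Thanks.
-
- include/net/netfilter/nf_tables.h | 6 ++----
- net/netfilter/nf_tables_api.c | 17 +++++++++++------
- 2 files changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
-index b4984bbbe157..3d58acf94dd2 100644
---- a/include/net/netfilter/nf_tables.h
-+++ b/include/net/netfilter/nf_tables.h
-@@ -416,7 +416,8 @@ struct nft_set {
- unsigned char *udata;
- /* runtime data below here */
- const struct nft_set_ops *ops ____cacheline_aligned;
-- u16 flags:14,
-+ u16 flags:13,
-+ bound:1,
- genmask:2;
- u8 klen;
- u8 dlen;
-@@ -1329,15 +1330,12 @@ struct nft_trans_rule {
- struct nft_trans_set {
- struct nft_set *set;
- u32 set_id;
-- bool bound;
- };
-
- #define nft_trans_set(trans) \
- (((struct nft_trans_set *)trans->data)->set)
- #define nft_trans_set_id(trans) \
- (((struct nft_trans_set *)trans->data)->set_id)
--#define nft_trans_set_bound(trans) \
-- (((struct nft_trans_set *)trans->data)->bound)
-
- struct nft_trans_chain {
- bool update;
-diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
-index 4893f248dfdc..e1724f9d8b9d 100644
---- a/net/netfilter/nf_tables_api.c
-+++ b/net/netfilter/nf_tables_api.c
-@@ -127,7 +127,7 @@ static void nft_set_trans_bind(const struct nft_ctx *ctx, struct nft_set *set)
- list_for_each_entry_reverse(trans, &net->nft.commit_list, list) {
- if (trans->msg_type == NFT_MSG_NEWSET &&
- nft_trans_set(trans) == set) {
-- nft_trans_set_bound(trans) = true;
-+ set->bound = true;
- break;
- }
- }
-@@ -6617,8 +6617,7 @@ static void nf_tables_abort_release(struct nft_trans *trans)
- nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
- break;
- case NFT_MSG_NEWSET:
-- if (!nft_trans_set_bound(trans))
-- nft_set_destroy(nft_trans_set(trans));
-+ nft_set_destroy(nft_trans_set(trans));
- break;
- case NFT_MSG_NEWSETELEM:
- nft_set_elem_destroy(nft_trans_elem_set(trans),
-@@ -6691,8 +6690,11 @@ static int __nf_tables_abort(struct net *net)
- break;
- case NFT_MSG_NEWSET:
- trans->ctx.table->use--;
-- if (!nft_trans_set_bound(trans))
-- list_del_rcu(&nft_trans_set(trans)->list);
-+ if (nft_trans_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
-+ list_del_rcu(&nft_trans_set(trans)->list);
- break;
- case NFT_MSG_DELSET:
- trans->ctx.table->use++;
-@@ -6700,8 +6702,11 @@ static int __nf_tables_abort(struct net *net)
- nft_trans_destroy(trans);
- break;
- case NFT_MSG_NEWSETELEM:
-+ if (nft_trans_elem_set(trans)->bound) {
-+ nft_trans_destroy(trans);
-+ break;
-+ }
- te = (struct nft_trans_elem *)trans->data;
--
- te->set->ops->remove(net, te->set, &te->elem);
- atomic_dec(&te->set->nelems);
- break;
---
-2.11.0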
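Review bot: The commit message calls this patch redundant without recording why, and the deletion removes the only local copy of the fix for a double-free and use-after-free of anonymous sets in the nf_tables abort path (upstream commit 40ba1d9b4d19796afc9b7ece872f5f3e8f5e2c13). Presumably the fix now arrives through the base stable patch for the 5.0 branch, but nothing on the page shows that. Before relying on the removal, confirm that the patched tree's `net/netfilter/nf_tables_api.c` still has the `nft_trans_elem_set(trans)->bound` check in `__nf_tables_abort()` and that `nf_tables_abort_release()` no longer tests `nft_trans_set_bound(trans)`. I would add one line to the commit description so a later audit can trace where the fix lives, e.g. `Included upstream in <stable release — placeholder>: 40ba1d9b4d19 ("netfilter: nf_tables: fix set double-free in abort path")`.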