From patchwork Fri Mar 15 20:34:54 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1912701
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F][PATCH 2/2] netfilter: nft_set_rbtree: skip end interval element from gc
Date: Fri, 15 Mar 2024 15:34:54 -0500
Message-Id: <20240315203454.47348-4-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240315203454.47348-1-bethany.jamison@canonical.com>
References: <20240315203454.47348-1-bethany.jamison@canonical.com>

From: Pablo Neira Ayuso

rbtree lazy gc on insert might collect an end interval element that has
been just added in this transaction, skip end interval elements that are
not yet active.

Fixes: f718863aca46 ("netfilter: nft_set_rbtree: fix overlap expiration walk")
Cc: stable@vger.kernel.org
Reported-by: lonial con
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 60c0c230c6f046da536d3df8b39a20b9a9fd6af0)
CVE-2024-26581
Signed-off-by: Bethany Jamison
--- net/netfilter/nft_set_rbtree.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index eed0e4cc01ef1..f444732870794 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -237,7 +237,7 @@ static void nft_rbtree_gc_remove(struct net *net, struct nft_set *set, static const struct nft_rbtree_elem * nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv, - struct nft_rbtree_elem *rbe, u8 genmask) + struct nft_rbtree_elem *rbe) { struct nft_set *set = (struct nft_set *)__set; struct rb_node *prev = rb_prev(&rbe->node); 
@@ -256,7 +256,7 @@ nft_rbtree_gc_elem(const struct nft_set *__set, struct nft_rbtree *priv, while (prev) { rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node); if (nft_rbtree_interval_end(rbe_prev) && - nft_set_elem_active(&rbe_prev->ext, genmask)) + nft_set_elem_active(&rbe_prev->ext, NFT_GENMASK_ANY)) break; prev = rb_prev(prev); @@ -367,7 +367,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, nft_set_elem_active(&rbe->ext, cur_genmask)) { const struct nft_rbtree_elem *removed_end; - removed_end = nft_rbtree_gc_elem(set, priv, rbe, genmask); + removed_end = nft_rbtree_gc_elem(set, priv, rbe); if (IS_ERR(removed_end)) return PTR_ERR(removed_end);
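Review bot: In the first hunk (@@ -237,7 +237,7 @@), dropping the `u8 genmask` argument changes the signature of nft_rbtree_gc_elem(), and the patch updates only one call site, the one in __nft_rbtree_insert(). Since this is a cherry-pick onto the F tree, please confirm that no other caller in that tree still passes four arguments; the 3-insertion/3-deletion diffstat covers just the prototype, the condition and that single call.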
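Review bot: In the second hunk (@@ -256,7 +256,7 @@), the switch from `genmask` to `NFT_GENMASK_ANY` in the `nft_set_elem_active(&rbe_prev->ext, ...)` test carries the whole fix but is not explained where it happens. A one-line comment above the `if`, along the lines of the commit message (skip end interval elements that are not yet active, so an end element added in this transaction is not collected), would keep a later reader from restoring the per-generation mask.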
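Review bot: In the third hunk (@@ -367,7 +367,7 @@), the call to nft_rbtree_gc_elem() no longer passes `genmask`, while the condition just above it uses `cur_genmask`. Please check that `genmask` is still used elsewhere in __nft_rbtree_insert() in the F tree after this change, so the backport does not leave an unused variable behind.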