From patchwork Fri Jun 28 16:07:37 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1954047
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J][PATCH 2/2] netfilter: nft_set_pipapo: walk over current view on netlink dump
Date: Fri, 28 Jun 2024 11:07:37 -0500
Message-Id: <20240628160737.16988-3-bethany.jamison@canonical.com>
X-Mailer: git-send-email 2.34.1
In-Reply-To: <20240628160737.16988-1-bethany.jamison@canonical.com>
References: <20240628160737.16988-1-bethany.jamison@canonical.com>

From: Pablo Neira Ayuso

The generation mask can be updated while netlink dump is in progress.
The pipapo set backend walk iterator cannot rely on it to infer what
view of the datastructure is to be used. Add notation to specify if user
wants to read/update the set.

Based on patch from Florian Westphal.

Fixes: 2b84e215f874 ("netfilter: nft_set_pipapo: .walk does not deal with generations")
Signed-off-by: Pablo Neira Ayuso
(backported from commit 29b359cf6d95fd60730533f7f10464e95bd17c73)
[bjamison: context conflict with neighboring function defined in h file, fix change applied as given]
CVE-2024-27017
Signed-off-by: Bethany Jamison
---
 include/net/netfilter/nf_tables.h | 13 +++++++++++++
 net/netfilter/nf_tables_api.c     |  6 ++++++
 net/netfilter/nft_set_pipapo.c    |  5 +++--
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 518442bf13515..23ac406a336fe 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h 
@@ -283,9 +283,22 @@ struct nft_set_elem { void *priv; }; +/** + * enum nft_iter_type - nftables set iterator type + * + * @NFT_ITER_READ: read-only iteration over set elements + * @NFT_ITER_UPDATE: iteration under mutex to update set element state + */ +enum nft_iter_type { + NFT_ITER_UNSPEC, + NFT_ITER_READ, + NFT_ITER_UPDATE, +}; + struct nft_set; struct nft_set_iter { u8 genmask; + enum nft_iter_type type:8; unsigned int count; unsigned int skip; int err; diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 70cab61ead086..0973bf20ca011 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -628,6 +628,7 @@ static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set) { struct nft_set_iter iter = { .genmask = nft_genmask_next(ctx->net), + .type = NFT_ITER_UPDATE, .fn = nft_mapelem_deactivate, }; @@ -5062,6 +5063,7 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set, } iter.genmask = nft_genmask_next(ctx->net); + iter.type = NFT_ITER_UPDATE; iter.skip = 0; iter.count = 0; iter.err = 0; @@ -5137,6 +5139,7 @@ static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set) { struct nft_set_iter iter = { .genmask = nft_genmask_next(ctx->net), + .type = NFT_ITER_UPDATE, .fn = nft_mapelem_activate, }; @@ -5494,6 +5497,7 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) args.cb = cb; args.skb = skb; args.iter.genmask = nft_genmask_cur(net); + args.iter.type = NFT_ITER_READ; args.iter.skip = cb->args[0]; args.iter.count = 0; args.iter.err = 0; @@ -6819,6 +6823,7 @@ static int nft_set_flush(struct nft_ctx *ctx, struct nft_set *set, u8 genmask) { struct nft_set_iter iter = { .genmask = genmask, + .type = NFT_ITER_UPDATE, .fn = nft_setelem_flush, }; 
@@ -10113,6 +10118,7 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx, continue; iter.genmask = nft_genmask_next(ctx->net); + iter.type = NFT_ITER_UPDATE; iter.skip = 0; iter.count = 0; iter.err = 0; diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c index cde08578722ef..56250c12aefa7 100644 --- a/net/netfilter/nft_set_pipapo.c +++ b/net/netfilter/nft_set_pipapo.c @@ -2038,13 +2038,14 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set, struct nft_set_iter *iter) { struct nft_pipapo *priv = nft_set_priv(set); - struct net *net = read_pnet(&set->net); const struct nft_pipapo_match *m; const struct nft_pipapo_field *f; int i, r; + WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC); + rcu_read_lock(); - if (iter->genmask == nft_genmask_cur(net)) + if (iter->type == NFT_ITER_READ) m = rcu_dereference(priv->match); else m = priv->clone;
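
Review bot: The kernel-doc block for enum nft_iter_type in include/net/netfilter/nf_tables.h documents @NFT_ITER_READ and @NFT_ITER_UPDATE but leaves NFT_ITER_UNSPEC undocumented, although it is the value a zero-initialised struct nft_set_iter carries and the one nft_pipapo_walk() warns on. Suggest adding an @NFT_ITER_UNSPEC line stating that it marks an iterator whose caller did not declare read or update intent and must not reach a walk callback. If struct nft_set_iter has its own kernel-doc comment (not visible in this hunk), the new "enum nft_iter_type type:8;" member needs a matching @type entry there.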
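
Review bot: The six initialisers changed in net/netfilter/nf_tables_api.c (nft_map_deactivate, nf_tables_bind_set, nft_map_activate, nf_tables_dump_set, nft_set_flush, nf_tables_check_loops) are the only places this patch sets iter.type, so any other struct nft_set_iter user in the Jammy tree would stay at NFT_ITER_UNSPEC. Because this is a backport with a noted context conflict, the set of walk callers in the target tree may differ from upstream; please confirm, for example by grepping for "struct nft_set_iter" and "->walk(", that every caller is annotated, and say so in the backport note. Nothing in the visible hunks shows a missed caller, so this is a verification request rather than a known gap.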
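
Review bot: In the nft_pipapo_walk() hunk of net/netfilter/nft_set_pipapo.c, "WARN_ON_ONCE(iter->type == NFT_ITER_UNSPEC);" only reports the missing type; execution continues and the else branch selects priv->clone, the view that the new enum comment reserves for iteration under mutex. Either make the unspecified case fail closed (set iter->err, for instance to -EINVAL, and return before rcu_read_lock()), or add a short comment stating that falling back to the clone is intended, so the behaviour for an unannotated caller is explicit. Note also that the warning fires once only, so a second unannotated caller would take the clone path silently.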