From patchwork Wed Aug 30 19:45:39 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1828004
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [Jammy/Jammy-OEM-6.0/Jammy-OEM-6.1/Lunar][PATCH 1/1] netfilter: nf_tables: deactivate catchall elements in next generation
Date: Wed, 30 Aug 2023 15:45:39 -0400
Message-Id: <20230830194539.64143-2-yuxuan.luo@canonical.com>
In-Reply-To: <20230830194539.64143-1-yuxuan.luo@canonical.com>
References: <20230830194539.64143-1-yuxuan.luo@canonical.com>

From: Florian Westphal

When flushing, individual set elements are disabled in the next
generation via the ->flush callback.

Catchall elements are not disabled. This is incorrect and may lead to
double-deactivations of catchall elements which then results in memory
leaks:

WARNING: CPU: 1 PID: 3300 at include/net/netfilter/nf_tables.h:1172 nft_map_deactivate+0x549/0x730
CPU: 1 PID: 3300 Comm: nft Not tainted 6.5.0-rc5+ #60
RIP: 0010:nft_map_deactivate+0x549/0x730
[..]
 ? nft_map_deactivate+0x549/0x730
 nf_tables_delset+0xb66/0xeb0

(the warn is due to nft_use_dec() detecting underflow).

Fixes: aaa31047a6d2 ("netfilter: nftables: add catch-all set element support")
Reported-by: lonial con
Signed-off-by: Florian Westphal
(cherry picked from commit 90e5b3462efa37b8bba82d7c4e63683856e188af)
CVE-2023-4569
Signed-off-by: Yuxuan Luo
---
 net/netfilter/nf_tables_api.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 6d25a2c882ef0..a78efe80ba1fa 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6778,6 +6778,7 @@ static int nft_set_catchall_flush(const struct nft_ctx *ctx, ret = __nft_set_catchall_flush(ctx, set, &elem); if (ret < 0) break; + nft_set_elem_change_active(ctx->net, set, ext); } return ret;
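Review bot: the added `nft_set_elem_change_active(ctx->net, set, ext);` in nft_set_catchall_flush() uses `ext`, which is neither declared nor assigned anywhere in the visible hunk context; confirm that it is the extension of the catchall entry the enclosing loop is currently iterating (the same element passed to `__nft_set_catchall_flush(ctx, set, &elem)`) and not a value carried over from an earlier iteration. Placing the call after `if (ret < 0) break;` is the right ordering, since a failed flush then leaves the element's active state untouched, but a one-line comment stating that this mirrors the next-generation deactivation the ->flush callback already performs for regular set elements would make the intent clear to the next reader, given that this asymmetry is exactly the double-deactivation the commit message describes.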