From: Michal Kubecek <mkubecek@suse.cz>
Date: Tue, 6 Feb 2024 11:43:36 +0100
Subject: netfilter: nf_tables: fix 64-bit load issue in nft_byteorder_eval()
Patch-mainline: Never, see commit message for details
References: CVE-2024-0607 bsc#1218915

Recent fix for a 64-bit array access in nft_byteorder_eval() was incomplete
as it only fixes the register store indices but the same problem exists for
load. Fix those too to complete the fix.

Note: the upstream discussion

  https://lore.kernel.org/all/20240206104336.ctigqpkunom2ufmn@lion.mk-sys.cz/

came to the conclusion that as userspace never actually uses multivalue
access and it's unlikely to never need it, the solution should rather be
dropping this feature. However, this seems to be too intrusive for released
products so that we are going with this non-upstream fix instead.

SLE15-SP2-LTSS and older: nft_reg_store64() and nft_reg_load64() helpers
were not introduced yet and are open coded here.

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

------------------------------------------------------------------------------
---
 net/netfilter/nft_byteorder.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -42,19 +42,20 @@ static void nft_byteorder_eval(const struct nft_expr *expr,
 	switch (priv->size) {
 	case 8: {
 		u64 *dst64 = (void *)dst;
-		u64 src64;
+		u64 *src64 = (void *)src;
+		u64 val64;
 
 		switch (priv->op) {
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
-				src64 = get_unaligned((u64 *)&src[i]);
-				put_unaligned_be64(src64, &dst64[i]);
+				val64 = get_unaligned((u64 *)&src64[i]);
+				put_unaligned_be64(val64, &dst64[i]);
 			}
 			break;
 		case NFT_BYTEORDER_HTON:
 			for (i = 0; i < priv->len / 8; i++) {
-				src64 = get_unaligned_be64(&src[i]);
-				put_unaligned(src64, (u64 *)&dst64[i]);
+				val64 = get_unaligned_be64(&src64[i]);
+				put_unaligned(val64, (u64 *)&dst64[i]);
 			}
 			break;
 		}
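Review bot: the `(u64 *)` cast in the new NTOH load, `get_unaligned((u64 *)&src64[i])`, is redundant, because `src64` is now declared `u64 *` and `&src64[i]` already has that type. The same applies to `(u64 *)&dst64[i]` in the HTON store. Dropping both, e.g. `val64 = get_unaligned(&src64[i]);`, would make the two branches read symmetrically and remove a cast that could hide a later type mistake. It would also help to add a one-line comment at `u64 *src64 = (void *)src;` noting that the load index has to step in 64-bit units to match `dst64[i]`. The removed `&src[i]` form looked plausible, and the only visible difference is the element stride, so the comment would guard against someone "simplifying" it back. Since the commit message says this tree open-codes what later trees do with nft_reg_load64() and nft_reg_store64(), naming those helpers in the comment would make future backports easier to compare.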