From c61d4b7404fc413d31521b4a95b6e4e88255feb6 Mon Sep 17 00:00:00 2001
From: Denis Kirjanov
Date: Feb 06 2024 18:27:58 +0000
Subject: Merge remote-tracking branch 'origin/cve/linux-4.12' into SLE12-SP5
Conflicts:
series.conf
---
diff --git a/patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch b/patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
new file mode 100644
index 0000000..e28a62d
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
@@ -0,0 +1,73 @@
+From 567ea1d72d7e56a96320ea78d83b05bb94dd63de Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 20 Jan 2024 22:50:04 +0100
+Subject: [PATCH] netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+Git-commit: f342de4e2f33e0e39165d8639387aa6c19dff660
+Patch-mainline: v6.8-rc2
+References: CVE-2024-1086 bsc#1219434
+
+This reverts commit e0abdadcc6e1.
+
+core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
+verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
+or 0.
+
+Due to the reverted commit, its possible to provide a positive
+value, e.g. NF_ACCEPT (1), which results in use-after-free.
+
+Its not clear to me why this commit was made.
+
+NF_QUEUE is not used by nftables; "queue" rules in nftables
+will result in use of "nft_queue" expression.
+
+If we later need to allow specifiying errno values from userspace
+(do not know why), this has to call NF_DROP_GETERR and check that
+"err <= 0" holds true.
+
+Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
+Cc: stable@vger.kernel.org
+Reported-by: Notselwyn
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Denis Kirjanov
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 97d04decd2e4..112b07e7bf80 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5479,16 +5479,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+ 
+ switch (data->verdict.code) {
+- default:
+- switch (data->verdict.code & NF_VERDICT_MASK) {
+- case NF_ACCEPT:
+- case NF_DROP:
+- case NF_QUEUE:
+- break;
+- default:
+- return -EINVAL;
+- }
+- /* fall through */
++ case NF_ACCEPT:
++ case NF_DROP:
++ case NF_QUEUE:
++ break;
+ case NFT_CONTINUE:
+ case NFT_BREAK:
+ case NFT_RETURN:
+@@ -5507,6 +5501,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ chain->use++;
+ data->verdict.chain = chain;
+ break;
++ default:
++ return -EINVAL;
+ }
+ 
+ desc->len = sizeof(data->verdict);
+--
+2.16.4
+
diff --git a/series.conf b/series.conf
index 5aaae88..b2f5185 100644
--- a/series.conf
+++ b/series.conf
@@ -64792,6 +64792,7 @@ patches.suse/x86-kvm-Do-not-try-to-disable-kvmclock-if-it-was-not-enabl.patch
 patches.suse/nvmet-tcp-fix-a-crash-in-nvmet_req_complete.patch
 patches.suse/xen-netback-don-t-produce-zero-size-SKB-frags.patch
+ patches.suse/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
 patches.suse/tracing-trigger-Fix-to-return-error-if-failed-to-alloc-snapshot.patch
 # dhowells/linux-fs keys-uefi
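Review bot: The new `case NF_ACCEPT:` / `case NF_DROP:` / `case NF_QUEUE:` list in the embedded nft_verdict_init hunk matches only the bare verdict codes, but nothing in the code records why the masked `& NF_VERDICT_MASK` comparison was removed, so the reasoning lives only in the patch description and a later cleanup could reintroduce the accepting form. I would put a comment above `case NF_ACCEPT:` such as `/* Bare verdict codes only: nf_hook_slow treats the upper 16 bits of NF_DROP as an errno, so a value supplied from userspace there must be refused here (see NF_DROP_GETERR in the patch description) */`. The `default: return -EINVAL;` added in the second inner hunk is the only path that rejects such values, so rules carrying a parameterised DROP/QUEUE verdict now fail at insertion with EINVAL; a one-line comment there, e.g. `/* also rejects NF_DROP/NF_QUEUE with extra bits set */`, would make that explicit. nft_verdict_init's body continues outside both inner hunks, so the chain-lookup handling between them is not visible here.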