Unverified Commit 503fa2fc authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!7218 CVE-2024-27017

Merge Pull Request from: @ci-robot 
 
PR sync from: Wang Hai <wanghai38@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/OZK7RIEFCEORMZY5ZB2JQK5VGZMPVVDC/ 
CVE-2024-27017

Pablo Neira Ayuso (2):
  netfilter: nft_set_pipapo: walk over current view on netlink dump
  netfilter: nf_tables: missing iterator type in lookup walk


-- 
2.17.1
 
https://gitee.com/src-openeuler/kernel/issues/I9L5O8 
 
Link: https://gitee.com/openeuler/kernel/pulls/7218

 

Reviewed-by: default avatarYue Haibing <yuehaibing@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents e99487d8 41f02a7a
+13 −0
@@ -262,9 +262,22 @@ struct nft_set_elem {
	void			*priv;
};

/**
 * enum nft_iter_type - nftables set iterator type
 *
 * @NFT_ITER_READ: read-only iteration over set elements
 * @NFT_ITER_UPDATE: iteration under mutex to update set element state
 */
enum nft_iter_type {
	NFT_ITER_UNSPEC,
	NFT_ITER_READ,
	NFT_ITER_UPDATE,
};

struct nft_set;
struct nft_set_iter {
	u8		genmask;
	enum nft_iter_type type:8;
	unsigned int	count;
	unsigned int	skip;
	int		err;
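Review bot: The kernel-doc block above enum nft_iter_type describes NFT_ITER_READ and NFT_ITER_UPDATE but not NFT_ITER_UNSPEC, which scripts/kernel-doc reports as an undescribed enum value; add ` * @NFT_ITER_UNSPEC: iterator type not set` to the comment. Because `type` is an 8-bit bitfield in struct nft_set_iter, any iterator that is zero-initialised or filled field by field without a `.type` silently carries NFT_ITER_UNSPEC, and the pipapo walk in this series only WARNs on that value before continuing, so the enum comment is also the right place to state the pairing every caller must respect: READ goes with nft_genmask_cur(), UPDATE with nft_genmask_next() under the mutex already mentioned for NFT_ITER_UPDATE. The struct nft_set_iter definition continues past the end of the hunk.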
+6 −0
@@ -593,6 +593,7 @@ static void nft_map_deactivate(const struct nft_ctx *ctx, struct nft_set *set)
{
	struct nft_set_iter iter = {
		.genmask	= nft_genmask_next(ctx->net),
		.type		= NFT_ITER_UPDATE,
		.fn		= nft_mapelem_deactivate,
	};

@@ -4727,6 +4728,7 @@ int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
		}

		iter.genmask	= nft_genmask_next(ctx->net);
		iter.type	= NFT_ITER_UPDATE;
		iter.skip 	= 0;
		iter.count	= 0;
		iter.err	= 0;
@@ -4780,6 +4782,7 @@ static void nft_map_activate(const struct nft_ctx *ctx, struct nft_set *set)
{
	struct nft_set_iter iter = {
		.genmask	= nft_genmask_next(ctx->net),
		.type		= NFT_ITER_UPDATE,
		.fn		= nft_mapelem_activate,
	};

@@ -5093,6 +5096,7 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb)
	args.cb			= cb;
	args.skb		= skb;
	args.iter.genmask	= nft_genmask_cur(net);
	args.iter.type		= NFT_ITER_READ;
	args.iter.skip		= cb->args[0];
	args.iter.count		= 0;
	args.iter.err		= 0;
@@ -6022,6 +6026,7 @@ static int nf_tables_delsetelem(struct net *net, struct sock *nlsk,
	if (nla[NFTA_SET_ELEM_LIST_ELEMENTS] == NULL) {
		struct nft_set_iter iter = {
			.genmask	= genmask,
			.type		= NFT_ITER_UPDATE,
			.fn		= nft_flush_set,
		};
		set->ops->walk(&ctx, set, &iter);
@@ -9131,6 +9136,7 @@ static int nf_tables_check_loops(const struct nft_ctx *ctx,
				continue;

			iter.genmask	= nft_genmask_next(ctx->net);
			iter.type	= NFT_ITER_UPDATE;
			iter.skip 	= 0;
			iter.count	= 0;
			iter.err	= 0;
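Review bot: Nothing ties the new `.type` to the genmask chosen at the same site: nf_tables_dump_set is the only place pairing NFT_ITER_READ with nft_genmask_cur(), while nft_map_deactivate, nf_tables_bind_set, nft_map_activate, nf_tables_delsetelem, nf_tables_check_loops and nft_lookup_validate in the next file all pair NFT_ITER_UPDATE with nft_genmask_next(), and a future caller that copies one half of the pair walks the wrong view of the set. A one-line comment at the dump site would make the invariant visible: `/* read-only dump of the current generation; the walker must not touch the pending clone */`. In nf_tables_bind_set and nf_tables_check_loops the iterator is filled field by field, so `iter.type` is only as reliable as the declaration outside the hunk; if `iter` is not zero-initialised there, a designated initializer like the one used in nft_map_deactivate would be the safer form. Every enclosing function here starts and ends outside its hunk.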
+1 −0
@@ -206,6 +206,7 @@ static int nft_lookup_validate(const struct nft_ctx *ctx,
		return 0;

	iter.genmask	= nft_genmask_next(ctx->net);
	iter.type	= NFT_ITER_UPDATE;
	iter.skip	= 0;
	iter.count	= 0;
	iter.err	= 0;
+4 −2
@@ -2018,13 +2018,15 @@ static void nft_pipapo_walk(const struct nft_ctx *ctx, struct nft_set *set,
			    struct nft_set_iter *iter)
{
	struct nft_pipapo *priv = nft_set_priv(set);
	struct net *net = read_pnet(&set->net);
	struct nft_pipapo_match *m;
	struct nft_pipapo_field *f;
	int i, r;

	WARN_ON_ONCE(iter->type != NFT_ITER_READ &&
		     iter->type != NFT_ITER_UPDATE);

	rcu_read_lock();
	if (iter->genmask == nft_genmask_cur(net))
	if (iter->type == NFT_ITER_READ)
		m = rcu_dereference(priv->match);
	else
		m = priv->clone;
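Review bot: The WARN_ON_ONCE only reports an unset or bogus iter->type; the if/else that follows then treats every value other than NFT_ITER_READ as an update walk and hands out priv->clone under nothing but rcu_read_lock(), which is exactly the view the commit is removing from the dump path. Inverting the test makes the unspecified case fall back to the RCU-protected live match instead: `if (iter->type == NFT_ITER_UPDATE)` / `m = priv->clone;` / `else m = rcu_dereference(priv->match);`. A short comment on the clone branch would also record the precondition that is otherwise implicit, presumably `/* NFT_ITER_UPDATE: caller holds the transaction mutex, so the clone cannot change underneath us */`. The body of nft_pipapo_walk continues past the end of the hunk.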