From d9304f7a1412dc2060e96998097619e98c2cdedf Mon Sep 17 00:00:00 2001 From: eaglegai Date: Mon, 20 Oct 2025 06:12:42 +0000 Subject: [PATCH] backport upstream patches --- ...luate-compact-STMT_F_STATEFUL-checks.patch | 81 +++++++++++ ...llow-nat-map-with-specified-protocol.patch | 56 ++++++++ ...nt-update-cache-for-anonymous-chains.patch | 56 ++++++++ ...tatements-in-set-and-map-definitions.patch | 88 ++++++++++++ ...nt-BUG-when-asked-to-list-synproxies.patch | 130 ++++++++++++++++++ ...ake-sure-timeout-list-is-initialised.patch | 104 ++++++++++++++ ...n-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch | 40 ++++++ ...r-deref-parsing-set-elem-expressions.patch | 35 +++++ ...own-types-when-deserializing-objects.patch | 37 +++++ ...return-error-if-table-does-not-exist.patch | 59 ++++++++ ...-crash-when-ops-doesnt-support-udata.patch | 37 +++++ nftables.spec | 31 ++++- 12 files changed, 753 insertions(+), 1 deletion(-) create mode 100644 backport-evaluate-compact-STMT_F_STATEFUL-checks.patch create mode 100644 backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch create mode 100644 backport-evaluate-dont-update-cache-for-anonymous-chains.patch create mode 100644 backport-evaluate-only-allow-stateful-statements-in-set-and-map-definitions.patch create mode 100644 backport-json-dont-BUG-when-asked-to-list-synproxies.patch create mode 100644 backport-json-make-sure-timeout-list-is-initialised.patch create mode 100644 backport-netlink-Avoid-crash-upon-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch create mode 100644 backport-netlink-Avoid-potential-NULL-ptr-deref-parsing-set-elem-expressions.patch create mode 100644 backport-netlink-Catch-unknown-types-when-deserializing-objects.patch create mode 100644 backport-rule-return-error-if-table-does-not-exist.patch create mode 100644 backport-src-netlink-fix-crash-when-ops-doesnt-support-udata.patch 
diff --git a/backport-evaluate-compact-STMT_F_STATEFUL-checks.patch b/backport-evaluate-compact-STMT_F_STATEFUL-checks.patch
new file mode 100644
index 0000000..b6653de
--- /dev/null
+++ b/backport-evaluate-compact-STMT_F_STATEFUL-checks.patch
@@ -0,0 +1,81 @@ +From 36bd6d0088bca1087aeccfe14aaa786200d755bc Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 31 Mar 2025 17:23:19 +0200 +Subject: evaluate: compact STMT_F_STATEFUL checks + +We'll gain another F_STATEFUL check in a followup patch, +so lets condense the pattern into a helper to reduce copypaste. + +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:context adjust +Reference:https://git.netfilter.org/nftables/commit/?id=36bd6d0088bca1087aeccfe14aaa786200d755bc + +--- + src/evaluate.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index 0db3d80f..92bf47a3 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -3453,6 +3453,17 @@ static int stmt_evaluate_payload(struct eval_ctx *ctx, struct stmt *stmt) + return expr_evaluate(ctx, &stmt->payload.val); + } + ++static int stmt_evaluate_stateful(struct eval_ctx *ctx, struct stmt *stmt, const char *name) ++{ ++ if (stmt_evaluate(ctx, stmt) < 0) ++ return -1; ++ ++ if (!(stmt->flags & STMT_F_STATEFUL)) ++ return stmt_error(ctx, stmt, "%s statement must be stateful", name); ++ ++ return 0; ++} ++ + static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + { + struct expr *key, *set, *setref; +@@ -3526,11 +3537,8 @@ static int stmt_evaluate_meter(struct eval_ctx *ctx, struct stmt *stmt) + setref->set->desc.size = stmt->meter.size; + stmt->meter.set = setref; + +- if (stmt_evaluate(ctx, stmt->meter.stmt) < 0) ++ if (stmt_evaluate_stateful(ctx, stmt->meter.stmt, "meter") < 0) + return -1; +- if (!(stmt->meter.stmt->flags & STMT_F_STATEFUL)) +- return stmt_binary_error(ctx, stmt->meter.stmt, stmt, +- "meter statement must be stateful"); + + return 0; + } +@@ -4656,11 +4664,8 @@ static int stmt_evaluate_set(struct eval_ctx *ctx, struct stmt *stmt) + return expr_error(ctx->msgs, stmt->set.key, + "Key expression comments are not supported"); + list_for_each_entry(this, 
&stmt->set.stmt_list, list) { +- if (stmt_evaluate(ctx, this) < 0) ++ if (stmt_evaluate_stateful(ctx, this, "set") < 0) + return -1; +- if (!(this->flags & STMT_F_STATEFUL)) +- return stmt_error(ctx, this, +- "statement must be stateful"); + } + + return 0; +@@ -4720,11 +4725,8 @@ static int stmt_evaluate_map(struct eval_ctx *ctx, struct stmt *stmt) + "Data expression timeouts are not supported"); + + list_for_each_entry(this, &stmt->map.stmt_list, list) { +- if (stmt_evaluate(ctx, this) < 0) ++ if (stmt_evaluate_stateful(ctx, this, "map") < 0) + return -1; +- if (!(this->flags & STMT_F_STATEFUL)) +- return stmt_error(ctx, this, +- "statement must be stateful"); + } + + return 0; +-- +cgit v1.2.3 diff --git a/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch b/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch new file mode 100644 index 0000000..90ec24f --- /dev/null +++ b/backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch 
@@ -0,0 +1,56 @@ +From 43cf4a2973ee9e3ab20edce47c6a054485707592 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 20 Mar 2025 09:39:20 +0100 +Subject: evaluate: don't allow nat map with specified protocol + +Included bogon asserts: +src/netlink_linearize.c:1305: netlink_gen_nat_stmt: Assertion `stmt->nat.proto == NULL' failed. + +The comment right above the assertion says: + nat_stmt evaluation step doesn't allow + STMT_NAT_F_CONCAT && stmt->nat.proto. + +... except it does allow it. Disable this. + +Fixes: c68314dd4263 ("src: infer NAT mapping with concatenation from set") +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:change context in evaluate.c +Reference:https://git.netfilter.org/nftables/commit/?id=43cf4a2973ee9e3ab20edce47c6a054485707592 + +--- + src/evaluate.c | 4 ++++ + tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert | 5 +++++ + 2 files changed, 9 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index 95b9b3d5..3a453d01 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -4196,6 +4196,10 @@ static int stmt_evaluate_nat_map(struct eval_ctx *ctx, struct stmt *stmt) + int addr_type; + int err; + ++ if (stmt->nat.proto) ++ return stmt_binary_error(ctx, stmt, stmt->nat.proto, ++ "nat map and protocol are mutually exclusive"); ++ + switch (stmt->nat.family) { + case NFPROTO_IPV4: + addr_type = TYPE_IPADDR; +diff --git a/tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert b/tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert +new file mode 100644 +index 00000000..67f2ae87 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-j/nat_map_and_protocol_assert +@@ -0,0 +1,5 @@ ++table t { ++ chain y { ++ snat to ip saddr . tcp sport map { 1.1.1.1 . 1 : 1.1.1.2 . 1 } : 6 ++ } ++} +-- +cgit v1.2.3 + 
diff --git a/backport-evaluate-dont-update-cache-for-anonymous-chains.patch b/backport-evaluate-dont-update-cache-for-anonymous-chains.patch
new file mode 100644
index 0000000..37c7540
--- /dev/null
+++ b/backport-evaluate-dont-update-cache-for-anonymous-chains.patch
@@ -0,0 +1,56 @@ +From bd1fc6c740535d1ad3f38f8ba9c539c14f1732f3 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Wed, 19 Mar 2025 21:05:53 +0100 +Subject: evaluate: don't update cache for anonymous chains + +Chain lookup needs a name, not a numerical id. +After patch, loading bogon gives following errors: + +Error: No symbol type information a b index 1 10.1.26.a + +v2: Don't return an error, just make it a no-op (Pablo Neira Ayuso) + +Fixes: c330152b7f77 ("src: support for implicit chain bindings") +Signed-off-by: Florian Westphal + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=bd1fc6c740535d1ad3f38f8ba9c539c14f1732f3 + +--- + src/evaluate.c | 4 ++++ + .../testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash | 8 ++++++++ + 2 files changed, 12 insertions(+) + create mode 100644 tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash + +diff --git a/src/evaluate.c b/src/evaluate.c +index a2796119..785c4fab 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -5371,6 +5371,10 @@ static int rule_cache_update(struct eval_ctx *ctx, enum cmd_ops op) + if (!table) + return table_not_found(ctx); + ++ /* chain is anonymous, adding new rules via index is not supported. */ ++ if (!rule->handle.chain.name) ++ return 0; ++ + chain = chain_cache_find(table, rule->handle.chain.name); + if (!chain) + return chain_not_found(ctx); +diff --git a/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash b/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash +new file mode 100644 +index 00000000..310486c5 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/null_deref_on_anon_chain_update_crash +@@ -0,0 +1,8 @@ ++table ip f { ++ chain c { ++ jump { ++ accept ++ } ++ } ++} ++a b index 1 10.1.26.a +-- +cgit v1.2.3 + 
diff --git a/backport-evaluate-only-allow-stateful-statements-in-set-and-map-definitions.patch b/backport-evaluate-only-allow-stateful-statements-in-set-and-map-definitions.patch
new file mode 100644
index 0000000..bd2bba0
--- /dev/null
+++ b/backport-evaluate-only-allow-stateful-statements-in-set-and-map-definitions.patch
@@ -0,0 +1,88 @@ +From 0acd81559ec9efe2cc3d869bfc8e5a0b4d888456 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Mon, 31 Mar 2025 17:23:20 +0200 +Subject: evaluate: only allow stateful statements in set and map definitions + +The bison parser doesn't allow this to happen due to grammar +restrictions, but the json input has no such issues. + +The bogon input assigns 'notrack' which triggers: +BUG: unknown stateful statement type 19 +nft: src/netlink_linearize.c:1061: netlink_gen_stmt_stateful: Assertion `0' failed. + +After patch, we get: +Error: map statement must be stateful + +Fixes: 07958ec53830 ("json: add set statement list support") +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=0acd81559ec9efe2cc3d869bfc8e5a0b4d888456 + +--- + src/evaluate.c | 5 +++- + .../unkown_stateful_statement_type_19_assert | 34 ++++++++++++++++++++++ + 2 files changed, 38 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert + +diff --git a/src/evaluate.c b/src/evaluate.c +index 92bf47a3..a3c8f560 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -5151,8 +5151,11 @@ static int set_evaluate(struct eval_ctx *ctx, struct set *set) + if (set->timeout) + set->flags |= NFT_SET_TIMEOUT; + +- list_for_each_entry(stmt, &set->stmt_list, list) ++ list_for_each_entry(stmt, &set->stmt_list, list) { ++ if (stmt_evaluate_stateful(ctx, stmt,type) < 0) ++ return -1; + num_stmts++; ++ } + + if (num_stmts > 1) + set->flags |= NFT_SET_EXPR; +diff --git a/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert +new file mode 100644 +index 00000000..e8a0f768 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-j-f/unkown_stateful_statement_type_19_assert +@@ -0,0 +1,34 @@ ++{ ++ "nftables": [ ++ { ++ "metainfo": { ++ "version": 
"VERSION", ++ "release_name": "RELEASE_NAME", ++ "json_schema_version": 1 ++ } ++ }, ++ { ++ "table": { ++ "family": "ip", ++ "name": "t", ++ "handle": 0 ++ } ++ }, ++ { ++ "map": { ++ "family": "ip", ++ "name": "m", ++ "table": "t", ++ "type": "ipv4_addr", ++ "handle": 0, ++ "map": "mark", ++ "stmt": [ ++ { ++ "notrack": null ++ } ++ ] ++ } ++ } ++ ] ++} ++ +-- +cgit v1.2.3 + diff --git a/backport-json-dont-BUG-when-asked-to-list-synproxies.patch b/backport-json-dont-BUG-when-asked-to-list-synproxies.patch new file mode 100644 index 0000000..85b5434 --- /dev/null +++ b/backport-json-dont-BUG-when-asked-to-list-synproxies.patch 
@@ -0,0 +1,130 @@ +From 40b0708ca6dee4829a9b6e1c2f4677ff2c206b43 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 27 Mar 2025 17:32:00 +0100 +Subject: json: don't BUG when asked to list synproxies + +"-j list synproxys" triggers a BUG(). + +Rewrite this so that all enum values are handled so the compiler can alert +us to a missing value in case there are more commands in the future. + +While at it, implement a few low-hanging fruites as well. + +Not-yet-supported cases are simply ignored. + +v2: return EOPNOTSUPP for unsupported commands (Pablo Neira Ayuso) + +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:change context about do_command_list_json +Reference:https://git.netfilter.org/nftables/commit/?id=40b0708ca6dee4829a9b6e1c2f4677ff2c206b43 + +--- + src/evaluate.c | 6 ++++-- + src/json.c | 26 ++++++++++++++++++++++++-- + src/rule.c | 12 ++++++++++-- + 3 files changed, 38 insertions(+), 6 deletions(-) + +diff --git a/src/evaluate.c b/src/evaluate.c +index ffb23005..0db3d80f 100644 +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -6302,7 +6302,9 @@ int cmd_evaluate(struct eval_ctx *ctx, struct cmd *cmd) + return cmd_evaluate_monitor(ctx, cmd); + case CMD_IMPORT: + return cmd_evaluate_import(ctx, cmd); +- default: +- BUG("invalid command operation %u\n", cmd->op); ++ case CMD_INVALID: ++ break; + }; ++ ++ BUG("invalid command operation %u\n", cmd->op); + } +diff --git a/src/json.c b/src/json.c +index bcdcd56b..41a57201 100644 +--- a/src/json.c ++++ b/src/json.c +@@ -1957,7 +1957,7 @@ static json_t *generate_json_metainfo(void) + int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd) + { + struct table *table = NULL; +- json_t *root; ++ json_t *root = NULL; + + if (cmd->handle.table.name) + table = table_cache_find(&ctx->nft->cache.table_cache, +@@ -2017,6 +2017,13 @@ int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd) + case CMD_OBJ_CT_HELPERS: + root = do_list_obj_json(ctx, cmd, 
NFT_OBJECT_CT_HELPER); + break; ++ case CMD_OBJ_CT_TIMEOUT: ++ case CMD_OBJ_CT_TIMEOUTS: ++ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_CT_TIMEOUT); ++ case CMD_OBJ_CT_EXPECT: ++ case CMD_OBJ_CT_EXPECTATIONS: ++ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_CT_EXPECT); ++ break; + case CMD_OBJ_LIMIT: + case CMD_OBJ_LIMITS: + root = do_list_obj_json(ctx, cmd, NFT_OBJECT_LIMIT); +@@ -2025,14 +2032,29 @@ int do_command_list_json(struct netlink_ctx *ctx, struct cmd *cmd) + case CMD_OBJ_SECMARKS: + root = do_list_obj_json(ctx, cmd, NFT_OBJECT_SECMARK); + break; ++ case CMD_OBJ_SYNPROXY: ++ case CMD_OBJ_SYNPROXYS: ++ root = do_list_obj_json(ctx, cmd, NFT_OBJECT_SYNPROXY); ++ break; + case CMD_OBJ_FLOWTABLE: + root = do_list_flowtable_json(ctx, cmd, table); + break; + case CMD_OBJ_FLOWTABLES: + root = do_list_flowtables_json(ctx, cmd); + break; +- default: ++ case CMD_OBJ_HOOKS: ++ return 0; ++ case CMD_OBJ_MONITOR: ++ case CMD_OBJ_MARKUP: ++ case CMD_OBJ_SETELEMS: ++ case CMD_OBJ_RULE: ++ case CMD_OBJ_EXPR: ++ case CMD_OBJ_ELEMENTS: ++ errno = EOPNOTSUPP; ++ return -1; ++ case CMD_OBJ_INVALID: + BUG("invalid command object type %u\n", cmd->obj); ++ break; + } + + if (!json_is_array(root)) { +diff --git a/src/rule.c b/src/rule.c +index 00fbbc4c..80315837 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -2445,10 +2445,18 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) + return do_list_flowtables(ctx, cmd); + case CMD_OBJ_HOOKS: + return do_list_hooks(ctx, cmd); +- default: +- BUG("invalid command object type %u\n", cmd->obj); ++ case CMD_OBJ_MONITOR: ++ case CMD_OBJ_MARKUP: ++ case CMD_OBJ_SETELEMS: ++ case CMD_OBJ_EXPR: ++ case CMD_OBJ_ELEMENTS: ++ errno = EOPNOTSUPP; ++ return -1; ++ case CMD_OBJ_INVALID: ++ break; + } + ++ BUG("invalid command object type %u\n", cmd->obj); + return 0; + } + +-- +cgit v1.2.3 + 
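Review bot: The new `case CMD_OBJ_CT_TIMEOUT:` / `case CMD_OBJ_CT_TIMEOUTS:` arm in do_command_list_json() has no `break;` after its do_list_obj_json() call, so control falls through into the CMD_OBJ_CT_EXPECT arm and `root` is overwritten with the expectation listing; the ct-timeout result is dropped and nothing in the hunk releases it. Add `break;` directly after `root = do_list_obj_json(ctx, cmd, NFT_OBJECT_CT_TIMEOUT);`, matching the CMD_OBJ_SYNPROXY arm added below it. The patch header says the context around do_command_list_json was adjusted for this backport, so this arm is worth diffing against the upstream commit named in its Reference line. The enclosing switch and function extend beyond the hunk.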
diff --git a/backport-json-make-sure-timeout-list-is-initialised.patch b/backport-json-make-sure-timeout-list-is-initialised.patch
new file mode 100644
index 0000000..93ec437
--- /dev/null
+++ b/backport-json-make-sure-timeout-list-is-initialised.patch
@@ -0,0 +1,104 @@ +From 0298bc012e020b2fca8ecc60b0091798d091e1fd Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 21 Mar 2025 12:53:40 +0100 +Subject: json: make sure timeout list is initialised + +On parser error, obj_free will iterate this list. +Included json bogon crashes due to null deref because +list head initialisation did not yet happen. + +Fixes: c82a26ebf7e9 ("json: Add ct timeout support") +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:delete modify about test assert_failures +Reference:https://git.netfilter.org/nftables/commit/?id=0298bc012e020b2fca8ecc60b0091798d091e1fd + +--- + src/parser_json.c | 2 +- + .../testcases/bogons/nft-j-f/ct_timeout_null_crash | 54 ++++++++++++++++++++++ + 2 files changed, 84 insertions(+), 7 deletions(-) + create mode 100644 tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash + +diff --git a/src/parser_json.c b/src/parser_json.c +index 17bc38b5..dd085d78 100644 +--- a/src/parser_json.c ++++ b/src/parser_json.c +@@ -3722,6 +3722,7 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, + break; + case NFT_OBJECT_CT_TIMEOUT: + cmd_obj = CMD_OBJ_CT_TIMEOUT; ++ init_list_head(&obj->ct_timeout.timeout_list); + obj->type = NFT_OBJECT_CT_TIMEOUT; + if (!json_unpack(root, "{s:s}", "protocol", &tmp)) { + if (!strcmp(tmp, "tcp")) { +@@ -3740,7 +3741,6 @@ static struct cmd *json_parse_cmd_add_object(struct json_ctx *ctx, + } + obj->ct_timeout.l3proto = l3proto; + +- init_list_head(&obj->ct_timeout.timeout_list); + if (json_parse_ct_timeout_policy(ctx, root, obj)) + goto err_free_obj; + break; +diff --git a/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash b/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash +new file mode 100644 +index 00000000..c8c662e9 +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-j-f/ct_timeout_null_crash +@@ -0,0 +1,54 @@ ++{ ++ "nftables": [ ++ { ++ "metainfo": { ++ "version": "VERSION", ++ "release_name": "RELEASE_NAME", 
++ "json_schema_version": 1 ++ } ++ }, ++ { ++ "table": { ++ "family": "ip", ++ "name": "filter", ++ "handle": 0 ++ } ++ }, ++ { ++ "chain": { ++ "family": "ip", ++ "table": "filter", ++ "name": "c", ++ "handle": 0 ++ } ++ }, ++ { ++ "ct timeout": { ++ "family": "ip", ++ "name": "cttime", ++ "table": "filter", ++ "handle": 0, ++ "protocol": "Xcp", ++ "l3proto": "ip", ++ "policy": { ++ "established": 123, ++ "close": 12 ++ } ++ } ++ }, ++ { ++ "rule": { ++ "family": "ip", ++ "table": "filter", ++ "chain": "c", ++ "handle": 0, ++ "expr": [ ++ { ++ "ct timeout": "cttime" ++ } ++ ] ++ } ++ } ++ ] ++} ++ +-- +cgit v1.2.3 diff --git a/backport-netlink-Avoid-crash-upon-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch b/backport-netlink-Avoid-crash-upon-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch new file mode 100644 index 0000000..e97088b --- /dev/null +++ b/backport-netlink-Avoid-crash-upon-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch 
@@ -0,0 +1,40 @@ +From 2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 12 Jun 2025 20:17:22 +0200 +Subject: netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY + attribute + +If missing, the memcpy call ends up reading from address zero. + +Fixes: c7c94802679cd ("src: add ct timeout support") +Signed-off-by: Phil Sutter +Reviewed-by: Pablo Neira Ayuso + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=2a38f458f12bc032dac1b3ba63f95ca5a3c03fbd + +--- + src/netlink.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/src/netlink.c b/src/netlink.c +index be1fefc0..73fe579a 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -1769,9 +1769,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, + init_list_head(&obj->ct_timeout.timeout_list); + obj->ct_timeout.l3proto = nftnl_obj_get_u16(nlo, NFTNL_OBJ_CT_TIMEOUT_L3PROTO); + obj->ct_timeout.l4proto = nftnl_obj_get_u8(nlo, NFTNL_OBJ_CT_TIMEOUT_L4PROTO); +- memcpy(obj->ct_timeout.timeout, +- nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY), +- NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)); ++ if (nftnl_obj_is_set(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY)) ++ memcpy(obj->ct_timeout.timeout, ++ nftnl_obj_get(nlo, NFTNL_OBJ_CT_TIMEOUT_ARRAY), ++ NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t)); + break; + case NFT_OBJECT_LIMIT: + obj->limit.rate = +-- +cgit v1.2.3 + diff --git a/backport-netlink-Avoid-potential-NULL-ptr-deref-parsing-set-elem-expressions.patch b/backport-netlink-Avoid-potential-NULL-ptr-deref-parsing-set-elem-expressions.patch new file mode 100644 index 0000000..398eb5e --- /dev/null +++ b/backport-netlink-Avoid-potential-NULL-ptr-deref-parsing-set-elem-expressions.patch 
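Review bot: When NFTNL_OBJ_CT_TIMEOUT_ARRAY is absent, the new guard skips the memcpy and leaves `obj->ct_timeout.timeout` holding whatever the allocation contained; unless `obj` comes from a zeroing allocator (its allocation is above the hunk, outside view), a later listing of the object would read indeterminate timeout values. Either add `else memset(obj->ct_timeout.timeout, 0, NFTNL_CTTIMEOUT_ARRAY_MAX * sizeof(uint32_t));` so the fallback does not depend on the allocator, or put a comment on the `if` stating that a zeroed array is the intended default. The enclosing switch in netlink_delinearize_obj() continues past the hunk.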
@@ -0,0 +1,35 @@ +From 89645d04106d45d5e23b6d5206777dad1fb3e6bf Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 16 May 2025 20:08:05 +0200 +Subject: netlink: Avoid potential NULL-ptr deref parsing set elem expressions + +Since netlink_parse_set_expr() may return NULL, the following deref must +be guarded. + +Fixes: e6d1d0d611958 ("src: add set element multi-statement support") +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=89645d04106d45d5e23b6d5206777dad1fb3e6bf + +--- + src/netlink.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/netlink.c b/src/netlink.c +index d8891245..0724190a 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -969,7 +969,8 @@ static int set_elem_parse_expressions(struct nftnl_expr *e, void *data) + struct stmt *stmt; + + stmt = netlink_parse_set_expr(set, cache, e); +- list_add_tail(&stmt->list, &setelem_parse_ctx->stmt_list); ++ if (stmt) ++ list_add_tail(&stmt->list, &setelem_parse_ctx->stmt_list); + + return 0; + } +-- +cgit v1.2.3 + diff --git a/backport-netlink-Catch-unknown-types-when-deserializing-objects.patch b/backport-netlink-Catch-unknown-types-when-deserializing-objects.patch new file mode 100644 index 0000000..a8f92ee --- /dev/null +++ b/backport-netlink-Catch-unknown-types-when-deserializing-objects.patch 
@@ -0,0 +1,37 @@ +From 690f19eadde5cb607ec3d8d471c86d558c7229bd Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Fri, 16 May 2025 19:41:19 +0200 +Subject: netlink: Catch unknown types when deserializing objects + +Print an error message and discard the object instead of returning it to +the caller. At least when trying to print it, we would hit an assert() +in obj_type_name() anyway. + +Fixes: 4756d92e517ae ("src: listing of stateful objects") +Signed-off-by: Phil Sutter + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=690f19eadde5cb607ec3d8d471c86d558c7229bd + +--- + src/netlink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/src/netlink.c b/src/netlink.c +index 0724190a..52010c74 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -1802,6 +1802,10 @@ struct obj *netlink_delinearize_obj(struct netlink_ctx *ctx, + obj->synproxy.flags = + nftnl_obj_get_u32(nlo, NFTNL_OBJ_SYNPROXY_FLAGS); + break; ++ default: ++ netlink_io_error(ctx, NULL, "Unknown object type %u", type); ++ obj_free(obj); ++ return NULL; + } + obj->type = type; + +-- +cgit v1.2.3 + diff --git a/backport-rule-return-error-if-table-does-not-exist.patch b/backport-rule-return-error-if-table-does-not-exist.patch new file mode 100644 index 0000000..0750e86 --- /dev/null +++ b/backport-rule-return-error-if-table-does-not-exist.patch 
@@ -0,0 +1,59 @@ +From 853d3a2d3cbdc7aab16d3d33999d00b32a6db7ce Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 20 Mar 2025 14:31:42 +0100 +Subject: rule: return error if table does not exist + +The bogon triggers segfault due to NULL dereference. Error out and set +errno to ENOENT; caller uses strerror() in the errmsg. + +After fix, loading reproducer results in: +/tmp/A:2:1-18: Error: Could not process rule: No such file or directory +list table inet p +^^^^^^^^^^^^^^^^^^ + +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:NA +Reference:https://git.netfilter.org/nftables/commit/?id=853d3a2d3cbdc7aab16d3d33999d00b32a6db7ce + +--- + src/rule.c | 8 +++++++- + tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash | 3 +++ + 2 files changed, 10 insertions(+), 1 deletion(-) + create mode 100644 tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash + +diff --git a/src/rule.c b/src/rule.c +index 3edfa471..00fbbc4c 100644 +--- a/src/rule.c ++++ b/src/rule.c +@@ -2380,10 +2380,16 @@ static int do_command_list(struct netlink_ctx *ctx, struct cmd *cmd) + if (nft_output_json(&ctx->nft->output)) + return do_command_list_json(ctx, cmd); + +- if (cmd->handle.table.name != NULL) ++ if (cmd->handle.table.name != NULL) { + table = table_cache_find(&ctx->nft->cache.table_cache, + cmd->handle.table.name, + cmd->handle.family); ++ if (!table) { ++ errno = ENOENT; ++ return -1; ++ } ++ } ++ + switch (cmd->obj) { + case CMD_OBJ_TABLE: + if (!cmd->handle.table.name) +diff --git a/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash b/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash +new file mode 100644 +index 00000000..b802430b +--- /dev/null ++++ b/tests/shell/testcases/bogons/nft-f/list_a_deleted_table_crash +@@ -0,0 +1,3 @@ ++table inet p ++list table inet p ++delete table inet p +-- +cgit v1.2.3 + 
diff --git a/backport-src-netlink-fix-crash-when-ops-doesnt-support-udata.patch b/backport-src-netlink-fix-crash-when-ops-doesnt-support-udata.patch new file mode 100644 index 0000000..b096f7c --- /dev/null +++ b/backport-src-netlink-fix-crash-when-ops-doesnt-support-udata.patch @@ -0,0 +1,37 @@ +From be737a1986bfee0ddea4bee7863dca0123a2bcbc Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 8 May 2025 16:29:04 +0200 +Subject: src: netlink: fix crash when ops doesn't support udata + +Whenever a new version adds udata support to an expression, then old +versions of nft will crash when trying to list such a ruleset generated +by a more recent version of nftables. + +Fix this by falling back to 'type' format. + +Fixes: 6e48df5329ea ('src: add "typeof" build/parse/print support') +Signed-off-by: Florian Westphal +Reviewed-by: Pablo Neira Ayuso + +Conflict:modify expr_ops_by_type_u32 to expr_ops_by_type +Reference:https://git.netfilter.org/nftables/commit/?id=be737a1986bfee0ddea4bee7863dca0123a2bcbc + +--- + src/netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/netlink.c b/src/netlink.c +index 86ca3214..d8891245 100644 +--- a/src/netlink.c ++++ b/src/netlink.c +@@ -937,7 +937,7 @@ static struct expr *set_make_key(const struct nftnl_udata *attr) + + etype = nftnl_udata_get_u32(ud[NFTNL_UDATA_SET_TYPEOF_EXPR]); + ops = expr_ops_by_type(etype); +- if (!ops) ++ if (!ops || !ops->parse_udata) + return NULL; + + expr = ops->parse_udata(ud[NFTNL_UDATA_SET_TYPEOF_DATA]); +-- +cgit v1.2.3 diff --git a/nftables.spec b/nftables.spec index 3ac6817..e27b6f8 100644 --- a/nftables.spec +++ b/nftables.spec @@ -1,6 +1,6 @@ Name: nftables Version: 1.0.0 -Release: 15 +Release: 16 Epoch: 1 Summary: A subsystem of the Linux kernel processing network data License: GPLv2 
@@ -107,6 +107,18 @@ Patch86: backport-libnftables-Zero-ctx-vars-after-freeing-it.patch Patch87: backport-cache-add-helper-function-to-fill-up-the-rule-cache.patch Patch88: backport-cache-release-pending-rules-when-chain-binding-lookup-fails.patch +Patch89: backport-evaluate-dont-allow-nat-map-with-specified-protocol.patch +Patch90: backport-rule-return-error-if-table-does-not-exist.patch +Patch91: backport-json-make-sure-timeout-list-is-initialised.patch +Patch92: backport-evaluate-dont-update-cache-for-anonymous-chains.patch +Patch93: backport-json-dont-BUG-when-asked-to-list-synproxies.patch +Patch94: backport-evaluate-compact-STMT_F_STATEFUL-checks.patch +Patch95: backport-evaluate-only-allow-stateful-statements-in-set-and-map-definitions.patch +Patch96: backport-src-netlink-fix-crash-when-ops-doesnt-support-udata.patch +Patch97: backport-netlink-Catch-unknown-types-when-deserializing-objects.patch +Patch98: backport-netlink-Avoid-potential-NULL-ptr-deref-parsing-set-elem-expressions.patch +Patch99: backport-netlink-Avoid-crash-upon-missing-NFTNL_OBJ_CT_TIMEOUT_ARRAY.patch + BuildRequires: gcc flex bison libmnl-devel gmp-devel readline-devel libnftnl-devel docbook2X systemd BuildRequires: iptables-devel jansson-devel python3-devel BuildRequires: chrpath 
@@ -205,6 +217,23 @@ echo "%{_libdir}" > %{buildroot}/etc/ld.so.conf.d/%{name}-%{_arch}.conf %{python3_sitelib}/nftables/ %changelog +* Mon Oct 20 2025 gaihuiying - 1:1.0.0-16 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:backport upstream patches + evaluate: don't allow nat map with specified protocol + rule: return error if table does not exist + json: make sure timeout list is initialised + evaluate: don't update cache for anonymous chains + json: don't BUG when asked to list synproxies + evaluate: compact STMT_F_STATEFUL checks + evaluate: only allow stateful statements in set and map definitions + netlink: fix crash when ops doesn't support udata + netlink: Catch unknown types when deserializing objects + netlink: Avoid potential NULL-ptr deref parsing set elem expressions + netlink: Avoid crash upon missing NFTNL_OBJ_CT_TIMEOUT_ARRAY + * Mon Jan 27 2025 yanglu - 1:1.0.0-15 - Type:bugfix - CVE:NA -- Gitee