
Conversation

@pvts-mat (Contributor) commented Dec 30, 2025

CVE-2024-0607 VULN-42268
CVE-2024-0193 VULN-6825
CVE-2024-42109 VULN-44483
CVE-2024-54031 VULN-5468
CVE-2024-35899 VULN-5127

About

This PR aims to supplement the netfilter patch set #668 regarding the omitted bugfixes.

Unlike in the previous PR, the CentOS 9 branches were not backported in full; instead, single commits addressing specific issues were picked. This approach was chosen because the main branches of concern (f875124, 3e3b830) were loosely coupled and none of the picks required prerequisites.

Previous netfilter PR bugfixes

The following list follows the table from comment #668 (comment), thus indirectly addressing all [FIXES] warnings indicated in #668 (comment).

8daa8fd netfilter: nf_tables: Introduce NFT_MSG_GETRULE_RESET

[FIXES] PR commit 6ae8fd31e0a9 (netfilter: nf_tables: Introduce
        NFT_MSG_GETRULE_RESET) references upstream commit 8daa8fde3fc3, which
        has Fixes tags:

    ea078ae9108e netfilter: nf_tables: Audit log rule reset (Phil Sutter)

This commit was eventually omitted in the second revision of the PR, so the fix doesn't apply.

f80a612 netfilter: nf_tables: add support to destroy operation

[FIXES] PR commit a4771f950250 (netfilter: nf_tables: add support to destroy
        operation) references upstream commit f80a612dd77c, which has Fixes
        tags:

    a7d5a955bfa8 netfilter: nf_tables: bogus ENOENT when destroying element which does not exist (Pablo Neira Ayuso)

This commit was eventually omitted in the second revision of the PR, so the fix doesn't apply.

079cd63 netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET

[FIXES] PR commit b39b3ba76ed5 (netfilter: nf_tables: Introduce
        NFT_MSG_GETSETELEM_RESET) references upstream commit 079cd633219d, which
        has Fixes tags:

    4c90bba60c26 netfilter: nf_tables: do not refresh timeout when resetting element (Pablo Neira Ayuso)
    7e9be1124dbe netfilter: nf_tables: Audit log setelem reset (Phil Sutter)

This commit was eventually omitted in the second revision of the PR, so the fixes don't apply.

212ed75 netfilter: nf_tables: integrate pipapo into commit protocol

[FIXES] PR commit dfc61266e1a1 (netfilter: nf_tables: integrate pipapo into
        commit protocol) references upstream commit 212ed75dc5fb, which has
        Fixes tags:

    ebd032fa8818 netfilter: nf_tables: do not remove elements if set backend implements .abort (Pablo Neira Ayuso)

The fixing commit ebd032f was later reverted upstream by f86fb94. The fix may therefore be considered void.

2b84e21 netfilter: nft_set_pipapo: .walk does not deal with generations

[FIXES] PR commit ba24727bdd7b (netfilter: nft_set_pipapo: .walk does not deal
        with generations) references upstream commit 2b84e215f874, which has
        Fixes tags:

    29b359cf6d95 netfilter: nft_set_pipapo: walk over current view on netlink dump (Pablo Neira Ayuso) (CVE-2024-27017)

This fix will be covered in a separate PR along with the CVE-2024-27012 fix. See below.

628bd3e netfilter: nf_tables: drop map element references from preparation phase

[FIXES] PR commit 70c31adf2efe (netfilter: nf_tables: drop map element
        references from preparation phase) references upstream commit
        628bd3e49cba, which has Fixes tags:

    e79b47a8615d netfilter: nf_tables: restore set elements when delete set fails (Pablo Neira Ayuso) (CVE-2024-27012)

The fix requires extensive adaptations to ciqlts9_2 that could not have been avoided with a reasonable number of prerequisites. It was decided to leave it for a separate PR.

5f68718 netfilter: nf_tables: GC transaction API to avoid race with control plane

[FIXES] PR commit 66663eb40599 (netfilter: nf_tables: GC transaction API to
        avoid race with control plane) references upstream commit 5f68718b34a5,
        which has Fixes tags:

    6b1ca88e4bb6 netfilter: nf_tables: skip dead set elements in netlink dump (Pablo Neira Ayuso)
    08e4c8c5919f netfilter: nf_tables: mark newset as dead on transaction abort (Florian Westphal)
    7315dc1e122c netfilter: nf_tables: skip set commit for deleted/destroyed sets (Pablo Neira Ayuso)

All fixes were included in the PR.

netfilter: nf_tables: skip dead set elements in netlink dump

jira VULN-430
cve-bf CVE-2023-4244
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 6b1ca88e4bb63673dc9f9c7f23c899f22c3cb17a

netfilter: nf_tables: mark newset as dead on transaction abort

jira VULN-430
subsystem-update centos-stream-9 f8751245d3174ab38a11084355955fdf8ff4d53d
cve-bf CVE-2023-4244
commit-author Florian Westphal <fw@strlen.de>
commit 08e4c8c5919fd405a4d709b4ba43d836894a26eeb

netfilter: nf_tables: skip set commit for deleted/destroyed sets

jira VULN-6825
subsystem-update centos-stream-9 f8751245d3174ab38a11084355955fdf8ff4d53d
cve CVE-2024-0193
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a

f6c383b netfilter: nf_tables: adapt set backend to use GC transaction API

[FIXES] PR commit 893218018f7d (netfilter: nf_tables: adapt set backend to use
        GC transaction API) references upstream commit f6c383b8c31a, which has
        Fixes tags:

    7ffc7481153b netfilter: nft_set_hash: skip duplicated elements pending gc run (Pablo Neira Ayuso)
    ffb40fba4045 netfilter: nft_set_pipapo: prefer gfp_kernel allocation (Florian Westphal)

All fixes were included in the PR.

netfilter: nft_set_pipapo: prefer gfp_kernel allocation

jira VULN-158865
subsystem-update centos-stream-9 f8751245d3174ab38a11084355955fdf8ff4d53d
cve-bf CVE-2023-52923
commit-author Florian Westphal <fw@strlen.de>
commit ffb40fba404561f141d37e5878ec542b67464d74

netfilter: nft_set_hash: skip duplicated elements pending gc run

jira VULN-158865
cve-bf CVE-2023-52923
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7ffc7481153bbabf3332c6a19b289730c7e1edf5

The bugfix for "netfilter: nft_set_hash: skip duplicated elements pending gc run", which has a separate CVE:

netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

jira VULN-5468
cve CVE-2024-54031
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4

2c9f029 netfilter: nf_tables: flush pending destroy work before netlink notifier

[FIXES] PR commit 63df5313037e (netfilter: nf_tables: flush pending destroy work
        before netlink notifier) references upstream commit 2c9f0293280e, which
        has Fixes tags:

    9f6958ba2e90 netfilter: nf_tables: unconditionally flush pending work before notifier (Florian Westphal) (CVE-2024-42109)

The fix was included in the PR.

netfilter: nf_tables: unconditionally flush pending work before notifier

jira VULN-44483
cve CVE-2024-42109
commit-author Florian Westphal <fw@strlen.de>
commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0

netfilter: nf_tables: make destruction work queue pernet

jira VULN-44483
cve-bf CVE-2024-42109
commit-author Florian Westphal <fw@strlen.de>
commit fb8286562ecfb585e26b033c5e32e6fb85efb0b3
upstream-diff Context conflicts only

9dad402 netfilter: nf_tables: expose opaque set element as struct nft_elem_priv

[FIXES] PR commit a35dbfa4febc (netfilter: nf_tables: expose opaque set element
        as struct nft_elem_priv) references upstream commit 9dad402b89e8, which
        has Fixes tags:

    ab0beafd52b9 netfilter: nft_set_pipapo: remove static in nft_pipapo_get() (Pablo Neira Ayuso)

The fix was included in the PR.

netfilter: nft_set_pipapo: remove static in nft_pipapo_get()

jira VULN-430
cve-bf CVE-2023-4244
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit ab0beafd52b98dfb8b8244b2c6794efbc87478db

Additional fixes

CVE-2024-0607

An additional fix was included which doesn't address any specific commit from the netfilter PR but has CVE-2024-0607 assigned and is part of the CentOS 9 branch f875124, which is (partially) backported here with the fixes 7315dc1, 08e4c8c and ffb40fb.

netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

jira VULN-42268
subsystem-update centos-stream-9 f8751245d3174ab38a11084355955fdf8ff4d53d
cve CVE-2024-0607
commit-author Florian Westphal <fwestpha@redhat.com>
commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63
upstream-diff ciqlts9_4 backport e7fce923c6297083b2248349a26eeb5d800f576e used for clean cherry-pick

CVE-2024-35899

As requested by @kerneltoast in #794 (review), the backport of 24cea96 was added in order to make sure the nf_tables_trans_destroy_flush_work() call removed by the backported fb82865 won't be added in the future by mistake. This commit is associated with its own CVE-2024-35899.

netfilter: nf_tables: flush pending destroy work before exit_net release

jira VULN-5127
cve CVE-2024-35899
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 24cea9677025e0de419989ecb692acd4bb34cac2

kABI check: passed

[1/2] kabi_check_kernel	Check ABI of kernel [ciqlts9_2-CVE-batch-14]	_kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-14
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-14/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-14/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed

Reference

kselftests--ciqlts9_2--run1.log
kselftests--ciqlts9_2--run2.log

Patch

kselftests--ciqlts9_2-CVE-batch-14--run1.log
kselftests--ciqlts9_2-CVE-batch-14--run2.log
kselftests--ciqlts9_2-CVE-batch-14--run3.log
kselftests--ciqlts9_2-CVE-batch-14--run4.log
kselftests--ciqlts9_2-CVE-batch-14--run5.log

Comparison

The test results for the reference and the patch are the same.

$ ktests.xsh diff  kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2--run2.log
Status2   kselftests--ciqlts9_2-CVE-batch-14--run1.log
Status3   kselftests--ciqlts9_2-CVE-batch-14--run2.log
Status4   kselftests--ciqlts9_2-CVE-batch-14--run3.log
Status5   kselftests--ciqlts9_2-CVE-batch-14--run4.log
Status6   kselftests--ciqlts9_2-CVE-batch-14--run5.log

TestCase                              Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
netfilter:conntrack_icmp_related.sh   pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh  pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_vrf.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipip-conntrack-mtu.sh       pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipvs.sh                     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nf_nat_edemux.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_conntrack_helper.sh     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_fib.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_meta.sh                 pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_queue.sh                pass     pass     pass     pass     pass     pass     pass     same
netfilter:rpath.sh                    pass     pass     pass     pass     pass     pass     pass     same

@kerneltoast (Collaborator) left a comment


commit-author is wrong on 829afdf58cc29 netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval(); it incorrectly lists the author of the RHEL backport commit that was used instead of the author of the commit listed in the commit field.

Also, backport upstream commit 24cea9677025e netfilter: nf_tables: flush pending destroy work before exit_net release and put it right before 9524d09dd9f14 netfilter: nf_tables: make destruction work queue pernet. The reason is that 9524d09 is supposed to delete the nf_tables_trans_destroy_flush_work() call from nf_tables_module_exit(), which was added by 24cea96. So we should have 24cea96 picked in the history so that we know not to backport 24cea96 in the future.

@pvts-mat pvts-mat force-pushed the ciqlts9_2-CVE-batch-14 branch from 2e7b321 to 0e59c88 on January 2, 2026 19:40
@pvts-mat pvts-mat changed the title from "[LTS 9.2] netfilter: CVE-2024-0607, CVE-2024-0193, CVE-2024-42109, CVE-2024-54031 + non-CVE bugfixes" to "[LTS 9.2] netfilter: CVE-2024-0607, CVE-2024-0193, CVE-2024-42109, CVE-2024-54031, CVE-2024-35899 + non-CVE bugfixes" on Jan 2, 2026
@pvts-mat pvts-mat requested a review from kerneltoast January 5, 2026 14:20
@kerneltoast (Collaborator) left a comment


🚢

jira VULN-42268
subsystem-update centos-stream-9 f875124
cve CVE-2024-0607
commit-author Dan Carpenter <dan.carpenter@linaro.org>
commit c301f09
upstream-diff Conflicts resolution:
  include/net/netfilter/nf_tables.h
        Accounted for the missing 7278b3c
        which introduced new functions getting in the way. No actual diff
        in the end.
  net/netfilter/nft_byteorder.c
        Accounted for the missing
        d86473b. Preserved the change on
        the first argument of `nft_reg_store64()' call.

The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on...  On each
iteration we are writing 8 bytes.  But dst[] is an array of u32 so each
element only has space for 4 bytes.  That means that every iteration
overwrites part of the previous element.

I spotted this bug while reviewing commit caf3ef7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue.  I think that the reason we have not detected this bug in testing
is that most of time we only write one element.

Fixes: ce1e798 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
	Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit c301f09)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
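The write-stride mistake the commit message describes, as an added example in user-space C that is neither kernel code nor part of this PR: the register file is modelled as an array of uint32_t, a buggy NTOH loop steps the destination by u32 element while storing 8 bytes per iteration, and the fixed loop steps through a u64 view the way the hunks' `dst64` does. The helper names, the two constructed 64-bit inputs and the choice to also read the source through a 64-bit view (for clarity; the page's hunks show only the destination change) are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code. Models the write-stride bug in
 * nft_byteorder_eval(): the register file is an array of u32, each
 * iteration stores 8 bytes, so stepping the destination by u32 element
 * (&dst[i]) starts write i+1 only 4 bytes after write i and clobbers its
 * upper half. Stepping through a u64 view (&dst64[i]) advances 8 bytes. */

#define REG_WORDS 8              /* u32 slots in the modelled register file */

/* Unaligned 64-bit store, standing in for nft_reg_store64(). */
static void reg_store64(void *dreg, uint64_t val)
{
    memcpy(dreg, &val, sizeof(val));
}

/* Unaligned 64-bit load, standing in for nft_reg_load64(). */
static uint64_t reg_load64(const void *sreg)
{
    uint64_t v;
    memcpy(&v, sreg, sizeof(v));
    return v;
}

/* Byte reversal standing in for be64_to_cpu(); applied symmetrically on
 * input construction and conversion so the example behaves the same on
 * any host byte order. */
static uint64_t swap64(uint64_t x)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++)
        r = (r << 8) | ((x >> (8 * i)) & 0xffu);
    return r;
}

/* Buggy form: destination stepped with u32 stride. `len` is in bytes.
 * The source is read through a u64 view in both forms (example's choice). */
static void ntoh64_buggy(uint32_t *dst, const uint32_t *src, unsigned len)
{
    const uint64_t *src64 = (const uint64_t *)src;
    for (unsigned i = 0; i < len / 8; i++)
        reg_store64(&dst[i], swap64(reg_load64(&src64[i])));
}

/* Fixed form: destination stepped through a u64 view, as dst64 in the fix. */
static void ntoh64_fixed(uint32_t *dst, const uint32_t *src, unsigned len)
{
    const uint64_t *src64 = (const uint64_t *)src;
    uint64_t *dst64 = (uint64_t *)dst;
    for (unsigned i = 0; i < len / 8; i++)
        reg_store64(&dst64[i], swap64(reg_load64(&src64[i])));
}

#define WORD_A 0x0102030405060708ULL   /* constructed inputs */
#define WORD_B 0x1112131415161718ULL

/* Converts two constructed 64-bit words with either form. Writes what the
 * destination holds into out[2] and returns 1 only if both words survived. */
static int convert_two_words(int use_fixed, uint64_t out[2])
{
    _Alignas(8) uint32_t src[REG_WORDS] = {0};
    _Alignas(8) uint32_t dst[REG_WORDS] = {0};

    reg_store64(&src[0], swap64(WORD_A));   /* "network order" input */
    reg_store64(&src[2], swap64(WORD_B));

    if (use_fixed)
        ntoh64_fixed(dst, src, 16);
    else
        ntoh64_buggy(dst, src, 16);

    out[0] = reg_load64(&dst[0]);
    out[1] = reg_load64(&dst[2]);
    return out[0] == WORD_A && out[1] == WORD_B;
}

/* With u32 stride the second store lands 4 bytes in, so the second word is lost. */
static int buggy_clobbers_second_word(void)
{
    uint64_t out[2];
    convert_two_words(0, out);
    return out[1] != WORD_B;
}

/* With the u64 view both words come out intact. */
static int fixed_preserves_both_words(void)
{
    uint64_t out[2];
    return convert_two_words(1, out);
}

int main(void)
{
    printf("buggy clobbers second word: %d\n", buggy_clobbers_second_word());
    printf("fixed preserves both words: %d\n", fixed_preserves_both_words());
    return 0;
}
```

With `len` of 16 the buggy loop runs twice: the first store fills bytes 0 to 7, the second starts at byte 4 and overwrites the upper half of the first word while leaving bytes 12 to 15 untouched, which is the "overwrites part of the previous element" effect in the message; with a single element (`len` of 8) both forms behave identically, which is why the commit notes the bug was hard to catch in testing.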
jira VULN-6825
subsystem-update centos-stream-9 f875124
cve CVE-2024-0193
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7315dc1

NFT_MSG_DELSET deactivates all elements in the set, skip
set->ops->commit() to avoid the unnecessary clone (for the pipapo case)
as well as the sync GC cycle, which could deactivate again expired
elements in such set.

Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Reported-by: Kevin Rich <kevinrich1337@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7315dc1)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-430
subsystem-update centos-stream-9 f875124
cve-bf CVE-2023-4244
commit-author Florian Westphal <fw@strlen.de>
commit 08e4c8c

If a transaction is aborted, we should mark the to-be-released NEWSET dead,
just like commit path does for DEL and DESTROYSET commands.

In both cases all remaining elements will be released via
set->ops->destroy().

The existing abort code does NOT post the actual release to the work queue.
Also the entire __nf_tables_abort() function is wrapped in gc_seq
begin/end pair.

Therefore, async gc worker will never try to release the pending set
elements, as gc sequence is always stale.

It might be possible to speed up transaction aborts via work queue too,
this would result in a race and a possible use-after-free.

So fix this before it becomes an issue.

Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 08e4c8c)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-158865
subsystem-update centos-stream-9 f875124
cve-bf CVE-2023-52923
commit-author Florian Westphal <fw@strlen.de>
commit ffb40fb

No need to use GFP_ATOMIC here.

Fixes: f6c383b ("netfilter: nf_tables: adapt set backend to use GC transaction API")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ffb40fb)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-430
cve-bf CVE-2023-4244
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 6b1ca88

Delete from packet path relies on the garbage collector to purge
elements with NFT_SET_ELEM_DEAD_BIT on.

Skip these dead elements from nf_tables_dump_setelem() path, I very
rarely see tests/shell/testcases/maps/typeof_maps_add_delete reports
[DUMP FAILED] showing a mismatch in the expected output with an element
that should not be there.

If the netlink dump happens before GC worker run, it might show dead
elements in the ruleset listing.

nft_rhash_get() already skips dead elements in nft_rhash_cmp(),
therefore, it already does not show the element when getting a single
element via netlink control plane.

Fixes: 5f68718 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 6b1ca88)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-430
cve-bf CVE-2023-4244
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit ab0beaf

This has slipped through when reducing memory footprint for set
elements, remove it.

Fixes: 9dad402 ("netfilter: nf_tables: expose opaque set element as struct nft_elem_priv")
	Reported-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ab0beaf)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-44483
cve CVE-2024-42109
commit-author Florian Westphal <fw@strlen.de>
commit 9f6958b

syzbot reports:

KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
[..]
Workqueue: events nf_tables_trans_destroy_work
Call Trace:
 nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
 nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
 nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597

Problem is that the notifier does a conditional flush, but it's possible
that the table-to-be-removed is still referenced by transactions being
processed by the worker, so we need to flush unconditionally.

We could make the flush_work depend on whether we found a table to delete
in nf-next to avoid the flush for most cases.

AFAICS this problem is only exposed in nf-next, with
commit e169285 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
with this commit applied there is an unconditional fetch of
table->family which is what's triggering the above splat.

Fixes: 2c9f029 ("netfilter: nf_tables: flush pending destroy work before netlink notifier")
Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 9f6958b)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-5127
cve CVE-2024-35899
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 24cea96

Similar to 2c9f029 ("netfilter: nf_tables: flush pending destroy
work before netlink notifier") to address a race between exit_net and
the destroy workqueue.

The trace below shows an element to be released via destroy workqueue
while exit_net path (triggered via module removal) has already released
the set that is used in such transaction.

[ 1360.547789] BUG: KASAN: slab-use-after-free in nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.547861] Read of size 8 at addr ffff888140500cc0 by task kworker/4:1/152465
[ 1360.547870] CPU: 4 PID: 152465 Comm: kworker/4:1 Not tainted 6.8.0+ #359
[ 1360.547882] Workqueue: events nf_tables_trans_destroy_work [nf_tables]
[ 1360.547984] Call Trace:
[ 1360.547991]  <TASK>
[ 1360.547998]  dump_stack_lvl+0x53/0x70
[ 1360.548014]  print_report+0xc4/0x610
[ 1360.548026]  ? __virt_addr_valid+0xba/0x160
[ 1360.548040]  ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 1360.548054]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548176]  kasan_report+0xae/0xe0
[ 1360.548189]  ? nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548312]  nf_tables_trans_destroy_work+0x3f5/0x590 [nf_tables]
[ 1360.548447]  ? __pfx_nf_tables_trans_destroy_work+0x10/0x10 [nf_tables]
[ 1360.548577]  ? _raw_spin_unlock_irq+0x18/0x30
[ 1360.548591]  process_one_work+0x2f1/0x670
[ 1360.548610]  worker_thread+0x4d3/0x760
[ 1360.548627]  ? __pfx_worker_thread+0x10/0x10
[ 1360.548640]  kthread+0x16b/0x1b0
[ 1360.548653]  ? __pfx_kthread+0x10/0x10
[ 1360.548665]  ret_from_fork+0x2f/0x50
[ 1360.548679]  ? __pfx_kthread+0x10/0x10
[ 1360.548690]  ret_from_fork_asm+0x1a/0x30
[ 1360.548707]  </TASK>

[ 1360.548719] Allocated by task 192061:
[ 1360.548726]  kasan_save_stack+0x20/0x40
[ 1360.548739]  kasan_save_track+0x14/0x30
[ 1360.548750]  __kasan_kmalloc+0x8f/0xa0
[ 1360.548760]  __kmalloc_node+0x1f1/0x450
[ 1360.548771]  nf_tables_newset+0x10c7/0x1b50 [nf_tables]
[ 1360.548883]  nfnetlink_rcv_batch+0xbc4/0xdc0 [nfnetlink]
[ 1360.548909]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
[ 1360.548927]  netlink_unicast+0x367/0x4f0
[ 1360.548935]  netlink_sendmsg+0x34b/0x610
[ 1360.548944]  ____sys_sendmsg+0x4d4/0x510
[ 1360.548953]  ___sys_sendmsg+0xc9/0x120
[ 1360.548961]  __sys_sendmsg+0xbe/0x140
[ 1360.548971]  do_syscall_64+0x55/0x120
[ 1360.548982]  entry_SYSCALL_64_after_hwframe+0x55/0x5d

[ 1360.548994] Freed by task 192222:
[ 1360.548999]  kasan_save_stack+0x20/0x40
[ 1360.549009]  kasan_save_track+0x14/0x30
[ 1360.549019]  kasan_save_free_info+0x3b/0x60
[ 1360.549028]  poison_slab_object+0x100/0x180
[ 1360.549036]  __kasan_slab_free+0x14/0x30
[ 1360.549042]  kfree+0xb6/0x260
[ 1360.549049]  __nft_release_table+0x473/0x6a0 [nf_tables]
[ 1360.549131]  nf_tables_exit_net+0x170/0x240 [nf_tables]
[ 1360.549221]  ops_exit_list+0x50/0xa0
[ 1360.549229]  free_exit_list+0x101/0x140
[ 1360.549236]  unregister_pernet_operations+0x107/0x160
[ 1360.549245]  unregister_pernet_subsys+0x1c/0x30
[ 1360.549254]  nf_tables_module_exit+0x43/0x80 [nf_tables]
[ 1360.549345]  __do_sys_delete_module+0x253/0x370
[ 1360.549352]  do_syscall_64+0x55/0x120
[ 1360.549360]  entry_SYSCALL_64_after_hwframe+0x55/0x5d

(gdb) list *__nft_release_table+0x473
0x1e033 is in __nft_release_table (net/netfilter/nf_tables_api.c:11354).
11349           list_for_each_entry_safe(flowtable, nf, &table->flowtables, list) {
11350                   list_del(&flowtable->list);
11351                   nft_use_dec(&table->use);
11352                   nf_tables_flowtable_destroy(flowtable);
11353           }
11354           list_for_each_entry_safe(set, ns, &table->sets, list) {
11355                   list_del(&set->list);
11356                   nft_use_dec(&table->use);
11357                   if (set->flags & (NFT_SET_MAP | NFT_SET_OBJECT))
11358                           nft_map_deactivate(&ctx, set);
(gdb)

[ 1360.549372] Last potentially related work creation:
[ 1360.549376]  kasan_save_stack+0x20/0x40
[ 1360.549384]  __kasan_record_aux_stack+0x9b/0xb0
[ 1360.549392]  __queue_work+0x3fb/0x780
[ 1360.549399]  queue_work_on+0x4f/0x60
[ 1360.549407]  nft_rhash_remove+0x33b/0x340 [nf_tables]
[ 1360.549516]  nf_tables_commit+0x1c6a/0x2620 [nf_tables]
[ 1360.549625]  nfnetlink_rcv_batch+0x728/0xdc0 [nfnetlink]
[ 1360.549647]  nfnetlink_rcv+0x1a8/0x1e0 [nfnetlink]
[ 1360.549671]  netlink_unicast+0x367/0x4f0
[ 1360.549680]  netlink_sendmsg+0x34b/0x610
[ 1360.549690]  ____sys_sendmsg+0x4d4/0x510
[ 1360.549697]  ___sys_sendmsg+0xc9/0x120
[ 1360.549706]  __sys_sendmsg+0xbe/0x140
[ 1360.549715]  do_syscall_64+0x55/0x120
[ 1360.549725]  entry_SYSCALL_64_after_hwframe+0x55/0x5d

Fixes: 0935d55 ("netfilter: nf_tables: asynchronous release")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 24cea96)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-44483
cve-bf CVE-2024-42109
commit-author Florian Westphal <fw@strlen.de>
commit fb82865
upstream-diff Context conflicts only

The call to flush_work before tearing down a table from the netlink
notifier was supposed to make sure that all earlier updates (e.g. rule
add) that might reference that table have been processed.

Unfortunately, flush_work() waits for the last queued instance.
This could be an instance that is different from the one that we must
wait for.

This is because transactions are protected with a pernet mutex, but the
work item is global, so holding the transaction mutex doesn't prevent
another netns from queueing more work.

Make the work item pernet so that flush_work() will wait for all
transactions queued from this netns.

A welcome side effect is that we no longer need to wait for transaction
objects from foreign netns.

The gc work queue is still global.  This seems to be ok because nft_set
structures are reference counted and each container structure owns a
reference on the net namespace.

The destroy_list is still protected by a global spinlock rather than
pernet one but the hold time is very short anyway.

v2: call cancel_work_sync before reaping the remaining tables (Pablo).

Fixes: 9f6958b ("netfilter: nf_tables: unconditionally flush pending work before notifier")
	Reported-by: syzbot+5d8c5789c8cb076b2c25@syzkaller.appspotmail.com
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit fb82865)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-158865
cve-bf CVE-2023-52923
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7ffc748

rhashtable does not provide a stable walk; duplicated elements are
possible in case of resizing. I considered that checking for errors when
calling rhashtable_walk_next() was sufficient to detect the resizing.
However, rhashtable_walk_next() returns -EAGAIN only at the end of the
iteration, which is too late, because a gc work containing duplicated
elements could have already been scheduled for removal to the worker.

Add a u32 gc worker sequence number per set, bump it on every workqueue
run. Annotate gc worker sequence number on the expired element. Use it
to skip those already seen in this gc workqueue run.

Note that this new field is never reset in case gc transaction fails, so
next gc worker run on the expired element overrides it. Wraparound of gc
worker sequence number should not be an issue with stale gc worker
sequence number in the element, that would just postpone the element
removal in one gc run.

Note that it is not possible to use flags to annotate that an element is
pending a gc run in order to detect duplicates, given that the gc
transaction can be invalidated in case of an update from the control
plane, which leaves no way to clear such a flag.

On x86_64, pahole reports no changes in the size of nft_rhash_elem.

Fixes: f6c383b ("netfilter: nf_tables: adapt set backend to use GC transaction API")
	Reported-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
	Tested-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7ffc748)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
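The per-set gc worker sequence number described above, as an added example in user-space C that is neither kernel code nor part of this PR: a constructed walk order stands in for an rhashtable walk that yields one expired element twice after a resize, and each gc run annotates the expired elements it queues with the run's sequence number so the duplicate is skipped. It also shows the wraparound case the message notes, where a stale annotation colliding with the current sequence only postpones the element to the next run. The struct layouts, the walk order and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not kernel code. Models the per-set gc worker sequence
 * number: an rhashtable walk is not stable across a resize and may yield
 * the same expired element twice, so each expired element is annotated
 * with the sequence number of the gc run that queued it, and a run skips
 * elements it has already seen. Layouts and names are this example's own. */

#define MAX_ELEMS 8
#define MAX_QUEUE 16

struct elem {
    int id;
    int expired;
    uint32_t gc_seq;   /* gc run that last queued this element for removal */
};

struct set {
    struct elem elems[MAX_ELEMS];
    size_t nelems;
    uint32_t gc_seq;   /* bumped on every gc worker run */
};

/* Constructed walk order: stands in for a walk disturbed by a resize,
 * yielding element 1 twice. */
static const size_t unstable_walk[] = { 0, 1, 2, 1, 3 };
#define WALK_LEN (sizeof(unstable_walk) / sizeof(unstable_walk[0]))

/* One gc worker run over the set. Expired elements are queued for removal
 * into `queue`; returns how many entries were queued. With `dedup` set,
 * an element already annotated with this run's sequence number is skipped. */
static size_t gc_run(struct set *s, int dedup, int queue[MAX_QUEUE])
{
    size_t queued = 0;

    s->gc_seq++;   /* one bump per run; a wraparound only delays an element once */

    for (size_t w = 0; w < WALK_LEN; w++) {
        struct elem *e = &s->elems[unstable_walk[w]];

        if (!e->expired)
            continue;
        if (dedup && e->gc_seq == s->gc_seq)
            continue;          /* duplicate yielded by the unstable walk */
        e->gc_seq = s->gc_seq; /* annotate; never reset even if the gc transaction fails */

        if (queued < MAX_QUEUE)
            queue[queued++] = e->id;
    }
    return queued;
}

/* Constructed set of four elements; bit i of `expired_mask` marks element i expired. */
static void init_set(struct set *s, unsigned expired_mask)
{
    s->nelems = 4;
    s->gc_seq = 0;
    for (size_t i = 0; i < s->nelems; i++) {
        s->elems[i].id = (int)i;
        s->elems[i].expired = (expired_mask >> i) & 1u;
        s->elems[i].gc_seq = 0;
    }
}

/* Elements 1 and 3 expired: without dedup the walk queues element 1 twice
 * (3 entries), with dedup each expired element is queued once (2 entries). */
static size_t count_queued(int dedup)
{
    struct set s;
    int queue[MAX_QUEUE];

    init_set(&s, 0xau);
    return gc_run(&s, dedup, queue);
}

/* Wraparound case from the commit message: a stale annotation that happens
 * to equal the next run's sequence number makes that run skip the element,
 * and the run after it queues the element. Returns 1 if that is observed. */
static int stale_seq_only_postpones(void)
{
    struct set s;
    int queue[MAX_QUEUE];

    init_set(&s, 0x8u);        /* only element 3 expired */
    s.elems[3].gc_seq = 1;     /* stale value colliding with run #1 */
    size_t first = gc_run(&s, 1, queue);    /* skipped this run: 0 queued */
    size_t second = gc_run(&s, 1, queue);   /* seq 2 != 1: queued */
    return first == 0 && second == 1;
}

int main(void)
{
    printf("no dedup: %zu queued, dedup: %zu queued, stale seq postpones: %d\n",
           count_queued(0), count_queued(1), stale_seq_only_postpones());
    return 0;
}
```

The double entry in the non-dedup run is the situation the message warns about: the same element would be handed to the worker twice for removal. The model never clears `gc_seq` after a run, matching the note that the field is not reset when a gc transaction fails; a later run simply overrides it.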
@pvts-mat pvts-mat force-pushed the ciqlts9_2-CVE-batch-14 branch from 0e59c88 to 70905db on January 7, 2026 19:53
@bmastbergen bmastbergen self-requested a review January 7, 2026 20:29
@bmastbergen (Collaborator) left a comment


🥌

github-actions bot commented Jan 8, 2026

🤖 Validation Checks In Progress Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20828438444

github-actions bot commented Jan 8, 2026

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit 764a427335f (netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()) references CVE-2024-0607 but
    upstream commit c301f0981fdd has no CVE assigned

  • ❌ PR commit 715300361a3 (netfilter: nf_tables: skip set commit for deleted/destroyed sets) references CVE-2024-0193 but
    upstream commit 7315dc1e122c has no CVE assigned

This is an automated message from the kernel commit checker workflow.

github-actions bot commented Jan 8, 2026

🔍 Interdiff Analysis

  • ⚠️ PR commit 764a427335f (netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()) → upstream c301f0981fdd
    Differences found:
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -144,4 +144,4 @@
-	return *(__force __be32 *)sreg;
+	return *(u16 *)sreg;
 }
 
 static inline void nft_reg_store64(u64 *dreg, u64 val)
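Review bot: the `-return *(__force __be32 *)sreg;` / `+return *(u16 *)sreg;` pair is surrounding header code that differs between this branch and upstream, not something either commit changes, and the `nft_reg_store64(u64 *dreg, u64 val)` prototype appears only as unchanged context, consistent with both patches declaring it the same way. That agrees with the commit's upstream-diff note that there is no actual diff in include/net/netfilter/nf_tables.h once the missing 7278b3c is accounted for; no change needed, but the header should be reviewed from the PR's own diff, since the interdiff cannot align this region.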
diff -u b/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
--- b/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -42,13 +43,13 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 		u64 src64;
 
 		switch (priv->op) {
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i], be64_to_cpu(src64));
+				nft_reg_store64(&dst64[i], be64_to_cpu(src64));
 			}
 			break;
 		case NFT_BYTEORDER_HTON:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
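Review bot: the `INTERDIFF: rejected hunk from patch1, cannot diff context` marker means this hunk is the PR commit's own change shown in isolation rather than a difference from upstream; the `&dst[i]` to `&dst64[i]` switch in the NTOH loop is the intended fix. Because the tool could not align the two patches here, the NTOH and HTON loops should be compared against upstream c301f0981fdd by hand instead of relying on this output.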
@@ -45,7 +46,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i],
+				nft_reg_store64(&dst64[i],
 						be64_to_cpu((__force __be64)src64));
 			}
 			break;
@@ -45,14 +45,14 @@
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i],
-						be64_to_cpu((__force __be64)src64));
+				nft_reg_store64(&dst[i], be64_to_cpu(src64));
 			}
 			break;
+		case NFT_BYTEORDER_HTON:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
-				nft_reg_store64(&dst[i], src64);
+				nft_reg_store64(&dst64[i], src64);
 			}
 			break;
 		}
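Review bot: this hunk shows the NTOH store as `nft_reg_store64(&dst[i], ...)` on both sides (the two sides differ only by the `(__force __be64)` cast, which the commit's note about the missing d86473b explains), while the HTON store goes from `&dst[i]` to `&dst64[i]`. The asymmetry is an artifact of the rejected hunks above, but it is exactly the pattern that would mask a `dst64` missed in one of the two loops, so confirm directly that the backport's NTOH loop also stores through `dst64` before merging.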
@@ -52,7 +53,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
-				nft_reg_store64(&dst[i], src64);
+				nft_reg_store64(&dst64[i], src64);
 			}
 			break;
 		}
  • ⚠️ PR commit 7a0da446b3c (netfilter: nf_tables: skip dead set elements in netlink dump) → upstream 6b1ca88e4bb6
    Differences found:
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5376,4 +5376,4 @@
-	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 	struct nft_set_dump_args *args;
 
 	if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
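Review bot: the single differing line is the accessor argument, `nft_set_elem_ext(set, elem_priv)` against `nft_set_elem_ext(set, elem->priv)`, which is how the dump callback receives the element in each tree rather than part of the fix; the check this commit adds, `if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))`, is shown as common context on both sides. A sentence in the PR description noting that the backport adapts the accessor to the tree's callback signature would save the next reviewer from re-deriving this each time the interdiff bot flags it.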
  • ⚠️ PR commit e1f68506eeb (netfilter: nf_tables: make destruction work queue pernet) → upstream fb8286562ecf
    Differences found:
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1665,9 +1665,9 @@
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
-	struct list_head	commit_set_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
+	struct list_head	notify_list;
 	unsigned int		base_seq;
 	unsigned int		gc_seq;
 	u8			validate_state;
@@ -1668,6 +1668,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
+	struct list_head	destroy_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
 	struct list_head	notify_list;
@@ -1905,6 +1905,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
+	struct list_head	destroy_list;
 	struct list_head	commit_set_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
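Review bot: both sides add the same member, `struct list_head destroy_list;`, directly after `commit_list` in `struct nftables_pernet`; the other differing lines, `commit_set_list` and `notify_list` being present in one tree and absent in the other, are neighbouring fields this commit does not touch, so this is context drift between the two trees and not a divergence in the fix. Nothing to change here; it is worth confirming only that the `INIT_LIST_HEAD` added in nf_tables_api.c names the same `destroy_list` field.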
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -118,4 +118,4 @@
-	table->validate_state = new_validate_state;
+	nft_net->validate_state = new_validate_state;
 }
 static void nf_tables_trans_destroy_work(struct work_struct *w);
 
@@ -10716,6 +10717,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 
 	INIT_LIST_HEAD(&nft_net->tables);
 	INIT_LIST_HEAD(&nft_net->commit_list);
+	INIT_LIST_HEAD(&nft_net->destroy_list);
 	INIT_LIST_HEAD(&nft_net->binding_list);
 	INIT_LIST_HEAD(&nft_net->module_list);
 	INIT_LIST_HEAD(&nft_net->notify_list);
@@ -10849,13 +10849,0 @@
-
-	INIT_LIST_HEAD(&nft_net->tables);
-	INIT_LIST_HEAD(&nft_net->commit_list);
-	INIT_LIST_HEAD(&nft_net->commit_set_list);
-	INIT_LIST_HEAD(&nft_net->binding_list);
-	INIT_LIST_HEAD(&nft_net->module_list);
-	nft_net->base_seq = 1;
-	nft_net->gc_seq = 0;
-	nft_net->validate_state = NFT_VALIDATE_SKIP;
-	INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work);
-
-	return 0;
-}
@@ -11896,6 +11897,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 
 	INIT_LIST_HEAD(&nft_net->tables);
 	INIT_LIST_HEAD(&nft_net->commit_list);
+	INIT_LIST_HEAD(&nft_net->destroy_list);
 	INIT_LIST_HEAD(&nft_net->commit_set_list);
 	INIT_LIST_HEAD(&nft_net->binding_list);
 	INIT_LIST_HEAD(&nft_net->module_list);

This is an automated interdiff check for backported commits.

@github-actions

github-actions bot commented Jan 8, 2026

JIRA PR Check Results

10 commit(s) with issues found:

Commit 70905dbf422d

Summary: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

❌ Errors:

  • VULN-5468: CVE mismatch - Commit has CVE-2024-54031 but VULN ticket does not
  • VULN-5468: Status is 'Done', expected 'In Progress'

⚠️ Warnings:

Commit a7010513299d

Summary: netfilter: nft_set_hash: skip duplicated elements pending gc run

❌ Errors:

  • VULN-158865: Status is 'Done', expected 'In Progress'

Commit e1f68506eeb0

Summary: netfilter: nf_tables: make destruction work queue pernet

❌ Errors:

  • VULN-44483: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-44483: No time logged - please log time manually

Commit c33557d90b41

Summary: netfilter: nf_tables: flush pending destroy work before exit_net release

⚠️ Warnings:

  • VULN-5127: No time logged - please log time manually

Commit b483d28f3cfc

Summary: netfilter: nf_tables: unconditionally flush pending work before notifier

❌ Errors:

  • VULN-44483: Status is 'To Do', expected 'In Progress'

⚠️ Warnings:

  • VULN-44483: No time logged - please log time manually

Commit d93f24a14688

Summary: netfilter: nft_set_pipapo: remove static in nft_pipapo_get()

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Commit 7a0da446b3c5

Summary: netfilter: nf_tables: skip dead set elements in netlink dump

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Commit 6a95098c8478

Summary: netfilter: nft_set_pipapo: prefer gfp_kernel allocation

❌ Errors:

  • VULN-158865: Status is 'Done', expected 'In Progress'

Commit 23bdfca33a76

Summary: netfilter: nf_tables: mark newset as dead on transaction abort

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Commit 764a427335f6

Summary: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

❌ Errors:

  • VULN-42268: Status is 'To Do', expected 'In Progress'

Summary: Checked 11 commit(s) total.

@github-actions

github-actions bot commented Jan 8, 2026

Validation checks completed with issues. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20828438444

@PlaidCat
Collaborator

PlaidCat commented Jan 8, 2026

🔍 Upstream Linux Kernel Commit Check

* ❌ PR commit `764a427335f (netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval())` references `CVE-2024-0607` but
  upstream commit `c301f0981fdd` has no CVE assigned

* ❌ PR commit `715300361a3 (netfilter: nf_tables: skip set commit for deleted/destroyed sets)` references `CVE-2024-0193` but
  upstream commit `7315dc1e122c` has no CVE assigned

This is an automated message from the kernel commit checker workflow.

This is not valid, as these are CVEs prior to the kernel CVE vuln database.

Collaborator

@PlaidCat PlaidCat left a comment

There are some updates needed; I'll post them all in a single commit.

@PlaidCat
Collaborator

PlaidCat commented Jan 8, 2026

Commit 70905dbf422d

Summary: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

❌ Errors:

* **VULN-5468**: CVE mismatch - Commit has [CVE-2024-54031](https://github.com/advisories/GHSA-3cpc-x5c2-65qq) but VULN ticket does not

* **VULN-5468**: Status is 'Done', expected 'In Progress'

This needs to be VULN-173657

Commit a7010513299d

Summary: netfilter: nft_set_hash: skip duplicated elements pending gc run

❌ Errors:

* **VULN-158865**: Status is 'Done', expected 'In Progress'

Commit d93f24a14688

Summary: netfilter: nft_set_pipapo: remove static in nft_pipapo_get()

❌ Errors:

* **VULN-430**: Status is 'Done', expected 'In Progress'

Commit 7a0da446b3c5

Summary: netfilter: nf_tables: skip dead set elements in netlink dump

❌ Errors:

* **VULN-430**: Status is 'Done', expected 'In Progress'

Commit 23bdfca33a76

Summary: netfilter: nf_tables: mark newset as dead on transaction abort

❌ Errors:

* **VULN-430**: Status is 'Done', expected 'In Progress'

Commit 764a427335f6

Summary: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()

This is fine, the JIRA checker doesn't handle cve-bf well it seems.

jira VULN-173657
cve CVE-2024-54031
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 542ed81

Access to genmask field in struct nft_set_ext results in unaligned
atomic read:

[   72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[   72.131036] Mem abort info:
[   72.131213]   ESR = 0x0000000096000021
[   72.131446]   EC = 0x25: DABT (current EL), IL = 32 bits
[   72.132209]   SET = 0, FnV = 0
[   72.133216]   EA = 0, S1PTW = 0
[   72.134080]   FSC = 0x21: alignment fault
[   72.135593] Data abort info:
[   72.137194]   ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[   72.142351]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[   72.145989]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[   72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[   72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403, pte=0068000102bb7707
[   72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[   72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G            E      6.13.0-rc3+ #2
[   72.170509] Tainted: [E]=UNSIGNED_MODULE
[   72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[   72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[   72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[   72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[   72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[   72.172546] sp : ffff800081f2bce0
[   72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[   72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[   72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[   72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[   72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[   72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[   72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[   72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[   72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[   72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[   72.176207] Call trace:
[   72.176316]  nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[   72.176653]  process_one_work+0x178/0x3d0
[   72.176831]  worker_thread+0x200/0x3f0
[   72.176995]  kthread+0xe8/0xf8
[   72.177130]  ret_from_fork+0x10/0x20
[   72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[   72.177557] ---[ end trace 0000000000000000 ]---

Align struct nft_set_ext to word size to address this and
document it.

pahole reports that this increases the size of elements for rhash and
pipapo by 8 bytes on x86_64.

Fixes: 7ffc748 ("netfilter: nft_set_hash: skip duplicated elements pending gc run")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 542ed81)
Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
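The alignment problem in the commit message above, as an added user-space model that is not the kernel's own code: a u32 gc sequence field inserted ahead of the extension header leaves its first byte, `genmask`, on a 4-byte boundary on a 64-bit target, and word-aligning the header moves it back at a cost of 8 bytes per element, the figure pahole reported. The struct and field names, `EXT_NUM` and the stand-in pointer fields are assumptions, not the kernel's definitions.

```c
/* Added example, not kernel code: user-space model of the element layout the
 * commit message describes. Names, EXT_NUM and the stand-in pointer fields are
 * assumptions; the kernel's real structs are nft_rhash_elem and nft_set_ext. */
#include <stdalign.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXT_NUM 9 /* extension slots in the header; a constructed value */

/* Header as it was before the fix: nothing forces word alignment. genmask is the
 * byte the gc path touches with bit operations, which on arm64 are word-sized
 * atomics and fault when the address is not word aligned. */
struct set_ext_before {
	uint8_t genmask;
	uint8_t offset[EXT_NUM];
};

/* After the fix: the header is aligned to the machine word, the user-space
 * spelling of the kernel's __aligned(BITS_PER_LONG / 8). */
struct set_ext_after {
	uint8_t genmask;
	uint8_t offset[EXT_NUM];
} __attribute__((aligned(sizeof(long))));

/* Modelled rhash element. wq_gc_seq is the u32 added by the Fixes: commit; on
 * a 64-bit target it leaves the unaligned header at a 4-byte boundary. */
struct rhash_elem_before {
	void *priv;    /* stands in for struct nft_elem_priv */
	void *node[2]; /* stands in for struct rhash_head */
	uint32_t wq_gc_seq;
	struct set_ext_before ext;
};

struct rhash_elem_after {
	void *priv;
	void *node[2];
	uint32_t wq_gc_seq;
	struct set_ext_after ext;
};

/* Compile-time regression guard: the header must start on a word boundary. */
_Static_assert(offsetof(struct rhash_elem_after, ext) % alignof(unsigned long) == 0,
	       "extension header must be word aligned");

/* Can a word-sized atomic be issued at this address without an alignment fault? */
bool word_aligned(const void *p) { return ((uintptr_t)p % alignof(unsigned long)) == 0; }
/* Where the genmask byte (first byte of ext) lands in each element type. */
size_t genmask_offset_before(void) { return offsetof(struct rhash_elem_before, ext); }
size_t genmask_offset_after(void) { return offsetof(struct rhash_elem_after, ext); }
/* Per-element size cost of the alignment, the number pahole reported. */
size_t size_growth(void) { return sizeof(struct rhash_elem_after) - sizeof(struct rhash_elem_before); }

int main(void)
{
	struct rhash_elem_before b = { 0 };
	struct rhash_elem_after a = { 0 };
	printf("before: genmask at %zu, word aligned %d\n",
	       genmask_offset_before(), word_aligned(&b.ext.genmask));
	printf("after:  genmask at %zu, word aligned %d, element grows by %zu bytes\n",
	       genmask_offset_after(), word_aligned(&a.ext.genmask), size_growth());
	return 0;
}
```

On x86_64 the misaligned access itself would succeed silently, which is why the model checks the address rather than performing the atomic; the `_Static_assert` is the check that would have caught the layout change at build time.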
@pvts-mat pvts-mat force-pushed the ciqlts9_2-CVE-batch-14 branch from 70905db to 169596a on January 8, 2026 20:34
@pvts-mat pvts-mat requested a review from PlaidCat January 8, 2026 20:37
@github-actions

github-actions bot commented Jan 8, 2026

🤖 Validation Checks In Progress. Workflow run: https://github.com/ctrliq/kernel-src-tree/actions/runs/20832390311

@github-actions

github-actions bot commented Jan 8, 2026

🔍 Upstream Linux Kernel Commit Check

  • ❌ PR commit 764a427335f (netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()) references CVE-2024-0607 but
    upstream commit c301f0981fdd has no CVE assigned

  • ❌ PR commit 715300361a3 (netfilter: nf_tables: skip set commit for deleted/destroyed sets) references CVE-2024-0193 but
    upstream commit 7315dc1e122c has no CVE assigned

This is an automated message from the kernel commit checker workflow.

@github-actions

github-actions bot commented Jan 8, 2026

🔍 Interdiff Analysis

  • ⚠️ PR commit 764a427335f (netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()) → upstream c301f0981fdd
    Differences found:
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -144,4 +144,4 @@
-	return *(__force __be32 *)sreg;
+	return *(u16 *)sreg;
 }
 
 static inline void nft_reg_store64(u64 *dreg, u64 val)
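Review bot: this hunk differs only in the body of the accessor that precedes `nft_reg_store64` in the header, `return *(__force __be32 *)sreg;` on one side and `return *(u16 *)sreg;` on the other, meaning the two trees have different helpers at that spot; the prototype this commit depends on, `static inline void nft_reg_store64(u64 *dreg, u64 val)`, is shown as common context on both sides, so there is no divergence in the fix and no action is needed.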
diff -u b/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
--- b/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -42,13 +43,13 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 		u64 src64;
 
 		switch (priv->op) {
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i], be64_to_cpu(src64));
+				nft_reg_store64(&dst64[i], be64_to_cpu(src64));
 			}
 			break;
 		case NFT_BYTEORDER_HTON:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
@@ -45,7 +46,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i],
+				nft_reg_store64(&dst64[i],
 						be64_to_cpu((__force __be64)src64));
 			}
 			break;
@@ -45,14 +45,14 @@
 		case NFT_BYTEORDER_NTOH:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = nft_reg_load64(&src[i]);
-				nft_reg_store64(&dst[i],
-						be64_to_cpu((__force __be64)src64));
+				nft_reg_store64(&dst[i], be64_to_cpu(src64));
 			}
 			break;
+		case NFT_BYTEORDER_HTON:
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
-				nft_reg_store64(&dst[i], src64);
+				nft_reg_store64(&dst64[i], src64);
 			}
 			break;
 		}
@@ -52,7 +53,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 			for (i = 0; i < priv->len / 8; i++) {
 				src64 = (__force __u64)
 					cpu_to_be64(nft_reg_load64(&src[i]));
-				nft_reg_store64(&dst[i], src64);
+				nft_reg_store64(&dst64[i], src64);
 			}
 			break;
 		}
  • ⚠️ PR commit 7a0da446b3c (netfilter: nf_tables: skip dead set elements in netlink dump) → upstream 6b1ca88e4bb6
    Differences found:
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5376,4 +5376,4 @@
-	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem_priv);
+	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
 	struct nft_set_dump_args *args;
 
 	if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
  • ⚠️ PR commit e1f68506eeb (netfilter: nf_tables: make destruction work queue pernet) → upstream fb8286562ecf
    Differences found:
diff -u b/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
--- b/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1665,9 +1665,9 @@
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
-	struct list_head	commit_set_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
+	struct list_head	notify_list;
 	unsigned int		base_seq;
 	unsigned int		gc_seq;
 	u8			validate_state;
@@ -1668,6 +1668,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
+	struct list_head	destroy_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
 	struct list_head	notify_list;
@@ -1905,6 +1905,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 struct nftables_pernet {
 	struct list_head	tables;
 	struct list_head	commit_list;
+	struct list_head	destroy_list;
 	struct list_head	commit_set_list;
 	struct list_head	binding_list;
 	struct list_head	module_list;
diff -u b/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
--- b/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -118,4 +118,4 @@
-	table->validate_state = new_validate_state;
+	nft_net->validate_state = new_validate_state;
 }
 static void nf_tables_trans_destroy_work(struct work_struct *w);
 
@@ -10716,6 +10717,7 @@ INTERDIFF: rejected hunk from patch1, cannot diff context
 
 	INIT_LIST_HEAD(&nft_net->tables);
 	INIT_LIST_HEAD(&nft_net->commit_list);
+	INIT_LIST_HEAD(&nft_net->destroy_list);
 	INIT_LIST_HEAD(&nft_net->binding_list);
 	INIT_LIST_HEAD(&nft_net->module_list);
 	INIT_LIST_HEAD(&nft_net->notify_list);
@@ -10849,13 +10849,0 @@
-
-	INIT_LIST_HEAD(&nft_net->tables);
-	INIT_LIST_HEAD(&nft_net->commit_list);
-	INIT_LIST_HEAD(&nft_net->commit_set_list);
-	INIT_LIST_HEAD(&nft_net->binding_list);
-	INIT_LIST_HEAD(&nft_net->module_list);
-	nft_net->base_seq = 1;
-	nft_net->gc_seq = 0;
-	nft_net->validate_state = NFT_VALIDATE_SKIP;
-	INIT_WORK(&nft_net->destroy_work, nf_tables_trans_destroy_work);
-
-	return 0;
-}
@@ -11896,6 +11897,7 @@ INTERDIFF: rejected hunk from patch2, cannot diff context
 
 	INIT_LIST_HEAD(&nft_net->tables);
 	INIT_LIST_HEAD(&nft_net->commit_list);
+	INIT_LIST_HEAD(&nft_net->destroy_list);
 	INIT_LIST_HEAD(&nft_net->commit_set_list);
 	INIT_LIST_HEAD(&nft_net->binding_list);
 	INIT_LIST_HEAD(&nft_net->module_list);

This is an automated interdiff check for backported commits.

@github-actions

github-actions bot commented Jan 8, 2026

JIRA PR Check Results

9 commit(s) with issues found:

Commit 169596a2c2e1

Summary: netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

⚠️ Warnings:

  • VULN-173657: No time logged - please log time manually

Commit a7010513299d

Summary: netfilter: nft_set_hash: skip duplicated elements pending gc run

❌ Errors:

  • VULN-158865: Status is 'Done', expected 'In Progress'

Commit e1f68506eeb0

Summary: netfilter: nf_tables: make destruction work queue pernet

⚠️ Warnings:

  • VULN-44483: No time logged - please log time manually

Commit c33557d90b41

Summary: netfilter: nf_tables: flush pending destroy work before exit_net release

⚠️ Warnings:

  • VULN-5127: No time logged - please log time manually

Commit b483d28f3cfc

Summary: netfilter: nf_tables: unconditionally flush pending work before notifier

⚠️ Warnings:

  • VULN-44483: No time logged - please log time manually

Commit d93f24a14688

Summary: netfilter: nft_set_pipapo: remove static in nft_pipapo_get()

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Commit 7a0da446b3c5

Summary: netfilter: nf_tables: skip dead set elements in netlink dump

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Commit 6a95098c8478

Summary: netfilter: nft_set_pipapo: prefer gfp_kernel allocation

❌ Errors:

  • VULN-158865: Status is 'Done', expected 'In Progress'

Commit 23bdfca33a76

Summary: netfilter: nf_tables: mark newset as dead on transaction abort

❌ Errors:

  • VULN-430: Status is 'Done', expected 'In Progress'

Summary: Checked 11 commit(s) total.

@github-actions

github-actions bot commented Jan 8, 2026

Validation checks completed with issues. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20832390311

@PlaidCat
Collaborator

PlaidCat commented Jan 8, 2026

Validation checks completed with issues. View full results: https://github.com/ctrliq/kernel-src-tree/actions/runs/20832390311

This can be ignored.

Collaborator

@PlaidCat PlaidCat left a comment

:shipit:

@PlaidCat PlaidCat merged commit 313dece into ctrliq:ciqlts9_2 Jan 8, 2026
3 checks passed