From: Greg Kroah-Hartman Date: Mon, 26 Jun 2023 15:14:34 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.14.320~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1341585d84178cb43140c01dc0f6413ba8c6a3c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch netfilter-nf_tables-validate-registers-coming-from-userspace.patch netfilter-nftables-statify-nft_parse_register.patch
---
diff --git a/queue-5.10/netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch b/queue-5.10/netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch
new file mode 100644
index 00000000000..3c1cba91697
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch
@@ -0,0 +1,30 @@
+From 3923b1e4406680d57da7e873da77b1683035d83f Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 30 May 2022 18:24:05 +0200
+Subject: netfilter: nf_tables: hold mutex on netns pre_exit path
+
+From: Pablo Neira Ayuso
+
+commit 3923b1e4406680d57da7e873da77b1683035d83f upstream.
+
+clean_net() runs in workqueue while walking over the lists, grab mutex.
+
+Fixes: 767d1216bff8 ("netfilter: nftables: fix possible UAF over chains from packet path in netns")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8983,7 +8983,9 @@ static int __net_init nf_tables_init_net
+
+ static void __net_exit nf_tables_pre_exit_net(struct net *net)
+ {
++ mutex_lock(&net->nft.commit_mutex);
+ __nft_release_hooks(net);
++ mutex_unlock(&net->nft.commit_mutex);
+ }
+
+ static void __net_exit nf_tables_exit_net(struct net *net)
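Review bot: The locking requirement this patch introduces for `__nft_release_hooks()` is recorded only in the commit message, not in `nf_tables_pre_exit_net()` or at the callee. The body of `__nft_release_hooks()` is outside the hunk, so it is not visible whether it already asserts the lock; if it does not, `lockdep_assert_held(&net->nft.commit_mutex);` at its top would make any other unlocked caller show up under lockdep. A one-line comment above the `mutex_lock()` call, such as `/* netns cleanup runs from a workqueue; hold commit_mutex while walking the lists */`, would keep the reason next to the code.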
diff --git a/queue-5.10/netfilter-nf_tables-validate-registers-coming-from-userspace.patch b/queue-5.10/netfilter-nf_tables-validate-registers-coming-from-userspace.patch
new file mode 100644
index 00000000000..25914f752a0
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-validate-registers-coming-from-userspace.patch
@@ -0,0 +1,80 @@
+From 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 17 Mar 2022 11:59:26 +0100
+Subject: netfilter: nf_tables: validate registers coming from userspace.
+
+From: Pablo Neira Ayuso
+
+commit 6e1acfa387b9ff82cfc7db8cc3b6959221a95851 upstream.
+
+Bail out in case userspace uses unsupported registers.
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8483,26 +8483,23 @@ int nft_parse_u32_check(const struct nla
+ }
+ EXPORT_SYMBOL_GPL(nft_parse_u32_check);
+
+-/**
+- * nft_parse_register - parse a register value from a netlink attribute
+- *
+- * @attr: netlink attribute
+- *
+- * Parse and translate a register value from a netlink attribute.
+- * Registers used to be 128 bit wide, these register numbers will be
+- * mapped to the corresponding 32 bit register numbers.
+- */
+-static unsigned int nft_parse_register(const struct nlattr *attr)
++static int nft_parse_register(const struct nlattr *attr, u32 *preg)
+ {
+ unsigned int reg;
+
+ reg = ntohl(nla_get_be32(attr));
+ switch (reg) {
+ case NFT_REG_VERDICT...NFT_REG_4:
+- return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
++ *preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
++ break;
++ case NFT_REG32_00...NFT_REG32_15:
++ *preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
++ break;
+ default:
+- return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
++ return -ERANGE;
+ }
++
++ return 0;
+ }
+
+ /**
+@@ -8553,7 +8550,10 @@ int nft_parse_register_load(const struct
+ u32 reg;
+ int err;
+
+- reg = nft_parse_register(attr);
++ err = nft_parse_register(attr, ®);
++ if (err < 0)
++ return err;
++
+ err = nft_validate_register_load(reg, len);
+ if (err < 0)
+ return err;
+@@ -8622,7 +8622,10 @@ int nft_parse_register_store(const struc
+ int err;
+ u32 reg;
+
+- reg = nft_parse_register(attr);
++ err = nft_parse_register(attr, ®);
++ if (err < 0)
++ return err;
++
+ err = nft_validate_register_store(ctx, reg, data, type, len);
+ if (err < 0)
+ return err;
diff --git a/queue-5.10/netfilter-nftables-statify-nft_parse_register.patch b/queue-5.10/netfilter-nftables-statify-nft_parse_register.patch
new file mode 100644
index 00000000000..df20f72462b
--- /dev/null
+++ b/queue-5.10/netfilter-nftables-statify-nft_parse_register.patch
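Review bot: The rewritten `nft_parse_register()` drops its kernel-doc block while gaining an out-parameter and an error return, so the new contract is undocumented at the point where a userspace-supplied register number is validated. A replacement comment should say that the function returns 0 and stores the translated 32-bit register number in `*preg`, or returns `-ERANGE` and leaves `*preg` unwritten for any value outside `NFT_REG_VERDICT...NFT_REG_4` and `NFT_REG32_00...NFT_REG32_15`. Both visible callers, `nft_parse_register_load()` and `nft_parse_register_store()`, check the return value before passing `reg` on, and `reg` is uninitialised on the error path. Their bodies start and end outside the hunks, so a `@preg:` line stating that the value is only valid on success would protect any future caller.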
@@ -0,0 +1,47 @@
+From 08a01c11a5bb3de9b0a9c9b2685867e50eda9910 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 25 Jan 2021 23:19:17 +0100
+Subject: netfilter: nftables: statify nft_parse_register()
+
+From: Pablo Neira Ayuso
+
+commit 08a01c11a5bb3de9b0a9c9b2685867e50eda9910 upstream.
+
+This function is not used anymore by any extension, statify it.
+
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/net/netfilter/nf_tables.h | 1 -
+ net/netfilter/nf_tables_api.c | 3 +--
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -205,7 +205,6 @@ static inline enum nft_registers nft_typ
+ }
+
+ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
+-unsigned int nft_parse_register(const struct nlattr *attr);
+ int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);
+
+ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -8492,7 +8492,7 @@ EXPORT_SYMBOL_GPL(nft_parse_u32_check);
+ * Registers used to be 128 bit wide, these register numbers will be
+ * mapped to the corresponding 32 bit register numbers.
+ */
+-unsigned int nft_parse_register(const struct nlattr *attr)
++static unsigned int nft_parse_register(const struct nlattr *attr)
+ {
+ unsigned int reg;
+
+@@ -8504,7 +8504,6 @@ unsigned int nft_parse_register(const st
+ return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
+ }
+ }
+-EXPORT_SYMBOL_GPL(nft_parse_register);
+
+ /**
+ * nft_dump_register - dump a register value to a netlink attribute
diff --git a/queue-5.10/series b/queue-5.10/series
index cb2ab307734..ee0722b3fb9 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -75,3 +75,6 @@ drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch
 drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch
 x86-apic-fix-kernel-panic-when-booting-with-intremap.patch
 i2c-imx-lpi2c-fix-type-char-overflow-issue-when-calc.patch
+netfilter-nftables-statify-nft_parse_register.patch
+netfilter-nf_tables-validate-registers-coming-from-userspace.patch
+netfilter-nf_tables-hold-mutex-on-netns-pre_exit-path.patch