From ed0078086d694cf8f235b418dddad7424dfdd609 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 13 Jan 2024 10:13:21 +0100
Subject: [PATCH] 5.15-stable patches
added patches:
netfilter-nf_tables-reject-tables-of-unsupported-family.patch
---
...-reject-tables-of-unsupported-family.patch | 65 +++++++++++++++++++
queue-5.15/series | 1 +
2 files changed, 66 insertions(+)
create mode 100644 queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch
diff --git a/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch b/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch
new file mode 100644
index 00000000000..61ec05a89b5
--- /dev/null
+++ b/queue-5.15/netfilter-nf_tables-reject-tables-of-unsupported-family.patch
@@ -0,0 +1,65 @@
+From f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Wed, 16 Feb 2022 15:55:38 +0100
+Subject: netfilter: nf_tables: Reject tables of unsupported family
+
+From: Phil Sutter
+
+commit f1082dd31fe461d482d69da2a8eccfeb7bf07ac2 upstream.
+
+An nftables family is merely a hollow container, its family just a
+number and such not reliant on compile-time options other than nftables
+support itself. Add an artificial check so attempts at using a family
+the kernel can't support fail as early as possible. This helps user
+space detect kernels which lack e.g. NFPROTO_INET.
+
+Signed-off-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 27 +++++++++++++++++++++++++++
+ 1 file changed, 27 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1247,6 +1247,30 @@ static int nft_objname_hash_cmp(struct r
+ return strcmp(obj->key.name, k->name);
+ }
+
++static bool nft_supported_family(u8 family)
++{
++ return false
++#ifdef CONFIG_NF_TABLES_INET
++ || family == NFPROTO_INET
++#endif
++#ifdef CONFIG_NF_TABLES_IPV4
++ || family == NFPROTO_IPV4
++#endif
++#ifdef CONFIG_NF_TABLES_ARP
++ || family == NFPROTO_ARP
++#endif
++#ifdef CONFIG_NF_TABLES_NETDEV
++ || family == NFPROTO_NETDEV
++#endif
++#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
++ || family == NFPROTO_BRIDGE
++#endif
++#ifdef CONFIG_NF_TABLES_IPV6
++ || family == NFPROTO_IPV6
++#endif
++ ;
++}
++
+ static int nf_tables_newtable(struct sk_buff *skb, const struct nfnl_info *info,
+ const struct nlattr * const nla[])
+ {
+@@ -1261,6 +1285,9 @@ static int nf_tables_newtable(struct sk_
+ u32 flags = 0;
+ int err;
+
++ if (!nft_supported_family(family))
++ return -EOPNOTSUPP;
++
+ lockdep_assert_held(&nft_net->commit_mutex);
+ attr = nla[NFTA_TABLE_NAME];
+ table = nft_table_lookup(net, attr, family, genmask,
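Review bot: The `#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)` guard in nft_supported_family is the one test written differently from the `#ifdef` guards around it, and nothing in the hunk says why; a one-line comment would spare the next reader a Kconfig lookup, e.g. `/* NF_TABLES_BRIDGE is tristate, so accept the family when built in or as a module */` (the tristate reading is from Kconfig as I recall it, worth confirming on the 5.15 tree). The function itself would also benefit from a header comment, e.g. `/* Families are plain numbers; reject those no compiled-in nf_tables family backs, so userspace learns early that e.g. NFPROTO_INET is missing. */`. In the second hunk the new `nft_supported_family()` reject runs before the commit_mutex lockdep assert and the table lookup, which is the right position for an input-validation check; note that `family` is declared outside that hunk and nf_tables_newtable's body continues beyond it.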
diff --git a/queue-5.15/series b/queue-5.15/series
index 0974b511249..86480d4fbe9 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -52,3 +52,4 @@ mmc-sdhci-sprd-fix-emmc-init-failure-after-hw-reset.patch
 net-tls-update-curr-on-splice-as-well.patch
 ipv6-remove-max_size-check-inline-with-ipv4.patch
 perf-inject-fix-gen_elf_text_offset-for-jit.patch
+netfilter-nf_tables-reject-tables-of-unsupported-family.patch
-- 
2.47.3