diff --git a/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch b/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch
new file mode 100644
index 0000000..96e3f20
--- /dev/null
+++ b/SOURCES/0025-owner-Fix-potential-array-out-of-bounds-access.patch
@@ -0,0 +1,44 @@
+From d6087e02d9f25bba362db0af16355ee3be4e450a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:40 +0100
+Subject: [PATCH] owner: Fix potential array out of bounds access
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 9967911e3dabb
+
+commit 9967911e3dabb32901617e81e56602af3b37287f
+Author: Pablo Neira Ayuso
+Date: Wed Dec 21 17:37:46 2022 +0100
+
+ owner: Fix potential array out of bounds access
+
+ If the link target length exceeds 'sizeof(tmp)' bytes, readlink() will
+ return 'sizeof(tmp)'. Using this value as index is illegal.
+
+ Original update from Phil, for the conntrack-tools tree, which also has
+ a copy of this function.
+
+ Fixes: 6d085b22a8b5 ("table: support for the table owner flag")
+ Signed-off-by: Pablo Neira Ayuso
+
+Signed-off-by: Phil Sutter
+---
+ src/owner.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/owner.c b/src/owner.c
+index 2d98a2e..20bed38 100644
+--- a/src/owner.c
++++ b/src/owner.c
+@@ -66,7 +66,7 @@ static char *portid2name(pid_t pid, uint32_t portid, unsigned long inode)
+ continue;
+
+ rl = readlink(procname, tmp, sizeof(tmp));
+- if (rl <= 0 || rl > (ssize_t)sizeof(tmp))
++ if (rl <= 0 || rl >= (ssize_t)sizeof(tmp))
+ continue;
+
+ tmp[rl] = 0;
+--
+2.39.2
+
diff --git a/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch b/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
new file mode 100644
index 0000000..a9d584c
--- /dev/null
+++ b/SOURCES/0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
@@ -0,0 +1,57 @@
+From 92f540141ca5aa1cc5070ea383c2eabf3206b86e Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] mnl: dump_nf_hooks() leaks memory in error path
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit ef66f321e49b3
+
+commit ef66f321e49b337c7e678bb90d6acb94f331dfc4
+Author: Phil Sutter
+Date: Wed Jan 11 12:28:15 2023 +0100
+
+ mnl: dump_nf_hooks() leaks memory in error path
+
+ Have to free the basehook object before returning to caller.
+
+ Fixes: 4694f7230195b ("src: add support for base hook dumping")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/mnl.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/mnl.c b/src/mnl.c
+index 7dd77be..269d3f1 100644
+--- a/src/mnl.c
++++ b/src/mnl.c
+@@ -2211,16 +2211,23 @@ static int dump_nf_hooks(const struct nlmsghdr *nlh, void *_data)
+ struct nlattr *nested[NFNLA_HOOK_INFO_MAX + 1] = {};
+ uint32_t type;
+
+- if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO], dump_nf_chain_info_cb, nested) < 0)
++ if (mnl_attr_parse_nested(tb[NFNLA_HOOK_CHAIN_INFO],
++ dump_nf_chain_info_cb, nested) < 0) {
++ basehook_free(hook);
+ return -1;
++ }
+
+ type = ntohl(mnl_attr_get_u32(nested[NFNLA_HOOK_INFO_TYPE]));
+ if (type == NFNL_HOOK_TYPE_NFTABLES) {
+ struct nlattr *info[NFNLA_CHAIN_MAX + 1] = {};
+ const char *tablename, *chainname;
+
+- if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC], dump_nf_attr_chain_cb, info) < 0)
++ if (mnl_attr_parse_nested(nested[NFNLA_HOOK_INFO_DESC],
++ dump_nf_attr_chain_cb,
++ info) < 0) {
++ basehook_free(hook);
+ return -1;
++ }
+
+ tablename = mnl_attr_get_str(info[NFNLA_CHAIN_TABLE]);
+ chainname = mnl_attr_get_str(info[NFNLA_CHAIN_NAME]);
+--
+2.39.2
+
diff --git a/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch b/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch
new file mode 100644
index 0000000..48988a8
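Review bot: The attribute pointers `nested[NFNLA_HOOK_INFO_TYPE]`, `info[NFNLA_CHAIN_TABLE]` and `info[NFNLA_CHAIN_NAME]` are still handed to mnl_attr_get_u32()/mnl_attr_get_str() with no NULL check after the parse calls the hunk rewrites, so a hook message whose nested parse succeeds but omits one of those attributes would dereference NULL unless dump_nf_chain_info_cb()/dump_nf_attr_chain_cb() reject such messages, which is not visible here. A guard such as `if (!nested[NFNLA_HOOK_INFO_TYPE]) { basehook_free(hook); return -1; }` before the ntohl() line would close that path with the same cleanup the commit adds. The two new `basehook_free(hook); return -1;` copies also duplicate the cleanup; a single error label at the end of the function would keep any later early return from forgetting the free. dump_nf_hooks() starts and ends outside the hunk.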
--- /dev/null
+++ b/SOURCES/0027-meta-parse_iso_date-returns-boolean.patch
@@ -0,0 +1,41 @@
+From dc8cd3f9cc5ad2eddba03bad86ce975d28513534 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] meta: parse_iso_date() returns boolean
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit db6e97bd667bf
+
+commit db6e97bd667bf205cee22049f9d0fd6550cb43a7
+Author: Phil Sutter
+Date: Wed Jan 11 11:26:41 2023 +0100
+
+ meta: parse_iso_date() returns boolean
+
+ Returning ts if 'ts == (time_t) -1' signals success to caller despite
+ failure.
+
+ Fixes: 4460b839b945a ("meta: fix compiler warning in date_type_parse()")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/meta.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/meta.c b/src/meta.c
+index 80ace25..73bd1c4 100644
+--- a/src/meta.c
++++ b/src/meta.c
+@@ -433,7 +433,7 @@ success:
+ cur_tm = localtime(&ts);
+
+ if (ts == (time_t) -1 || cur_tm == NULL)
+- return ts;
++ return false;
+
+ /* Substract tm_gmtoff to get the current time */
+ *tstamp = ts - cur_tm->tm_gmtoff;
+--
+2.39.2
+
diff --git a/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch b/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
new file mode 100644
index 0000000..14c785b
--- /dev/null
+++ b/SOURCES/0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
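Review bot: `localtime(&ts)` on the first line of the hunk still runs before `ts` is compared against `(time_t) -1`, so the conversion is attempted on a value the very next line treats as an error code; testing `if (ts == (time_t) -1) return false;` ahead of the localtime() call keeps the new boolean contract and avoids converting a known-bad timestamp. The comment two lines below the change also misspells "Subtract". The enclosing function, including the `success:` label the hunk header shows, begins and ends outside the hunk.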
@@ -0,0 +1,44 @@
+From 8bb864ad6586da7767cf4b90b75e62cd7324859d Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] netlink: Fix for potential NULL-pointer deref
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 927d5674e7bf6
+
+commit 927d5674e7bf656428f97c54c9171006e8c3c75e
+Author: Phil Sutter
+Date: Tue Jan 10 22:36:58 2023 +0100
+
+ netlink: Fix for potential NULL-pointer deref
+
+ If memory allocation fails, calloc() returns NULL which was not checked
+ for. The code seems to expect zero array size though, so simply
+ replacing this call by one of the x*calloc() ones won't work. So guard
+ the call also by a check for 'len'.
+
+ Fixes: db0697ce7f602 ("src: support for flowtable listing")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/netlink.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/netlink.c b/src/netlink.c
+index 799cf9b..dee1732 100644
+--- a/src/netlink.c
++++ b/src/netlink.c
+@@ -1700,7 +1700,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
+ while (dev_array[len])
+ len++;
+
+- flowtable->dev_array = calloc(1, len * sizeof(char *));
++ if (len)
++ flowtable->dev_array = xmalloc(len * sizeof(char *));
+ for (i = 0; i < len; i++)
+ flowtable->dev_array[i] = xstrdup(dev_array[i]);
+
+--
+2.39.2
+
diff --git a/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch b/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch
new file mode 100644
index 0000000..c75a4ae
--- /dev/null
+++ b/SOURCES/0029-optimize-Do-not-return-garbage-from-stack.patch
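Review bot: With `len == 0` the new `if (len)` branch leaves `flowtable->dev_array` untouched, whereas the replaced calloc() always assigned it, so the field is only well-defined if the flowtable object was zeroed by its allocator before this point — presumably, but not visible in the hunk; if it can hold a stale value, an `else flowtable->dev_array = NULL;` arm makes the empty case explicit. The `len * sizeof(char *)` product is also unchecked, while patch 0030 in this same series switches the optimizer to the overflow-checked xzalloc_array() for exactly this pattern; using the xmalloc_array() counterpart here, if the tree's utils provide it, with `sizeof(*flowtable->dev_array)` would match that convention. netlink_delinearize_flowtable() starts and ends outside the hunk.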
@@ -0,0 +1,42 @@
+From 9b3e5589c5e1b6ced176ce33f59774a3b1d28c36 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] optimize: Do not return garbage from stack
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit d4d47e5bdf943
+
+commit d4d47e5bdf943be494aeb5d5a29b8f5212acbddf
+Author: Phil Sutter
+Date: Fri Jan 13 17:09:53 2023 +0100
+
+ optimize: Do not return garbage from stack
+
+ If input does not contain a single 'add' command (unusual, but
+ possible), 'ret' value was not initialized by nft_optimize() before
+ returning its value.
+
+ Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/optimize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/optimize.c b/src/optimize.c
+index 3a3049d..6514cbb 100644
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -1017,7 +1017,7 @@ static int cmd_optimize(struct nft_ctx *nft, struct cmd *cmd)
+ int nft_optimize(struct nft_ctx *nft, struct list_head *cmds)
+ {
+ struct cmd *cmd;
+- int ret;
++ int ret = 0;
+
+ list_for_each_entry(cmd, cmds, list) {
+ switch (cmd->op) {
+--
+2.39.2
+
diff --git a/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch b/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch
new file mode 100644
index 0000000..93a6506
--- /dev/null
+++ b/SOURCES/0030-optimize-Clarify-chain_optimize-array-allocations.patch
@@ -0,0 +1,51 @@
+From 9a41628f4206efe645f5a058a7d71a4503b5869a Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] optimize: Clarify chain_optimize() array allocations
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit b83a0416cdc88
+
+commit b83a0416cdc881c6ac35739cd858e4fe5fb2e04f
+Author: Phil Sutter
+Date: Tue Jan 10 22:13:44 2023 +0100
+
+ optimize: Clarify chain_optimize() array allocations
+
+ Arguments passed to sizeof() where deemed suspicious by covscan due to
+ the different type. Consistently specify size of an array 'a' using
+ 'sizeof(*a) * nmemb'.
+
+ For the statement arrays in stmt_matrix, even use xzalloc_array() since
+ the item count is fixed and therefore can't be zero.
+
+ Fixes: fb298877ece27 ("src: add ruleset optimization infrastructure")
+ Signed-off-by: Phil Sutter
+
+Signed-off-by: Phil Sutter
+---
+ src/optimize.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/src/optimize.c b/src/optimize.c
+index 6514cbb..baa6abc 100644
+--- a/src/optimize.c
++++ b/src/optimize.c
+@@ -918,10 +918,11 @@ static int chain_optimize(struct nft_ctx *nft, struct list_head *rules)
+ ctx->num_rules++;
+ }
+
+- ctx->rule = xzalloc(sizeof(ctx->rule) * ctx->num_rules);
+- ctx->stmt_matrix = xzalloc(sizeof(struct stmt *) * ctx->num_rules);
++ ctx->rule = xzalloc(sizeof(*ctx->rule) * ctx->num_rules);
++ ctx->stmt_matrix = xzalloc(sizeof(*ctx->stmt_matrix) * ctx->num_rules);
+ for (i = 0; i < ctx->num_rules; i++)
+- ctx->stmt_matrix[i] = xzalloc(sizeof(struct stmt *) * MAX_STMTS);
++ ctx->stmt_matrix[i] = xzalloc_array(MAX_STMTS,
++ sizeof(**ctx->stmt_matrix));
+
+ merge = xzalloc(sizeof(*merge) * ctx->num_rules);
+
+--
+2.39.2
+
diff --git a/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch b/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
new file mode 100644
index 0000000..3b2648b
--- /dev/null
+++ b/SOURCES/0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
@@ -0,0 +1,42 @@
+From 05407602f79391e89e57ef5c4a1a0aea720855e2 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Tue, 21 Feb 2023 19:50:41 +0100
+Subject: [PATCH] netlink_delinearize: Sanitize concat data element decoding
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2160049
+Upstream Status: nftables commit 1344d9e53ba4d
+
+commit 1344d9e53ba4d67cedd13a2c76a970fc7ce65683
+Author: Phil Sutter
+Date: Tue Feb 21 18:36:01 2023 +0100
+
+ netlink_delinearize: Sanitize concat data element decoding
+
+ The call to netlink_get_register() might return NULL, catch this before
+ dereferencing the pointer.
+
+ Fixes: db59a5c1204c9 ("netlink_delinearize: fix decoding of concat data element")
+ Signed-off-by: Phil Sutter
+ Acked-by: Florian Westphal
+
+Signed-off-by: Phil Sutter
+---
+ src/netlink_delinearize.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
+index e9e0845..cadb8ec 100644
+--- a/src/netlink_delinearize.c
++++ b/src/netlink_delinearize.c
+@@ -1660,7 +1660,7 @@ static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
+ sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
+ expr_data = netlink_get_register(ctx, loc, sreg_data);
+
+- if (expr_data->len < set->data->len) {
++ if (expr_data && expr_data->len < set->data->len) {
+ expr_free(expr_data);
+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
+ if (expr_data == NULL)
+--
+2.39.2
+
diff --git a/SPECS/nftables.spec b/SPECS/nftables.spec
index 6230d11..e68faf3 100644
--- a/SPECS/nftables.spec
+++ b/SPECS/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 1.0.4
-%define specrelease 9
+%define specrelease 10
 Name: nftables
 Version: %{rpmversion}
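Review bot: The added `expr_data &&` guard protects only the length comparison; when netlink_get_register() returns NULL the function now skips the block and continues with `expr_data == NULL` into the code after the hunk, so unless that code checks the pointer itself the dereference is moved rather than removed. A NULL register is a decode failure just like a failed netlink_parse_concat_expr(), so the cleaner shape is to test `if (expr_data == NULL)` right after the netlink_get_register() call and take the same error exit the last hunk line leads to, then keep the original `if (expr_data->len < set->data->len)` comparison. The rest of netlink_parse_dynset(), including that error exit, lies outside the hunk.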
@@ -43,6 +43,13 @@ Patch21: 0021-monitor-Sanitize-startup-race-condition.patch
 Patch22: 0022-netlink_delinearize-fix-decoding-of-concat-data-elem.patch
 Patch23: 0023-netlink_linearize-fix-timeout-with-map-updates.patch
 Patch24: 0024-tests-add-a-test-case-for-map-update-from-packet-pat.patch
+Patch25: 0025-owner-Fix-potential-array-out-of-bounds-access.patch
+Patch26: 0026-mnl-dump_nf_hooks-leaks-memory-in-error-path.patch
+Patch27: 0027-meta-parse_iso_date-returns-boolean.patch
+Patch28: 0028-netlink-Fix-for-potential-NULL-pointer-deref.patch
+Patch29: 0029-optimize-Do-not-return-garbage-from-stack.patch
+Patch30: 0030-optimize-Clarify-chain_optimize-array-allocations.patch
+Patch31: 0031-netlink_delinearize-Sanitize-concat-data-element-dec.patch
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -154,6 +161,15 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 
 %changelog
+* Tue Feb 21 2023 Phil Sutter [1.0.4-10.el9]
+- netlink_delinearize: Sanitize concat data element decoding (Phil Sutter) [2160049]
+- optimize: Clarify chain_optimize() array allocations (Phil Sutter) [2160049]
+- optimize: Do not return garbage from stack (Phil Sutter) [2160049]
+- netlink: Fix for potential NULL-pointer deref (Phil Sutter) [2160049]
+- meta: parse_iso_date() returns boolean (Phil Sutter) [2160049]
+- mnl: dump_nf_hooks() leaks memory in error path (Phil Sutter) [2160049]
+- owner: Fix potential array out of bounds access (Phil Sutter) [2160049]
+
 * Fri Feb 17 2023 Phil Sutter [1.0.4-9.el9]
 - tests: add a test case for map update from packet path with concat (Phil Sutter) [2094894]
 - netlink_linearize: fix timeout with map updates (Phil Sutter) [2094894]