From b15a952c52a6825376d3e7f6c1bf5c886c6d8b74 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sat, 27 Apr 2024 12:06:00 +0200
Subject: Adding debian version 5.10.209-2.
Signed-off-by: Daniel Baumann
---
 ...f_tables-reject-QUEUE-DROP-verdict-parame.patch | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)
 create mode 100644 debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
(limited to 'debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch')
diff --git a/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch b/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
new file mode 100644
index 000000000..a6e35b7f2
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nf_tables-reject-QUEUE-DROP-verdict-parame.patch
@@ -0,0 +1,73 @@
+From: Florian Westphal
+Date: Sat, 20 Jan 2024 22:50:04 +0100
+Subject: netfilter: nf_tables: reject QUEUE/DROP verdict parameters
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/commit?id=11351dcb86e3eec82492e20a63bb36f5a340dc85
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2024-1086
+
+commit f342de4e2f33e0e39165d8639387aa6c19dff660 upstream.
+
+This reverts commit e0abdadcc6e1.
+
+core.c:nf_hook_slow assumes that the upper 16 bits of NF_DROP
+verdicts contain a valid errno, i.e. -EPERM, -EHOSTUNREACH or similar,
+or 0.
+
+Due to the reverted commit, its possible to provide a positive
+value, e.g. NF_ACCEPT (1), which results in use-after-free.
+
+Its not clear to me why this commit was made.
+
+NF_QUEUE is not used by nftables; "queue" rules in nftables
+will result in use of "nft_queue" expression.
+
+If we later need to allow specifiying errno values from userspace
+(do not know why), this has to call NF_DROP_GETERR and check that
+"err <= 0" holds true.
+
+Fixes: e0abdadcc6e1 ("netfilter: nf_tables: accept QUEUE/DROP verdict parameters")
+Cc: stable@vger.kernel.org
+Reported-by: Notselwyn
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netfilter/nf_tables_api.c | 16 ++++++----------
+ 1 file changed, 6 insertions(+), 10 deletions(-)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 0d0b76a5ddfa..f586e8b3c6cf 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -9340,16 +9340,10 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
+ 
+ switch (data->verdict.code) {
+- default:
+- switch (data->verdict.code & NF_VERDICT_MASK) {
+- case NF_ACCEPT:
+- case NF_DROP:
+- case NF_QUEUE:
+- break;
+- default:
+- return -EINVAL;
+- }
+- fallthrough;
++ case NF_ACCEPT:
++ case NF_DROP:
++ case NF_QUEUE:
++ break;
+ case NFT_CONTINUE:
+ case NFT_BREAK:
+ case NFT_RETURN:
+@@ -9384,6 +9378,8 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+ 
+ data->verdict.chain = chain;
+ break;
++ default:
++ return -EINVAL;
+ }
+ 
+ desc->len = sizeof(data->verdict);
+-- 
+2.43.0
+
-- cgit v1.2.3
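Review bot: Removing the `& NF_VERDICT_MASK` masking in the first nested hunk (`+@@ -9340,16 +9340,10 @@`) makes nft_verdict_init return -EINVAL for any NF_DROP verdict that carries an errno in its upper 16 bits, not only for the positive values the description identifies as the use-after-free trigger; the description presents this as intentional and says a future errno path would have to go through NF_DROP_GETERR with an `err <= 0` check, so the tightening looks correct. If the 5.10.209 tree already carried e0abdadcc6e1 (the revert's Fixes: line implies it does), rulesets that relied on that extension will now be rejected at load time, which is worth a line in the Debian changelog or patch header; this is inferred from the patch text, not verified against the 5.10 sources. nft_verdict_init starts and ends outside both nested hunks, so the remaining NFT_JUMP/NFT_GOTO cases between them are not visible here.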