From patchwork Thu Nov 14 12:57:21 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 13875105 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 88F0A1FAC4A; Thu, 14 Nov 2024 13:05:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.188.207 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589513; cv=none; b=qL18XHgtci4rcLOcfqvjhYayR/twbCbJRCBk0LfQt1P1odQzlXPu3mmT4QrGgJWx7ARdUVPnNbUyItuKeRGNh0hscokLL6OQUdy8eo9WLGh2UIrZOj2qTsPmvwMc/yQs5IyHRtBofT1VcQmYWhtJau/mwxpcJVRkdq1uKp1zO6o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589513; c=relaxed/simple; bh=WBK+wBYscKRT42FriCCjmW+aJF/c7VxM45CwP46g7ls=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=A2+qSLYTa4su+QIeFpPVv/ypD5s0KsX28FLA5b/voE3pACVn3biik3A/xMJ6YFy7cEU+cb9l30cYCZ0u/ZeGVBO/+3WztKaYWi7w5sbd011LSVeeDmoGR4zt0svDhWRe+XIXSwE2sYp1ZoPvhxe/DI9VetCnvWuw+5bAB6YRN8o= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; arc=none smtp.client-ip=217.70.188.207 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netfilter.org From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de Subject: [PATCH net 1/3] selftests: netfilter: Add missing gitignore file Date: Thu, 14 Nov 2024 13:57:21 +0100 Message-Id: <20241114125723.82229-2-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20241114125723.82229-1-pablo@netfilter.org> References: <20241114125723.82229-1-pablo@netfilter.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Li Zhijian Compiled binary files should be added to .gitignore 'git status' complains: Untracked files: (use "git add ..." to include in what will be committed) net/netfilter/conntrack_reverse_clash Signed-off-by: Li Zhijian Signed-off-by: Pablo Neira Ayuso --- tools/testing/selftests/net/netfilter/.gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/tools/testing/selftests/net/netfilter/.gitignore b/tools/testing/selftests/net/netfilter/.gitignore index 0a64d6d0e29a..64c4f8d9aa6c 100644 --- a/tools/testing/selftests/net/netfilter/.gitignore +++ b/tools/testing/selftests/net/netfilter/.gitignore @@ -2,5 +2,6 @@ audit_logread connect_close conntrack_dump_flush +conntrack_reverse_clash sctp_collision nf_queue From patchwork Thu Nov 14 12:57:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 13875106 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207]) by smtp.subspace.kernel.org (Postfix) with ESMTP id A75B61FAC5D; Thu, 14 Nov 2024 13:05:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.188.207 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589513; cv=none; b=G/3O/ranOpu/VDoEikuNMqpbvTt4gB7fZL/Dw/61lsCUlwkJCV4VHp0ii6ncPxB6UlATNFckEljQxgLsfoWxHgD3oxXNMYNe0YPIXxoYwAjN+dn6+DCuZjnJ9WI/ssk7OQQfGM92VfY1QxJkr0gtLRJq92kBD+Whx0qNuPfBOTc= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589513; c=relaxed/simple; bh=QPUiEAZl3lzHLwvEjSCy0Y1PfyOgnhOXErZmHXPZ0zk=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=UtHgzjCKVD+7L39qKPaKFrKf3Ea6eIDPZtF26frr+u3I8o5IDiKHgNejBQV3kzJ7xfjGDEtUKzpTxBFACbAG73VXLe0f+skpoH1CMLPzfUT1mQa4kyuoO720IAtNiuIajitDPP3k41Ua/oThrnsEwZBhvWdoct3ay3OuWc4nITY= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; arc=none smtp.client-ip=217.70.188.207 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netfilter.org From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de Subject: [PATCH net 2/3] selftests: netfilter: Fix missing return values in conntrack_dump_flush Date: Thu, 14 Nov 2024 13:57:22 +0100 Message-Id: <20241114125723.82229-3-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20241114125723.82229-1-pablo@netfilter.org> References: <20241114125723.82229-1-pablo@netfilter.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: guanjing Fix the bug of some functions were missing return values. Fixes: eff3c558bb7e ("netfilter: ctnetlink: support filtering by zone") Signed-off-by: Guan Jing Signed-off-by: Pablo Neira Ayuso --- .../testing/selftests/net/netfilter/conntrack_dump_flush.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c index 254ff03297f0..5f827e10717d 100644 --- a/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c +++ b/tools/testing/selftests/net/netfilter/conntrack_dump_flush.c @@ -43,6 +43,8 @@ static int build_cta_tuple_v4(struct nlmsghdr *nlh, int type, mnl_attr_nest_end(nlh, nest_proto); mnl_attr_nest_end(nlh, nest); + + return 0; } static int build_cta_tuple_v6(struct nlmsghdr *nlh, int type, @@ -71,6 +73,8 @@ static int build_cta_tuple_v6(struct nlmsghdr *nlh, int type, mnl_attr_nest_end(nlh, nest_proto); mnl_attr_nest_end(nlh, nest); + + return 0; } static int build_cta_proto(struct nlmsghdr *nlh) @@ -90,6 +94,8 @@ static int build_cta_proto(struct nlmsghdr *nlh) mnl_attr_nest_end(nlh, nest_proto); mnl_attr_nest_end(nlh, nest); + + return 0; } static int conntrack_data_insert(struct mnl_socket *sock, struct nlmsghdr *nlh, From patchwork Thu Nov 14 12:57:23 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Pablo Neira Ayuso X-Patchwork-Id: 13875108 X-Patchwork-Delegate: kuba@kernel.org Received: from mail.netfilter.org (mail.netfilter.org [217.70.188.207]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 88F5F1FAC51; Thu, 14 Nov 2024 13:05:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=217.70.188.207 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589514; cv=none; b=IIO8KhPH97CXEDC4EPxKo03ZU9NMNbMNPD7hnrpyQiwnYAiLZREoLEFjx4Zdr0qMlJFw8SMzP991ywBaBZyqWk4/4pUYWQcH/H8+WZkdGVKuIuU4CxiPGwTdKUUgUSLXT6PDcrTC4t4LR/6BGbH+JYkDa1F8/yxbIVZ7JwE50XY= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1731589514; c=relaxed/simple; bh=Y6wopE0ov8SSG4Zzo1TJXLDsACiB1Z4n9kSwNR6kVq4=; h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References: MIME-Version; b=L6TEri6mIUKNYXYuR4AzJlLq+m2uq7P+6D1EzEXB1/7dik/zTFpAQG0lIwI3qLnH1ZcYYK80k+jbtEJkt5pCMkJS2d0OfrG7PqKGZlLZMYRptqkoCt6Wb4eeDDqGLZv+lOe0cUPpkU8zLKlD27xQ/sziubBCYM3V5d6EBRqqHLg= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org; spf=pass smtp.mailfrom=netfilter.org; arc=none smtp.client-ip=217.70.188.207 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=netfilter.org Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=netfilter.org From: Pablo Neira Ayuso To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de Subject: [PATCH net 3/3] netfilter: ipset: add missing range check in bitmap_ip_uadt Date: Thu, 14 Nov 2024 13:57:23 +0100 Message-Id: <20241114125723.82229-4-pablo@netfilter.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20241114125723.82229-1-pablo@netfilter.org> References: <20241114125723.82229-1-pablo@netfilter.org> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 X-Patchwork-Delegate: kuba@kernel.org From: Jeongjun Park When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists, the values of ip and ip_to are slightly swapped. Therefore, the range check for ip should be done later, but this part is missing and it seems that the vulnerability occurs. So we should add missing range checks and remove unnecessary range checks. Cc: Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support") Signed-off-by: Jeongjun Park Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c index e4fa00abde6a..5988b9bb9029 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ip.c +++ b/net/netfilter/ipset/ip_set_bitmap_ip.c @@ -163,11 +163,8 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP_TO], &ip_to); if (ret) return ret; - if (ip > ip_to) { + if (ip > ip_to) swap(ip, ip_to); - if (ip < map->first_ip) - return -IPSET_ERR_BITMAP_RANGE; - } } else if (tb[IPSET_ATTR_CIDR]) { u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]); @@ -178,7 +175,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[], ip_to = ip; } - if (ip_to > map->last_ip) + if (ip < map->first_ip || ip_to > map->last_ip) return -IPSET_ERR_BITMAP_RANGE; for (; !before(ip_to, ip); ip += map->hosts) {