linux/net
Florian Westphal 14fb07130c netfilter: nf_tables: allow loads only when register is initialized
Reject rules where a load occurs from a register that has not seen a store
early in the same rule.

commit 4c905f6740 ("netfilter: nf_tables: initialize registers in
nft_do_chain()")
had to add an unconditional memset to the nftables register space to avoid
leaking stack information to userspace.

This memset shows up in benchmarks.  After this change, this commit can
be reverted again.

Note that this breaks userspace compatibility, because theoretically
you can do

  rule 1: reg2 := meta load iif, reg2  == 1 jump ...
  rule 2: reg2 == 2 jump ...   // read access with no store in this rule

... after this change this is rejected.

Neither nftables nor iptables-nft generate such rules, each rule is
always standalone.

This results in a small increase of nft_ctx structure by sizeof(long).

To cope with hypothetical rulesets like the example above one could emit
on-demand "reg[x] = 0" store when generating the datapath blob in
nf_tables_commit_chain_prepare().

A patch that does this is linked to below.

For now, let's disable this.  In nf_tables, a rule is the smallest
unit that can be replaced from userspace, i.e. a hypothetical ruleset
that relies on earlier initialisations of registers can't be changed
at will as register usage would need to be coordinated.

Link: https://lore.kernel.org/netfilter-devel/20240627135330.17039-4-fw@strlen.de/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-08-20 12:37:24 +02:00
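The check the commit describes, as an added illustration that is not the kernel's own nft_parse_register_load/nft_parse_register_store code: each rule is validated against a fresh per-rule context holding a one-bit-per-register "initialised" mask (the sizeof(long) the commit mentions), stores set the bit, and a load whose bit is clear is rejected. The register count, the struct names and the expression encoding below are simplifying assumptions; the two rules are constructed to mirror the example in the commit message.

```c
/* Added example, not kernel code: per-rule register-initialisation tracking
 * in the spirit of the commit above.  NFT_REG_MAX, the struct names and the
 * expression encoding are assumptions made for this illustration. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define NFT_REG_MAX 20   /* assumed register count; must fit in one long */
_Static_assert(NFT_REG_MAX <= sizeof(unsigned long) * 8,
               "register mask must fit in one unsigned long");

enum expr_kind { EXPR_STORE, EXPR_LOAD };

struct rule_expr {
    enum expr_kind kind;   /* does this expression write or read a register? */
    unsigned int reg;      /* register index it touches */
};

/* Hypothetical per-rule context: one bit per register that has seen a store. */
struct rule_ctx {
    unsigned long reg_inited;
};

static int parse_register_store(struct rule_ctx *ctx, unsigned int reg)
{
    if (reg >= NFT_REG_MAX)
        return -ERANGE;
    ctx->reg_inited |= 1UL << reg;   /* later loads of this reg are now legal */
    return 0;
}

static int parse_register_load(const struct rule_ctx *ctx, unsigned int reg)
{
    if (reg >= NFT_REG_MAX)
        return -ERANGE;
    if (!(ctx->reg_inited & (1UL << reg)))
        return -EINVAL;   /* load from a register never stored in this rule */
    return 0;
}

/* Validate one rule.  The context starts empty for every rule, so stores made
 * by an earlier rule do not count: a rule is the smallest replaceable unit. */
int validate_rule(const struct rule_expr *exprs, size_t n)
{
    struct rule_ctx ctx = { .reg_inited = 0 };

    for (size_t i = 0; i < n; i++) {
        int err = exprs[i].kind == EXPR_STORE
                ? parse_register_store(&ctx, exprs[i].reg)
                : parse_register_load(&ctx, exprs[i].reg);
        if (err)
            return err;
    }
    return 0;
}

/* Constructed rules mirroring the commit message example. */
static const struct rule_expr rule1[] = {
    { EXPR_STORE, 2 },   /* reg2 := meta load iif */
    { EXPR_LOAD,  2 },   /* cmp reg2 == 1 */
};
static const struct rule_expr rule2[] = {
    { EXPR_LOAD,  2 },   /* cmp reg2 == 2, no store in this rule */
};
static const struct rule_expr rule3[] = {
    { EXPR_LOAD,  2 },   /* load before the store in the same rule */
    { EXPR_STORE, 2 },
};

int validate_rule1(void) { return validate_rule(rule1, 2); }
int validate_rule2(void) { return validate_rule(rule2, 1); }
int validate_rule3(void) { return validate_rule(rule3, 2); }

int main(void)
{
    printf("rule 1: %d\n", validate_rule1());   /* 0: store precedes load */
    printf("rule 2: %d\n", validate_rule2());   /* -EINVAL: relies on rule 1 */
    printf("rule 3: %d\n", validate_rule3());   /* -EINVAL: order matters */
    return 0;
}
```

Rule 2 is exactly the cross-rule dependency the commit declares unsupported; rule 3 shows that the check is positional within a rule, not a whole-rule set membership test, so the tracker has to be updated in expression order.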
6lowpan ipv6: eliminate ndisc_ops_is_useropt() 2024-08-12 17:23:57 -07:00
9p Two fixes headed to stable trees: 2024-05-29 09:25:15 -07:00
802
8021q net: Add struct kernel_ethtool_ts_info 2024-07-15 08:02:26 -07:00
appletalk Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-05-09 10:01:01 -07:00
atm atm: clean up a put_user() calls 2024-06-14 19:08:50 -07:00
ax25 ax25: Replace kfree() in ax25_dev_free() with ax25_dev_put() 2024-06-01 15:49:42 -07:00
batman-adv Revert "batman-adv: prefer kfree_rcu() over call_rcu() with free-only callbacks" 2024-06-12 20:18:00 +02:00
bluetooth Bluetooth: hci_sync: avoid dup filtering when passive scanning with adv monitor 2024-08-07 16:36:01 -04:00
bpf bpf-next-for-netdev 2024-07-09 17:01:46 +02:00
bridge netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
caif net: caif: remove unused structs 2024-06-05 10:18:06 +01:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-27 12:14:11 -07:00
ceph libceph: fix crush_choose_firstn() kernel-doc warnings 2024-07-11 16:33:07 +02:00
core netfilter: nfnetlink_queue: unbreak SCTP traffic 2024-08-19 18:44:50 +02:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-06-27 12:14:11 -07:00
devlink devlink: Constify the 'table_ops' parameter of devl_dpipe_table_register() 2024-06-05 10:24:57 +01:00
dns_resolver
dsa net: dsa: microchip: fix tag_ksz egress mask for KSZ8795 family 2024-08-16 10:25:02 -07:00
ethernet netkit: Fix pkt_type override upon netkit pass verdict 2024-05-25 10:48:57 -07:00
ethtool Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-08-15 17:18:52 -07:00
handshake net/handshake: remove redundant assignment to variable ret 2024-04-16 17:14:55 -07:00
hsr net: hsr: cosmetic: Remove extra white space 2024-06-19 17:32:57 -07:00
ieee802154 bpf-next-for-netdev 2024-05-28 07:27:29 -07:00
ife
ipv4 netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
ipv6 netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
iucv net/iucv: fix use after free in iucv_sock_close() 2024-07-30 15:01:50 +02:00
kcm
key
l2tp l2tp: flush workqueue before draining it 2024-08-11 04:38:50 +01:00
l3mdev
lapb
llc llc: Constify struct llc_sap_state_trans 2024-07-15 08:51:19 -07:00
mac80211 wifi: mac80211: use monitor sdata with driver only if desired 2024-07-26 12:30:49 +02:00
mac802154 net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() 2024-06-03 11:20:56 +02:00
mctp net: mctp: Consistent peer address handling in ioctl tag allocation 2024-08-01 18:04:12 -07:00
mpls mpls: Reduce skb re-allocations due to skb_cow() 2024-08-16 17:53:49 -07:00
mptcp mptcp: correct MPTCP_SUBFLOW_ATTR_SSN_OFFSET reserved size 2024-08-13 19:13:25 -07:00
ncsi net/ncsi: Fix the multi thread manner of NCSI driver 2024-06-01 16:21:44 -07:00
netfilter netfilter: nf_tables: allow loads only when register is initialized 2024-08-20 12:37:24 +02:00
netlabel netlabel: fix RCU annotation for IPv4 options on socket creation 2024-05-13 14:58:12 -07:00
netlink net: netlink: remove the cb_mutex "injection" from netlink core 2024-06-10 13:15:40 +01:00
netrom netrom: Fix a memory leak in nr_heartbeat_expiry() 2024-06-17 13:06:23 +01:00
nfc Quite smaller than usual. Notably it includes the fix for the unix 2024-05-23 12:49:37 -07:00
nsh nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). 2024-04-26 12:20:01 +02:00
openvswitch netfilter: move nf_ct_netns_get out of nf_conncount_init 2024-08-19 18:44:51 +02:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
phonet sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
psample net: psample: fix flag being set in wrong skb 2024-07-11 18:11:31 -07:00
qrtr net: qrtr: ns: Ignore ENODEV failures in ns 2024-06-14 13:17:21 +02:00
rds net: rds: add option for GCOV profiling 2024-08-09 13:18:46 +01:00
rfkill net: rfkill: Correct return value in invalid parameter case 2024-06-26 10:49:01 +02:00
rose net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
rxrpc rxrpc: Remove unused function declarations 2024-08-02 17:17:34 -07:00
sched sched: act_ct: avoid -Wflex-array-member-not-at-end warning 2024-08-12 17:54:24 -07:00
sctp sctp: Fix null-ptr-deref in reuseport_add_sock(). 2024-08-02 16:25:06 -07:00
smc net/smc: Use static_assert() to check struct sizes 2024-08-12 18:41:42 -07:00
strparser
sunrpc nfsd-6.11 fixes: 2024-08-10 10:44:21 -07:00
switchdev net: bridge: switchdev: Improve error message for port_obj_add/del functions 2024-05-08 12:19:12 +01:00
tipc tipc: guard against string buffer overrun 2024-08-02 17:16:09 -07:00
tls net: tls: Pass union tls_crypto_context pointer to memzero_explicit 2024-07-09 11:14:47 -07:00
unix af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash 2024-07-17 22:49:00 +02:00
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-08-15 17:18:52 -07:00
wireless wifi: cfg80211: correct S1G beacon length calculation 2024-07-26 12:32:47 +02:00
x25 net: change proto and proto_ops accept type 2024-05-13 18:19:09 -06:00
xdp xsk: Require XDP_UMEM_TX_METADATA_LEN to actuate tx_metadata_len 2024-07-25 11:57:27 +02:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-15 13:19:17 -07:00
compat.c
devres.c
Kconfig ethtool: provide customized dim profile management 2024-06-25 17:15:06 -07:00
Kconfig.debug
Makefile
socket.c net: Split a __sys_listen helper for io_uring 2024-06-19 07:57:21 -06:00
sysctl_net.c sysctl: Remove check for sentinel element in ctl_table arrays 2024-06-13 10:50:52 +02:00