netfilter: nf_tables: discard table flag update with pending basechain deletion

PlaidCat · PlaidCat · commit 3c5d45cd1798 · 2024-09-12T12:21:52.000-04:00
jira LE-1907 cve CVE-2024-35897 Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10 commit-author Pablo Neira Ayuso <pablo@netfilter.org> commit 1bc83a0 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/1bc83a01.failed Hook unregistration is deferred to the commit phase, same occurs with hook updates triggered by the table dormant flag. When both commands are combined, this results in deleting a basechain while leaving its hook still registered in the core. Fixes: 179d9ba ("netfilter: nf_tables: fix table flag updates") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit 1bc83a0) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/netfilter/nf_tables_api.c
diff --git a/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/1bc83a01.failed b/ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/1bc83a01.failed
@@ -0,0 +1,63 @@
+netfilter: nf_tables: discard table flag update with pending basechain deletion
+
+jira LE-1907
+cve CVE-2024-35897
+Rebuild_History Non-Buildable kernel-4.18.0-553.16.1.el8_10
+commit-author Pablo Neira Ayuso <pablo@netfilter.org>
+commit 1bc83a019bbe268be3526406245ec28c2458a518
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-4.18.0-553.16.1.el8_10/1bc83a01.failed
+
+Hook unregistration is deferred to the commit phase, same occurs with
+hook updates triggered by the table dormant flag. When both commands are
+combined, this results in deleting a basechain while leaving its hook
+still registered in the core.
+
+Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
+	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit 1bc83a019bbe268be3526406245ec28c2458a518)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/netfilter/nf_tables_api.c
+diff --cc net/netfilter/nf_tables_api.c
+index 6dfe5eb2c32e,d89d77946719..000000000000
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@@ -952,8 -1195,30 +952,33 @@@ static void nf_tables_table_disable(str
+  #define __NFT_TABLE_F_INTERNAL		(NFT_TABLE_F_MASK + 1)
+  #define __NFT_TABLE_F_WAS_DORMANT	(__NFT_TABLE_F_INTERNAL << 0)
+  #define __NFT_TABLE_F_WAS_AWAKEN	(__NFT_TABLE_F_INTERNAL << 1)
+ -#define __NFT_TABLE_F_WAS_ORPHAN	(__NFT_TABLE_F_INTERNAL << 2)
+  #define __NFT_TABLE_F_UPDATE		(__NFT_TABLE_F_WAS_DORMANT | \
+++<<<<<<< HEAD
+ +					 __NFT_TABLE_F_WAS_AWAKEN)
+++=======
++ 					 __NFT_TABLE_F_WAS_AWAKEN | \
++ 					 __NFT_TABLE_F_WAS_ORPHAN)
++ 
++ static bool nft_table_pending_update(const struct nft_ctx *ctx)
++ {
++ 	struct nftables_pernet *nft_net = nft_pernet(ctx->net);
++ 	struct nft_trans *trans;
++ 
++ 	if (ctx->table->flags & __NFT_TABLE_F_UPDATE)
++ 		return true;
++ 
++ 	list_for_each_entry(trans, &nft_net->commit_list, list) {
++ 		if (trans->ctx.table == ctx->table &&
++ 		    ((trans->msg_type == NFT_MSG_NEWCHAIN &&
++ 		      nft_trans_chain_update(trans)) ||
++ 		     (trans->msg_type == NFT_MSG_DELCHAIN &&
++ 		      nft_is_base_chain(trans->ctx.chain))))
++ 			return true;
++ 	}
++ 
++ 	return false;
++ }
+++>>>>>>> 1bc83a019bbe (netfilter: nf_tables: discard table flag update with pending basechain deletion)
+  
+  static int nf_tables_updtable(struct nft_ctx *ctx)
+  {
+* Unmerged path net/netfilter/nf_tables_api.c
