Conversation

@pvts-mat pvts-mat commented Jan 8, 2026

[LTS 9.2]
CVE-2024-27397 VULN-7048
CVE-2024-57947 VULN-42212
CVE-2025-38120 VULN-71797

Commits

CVE-2024-27397

The fix for CVE-2024-27397 got "unlocked" after merging #668 where most of the prerequisites fell into place. A small prereq netfilter: nft_set_rbtree: .deactivate fails if element has expired was pulled in to further reduce conflicts. The remaining modifications required are explained in the upstream-diff below.

netfilter: nft_set_rbtree: .deactivate fails if element has expired

jira VULN-7048
cve-pre CVE-2024-27397
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit d111692a59c1470ae530cbb39bcf0346c950ecc7
netfilter: nf_tables: use timestamp to check for set element timeout

jira VULN-7048
cve CVE-2024-27397
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7395dfacfff65e9938ac0889dafa1ab01e987d15
upstream-diff Omitted changes in `nft_rbtree_gc()' in
  net/netfilter/nft_set_rbtree.c. Function `nft_rbtree_gc()' was changed
  from async to sync in 7d259f021aaa78904b6c836d975e8e00d83a182a
  ("nft_set_rbtree: prefer sync gc to async worker"), which was not
  backported to ciqlts9_2 and `nft_rbtree_gc()' remains asynchronous in
  this version. The upstream fix 7395dfacfff65e9938ac0889dafa1ab01e987d15
  left checking current time as it was in the async garbage collectors:
  "Then, there is async gc which also needs to check the current time
  since it runs asynchronously from a workqueue." Similar situation
  occurred in linux-5.15.y and the fix backported as
  0d40e8cb1d1f56a994cdd2e015af622fdca9ed4d omits changes in
  `nft_rbtree_gc()' as well.

CVE-2024-57947 (+ CVE-2025-38120)

The prerequisite f04df57 netfilter: nft_set_pipapo: constify lookup fn args where possible wasn't strictly necessary, but it's functionally neutral and it helped avoid petty conflicts when backporting the main fix 791a615 netfilter: nf_set_pipapo: fix initial map fill. The follow-up ea77c39 netfilter: nf_set_pipapo_avx2: fix initial map fill is actually a bugfix for CVE-2024-57947, but it has its own CVE-2025-38120 assigned, so it was used in place of a cve-bf tag.

netfilter: nft_set_pipapo: constify lookup fn args where possible

jira VULN-42212
cve-pre CVE-2024-57947
commit-author Florian Westphal <fw@strlen.de>
commit f04df573faf90bb828a2241b650598c02c074323
upstream-diff Context conflicts resolution in `nft_pipapo_avx2_lookup()'.
  No actual diff.
netfilter: nf_set_pipapo: fix initial map fill

jira VULN-42212
cve CVE-2024-57947
commit-author Florian Westphal <fw@strlen.de>
commit 791a615b7ad2258c560f91852be54b0480837c93
netfilter: nf_set_pipapo_avx2: fix initial map fill

jira VULN-71797
cve CVE-2025-38120
commit-author Florian Westphal <fw@strlen.de>
commit ea77c397bff8b6d59f6d83dae1425b08f465e8b5

kABI check: passed

[1/2] kabi_check_kernel	Check ABI of kernel [ciqlts9_2-CVE-batch-16]	_kabi_check_kernel__x86_64--test--ciqlts9_2-CVE-batch-16
++ uname -m
+ python3 /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/check-kabi -k /data/src/ctrliq-github-haskell/kernel-dist-git-el-9.2/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts9_2/build_files/kernel-src-tree-ciqlts9_2-CVE-batch-16/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts9_2-CVE-batch-16/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed

Reference

kselftests--ciqlts9_2--run1.log
kselftests--ciqlts9_2--run2.log

Patch

kselftests--ciqlts9_2-CVE-batch-16--run1.log
kselftests--ciqlts9_2-CVE-batch-16--run2.log
kselftests--ciqlts9_2-CVE-batch-16--run3.log
kselftests--ciqlts9_2-CVE-batch-16--run4.log
kselftests--ciqlts9_2-CVE-batch-16--run5.log

Comparison

The test results for the reference and the patch are the same.

$ ktests.xsh diff kselftests*.log

Column    File
--------  --------------------------------------------
Status0   kselftests--ciqlts9_2--run1.log
Status1   kselftests--ciqlts9_2--run2.log
Status2   kselftests--ciqlts9_2-CVE-batch-16--run1.log
Status3   kselftests--ciqlts9_2-CVE-batch-16--run2.log
Status4   kselftests--ciqlts9_2-CVE-batch-16--run3.log
Status5   kselftests--ciqlts9_2-CVE-batch-16--run4.log
Status6   kselftests--ciqlts9_2-CVE-batch-16--run5.log

TestCase                              Status0  Status1  Status2  Status3  Status4  Status5  Status6  Summary
netfilter:conntrack_icmp_related.sh   pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh  pass     pass     pass     pass     pass     pass     pass     same
netfilter:conntrack_vrf.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipip-conntrack-mtu.sh       pass     pass     pass     pass     pass     pass     pass     same
netfilter:ipvs.sh                     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nf_nat_edemux.sh            pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_conntrack_helper.sh     pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_fib.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_meta.sh                 pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_nat.sh                  pass     pass     pass     pass     pass     pass     pass     same
netfilter:nft_queue.sh                pass     pass     pass     pass     pass     pass     pass     same
netfilter:rpath.sh                    pass     pass     pass     pass     pass     pass     pass     same

jira VULN-7048
cve-pre CVE-2024-27397
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit d111692

This allows removing an expired element, which is not possible in other
existing set backends; this is more noticeable if gc-interval is high, so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is the delete element path. Return NULL if the element
has expired.

Fixes: 8d8540c ("netfilter: nft_set_rbtree: add timeout support")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit d111692)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-7048
cve CVE-2024-27397
commit-author Pablo Neira Ayuso <pablo@netfilter.org>
commit 7395dfa
upstream-diff Omitted changes in `nft_rbtree_gc()' in
  net/netfilter/nft_set_rbtree.c. Function `nft_rbtree_gc()' was changed
  from async to sync in 7d259f0
  ("nft_set_rbtree: prefer sync gc to async worker"), which was not
  backported to ciqlts9_2 and `nft_rbtree_gc()' remains asynchronous in
  this version. The upstream fix 7395dfa
  left checking current time as it was in the async garbage collectors:
  "Then, there is async gc which also needs to check the current time
  since it runs asynchronously from a workqueue." Similar situation
  occurred in linux-5.15.y and the fix backported as
  0d40e8c omits changes in
  `nft_rbtree_gc()' as well.

Add a timestamp field at the beginning of the transaction, store it
in the nftables per-netns area.

Update set backend .insert, .deactivate and sync gc path to use the
timestamp; this avoids an element expiring while the control plane
transaction is still unfinished.

.lookup and .update, which are used from the packet path, still use the
current time to check if the element has expired. So do the .get path and dump,
since these run lockless under the rcu read side lock. Then, there is
async gc which also needs to check the current time since it runs
asynchronously from a workqueue.

Fixes: c3e1b00 ("netfilter: nf_tables: add set element timeout support")
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 7395dfa)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-42212
cve-pre CVE-2024-57947
commit-author Florian Westphal <fw@strlen.de>
commit f04df57
upstream-diff Context conflicts resolution in `nft_pipapo_avx2_lookup()'.
  No actual diff.

Those get called from packet path, content must not be modified.
No functional changes intended.

	Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit f04df57)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-42212
cve CVE-2024-57947
commit-author Florian Westphal <fw@strlen.de>
commit 791a615

The initial buffer has to be inited to all-ones, but it must restrict
it to the size of the first field, not the total field size.

After each round in the map search step, the result and the fill map
are swapped, so if we have a set where f->bsize of the first element
is smaller than m->bsize_max, those one-bits are leaked into future
rounds result map.

This makes pipapo find incorrect matching results for sets where the
first field size is not the largest.

Followup patch adds a test case to nft_concat_range.sh selftest script.

Thanks to Stefano Brivio for pointing out that we need to zero out
the remainder explicitly, only correcting memset() argument isn't enough.

Fixes: 3c4287f ("nf_tables: Add set type for arbitrary concatenation of ranges")
	Reported-by: Yi Chen <yiche@redhat.com>
	Cc: Stefano Brivio <sbrivio@redhat.com>
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 791a615)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-71797
cve CVE-2025-38120
commit-author Florian Westphal <fw@strlen.de>
commit ea77c39

If the first field doesn't cover the entire start map, then we must zero
out the remainder, else we leak those bits into the next match round map.

The earlier fix was incomplete and only fixed up the generic C
implementation.

A followup patch adds a test case to nft_concat_range.sh.

Fixes: 791a615 ("netfilter: nf_set_pipapo: fix initial map fill")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit ea77c39)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
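The initial map fill bug that 791a615 and ea77c39 correct, as an added example rather than kernel or project code: a toy model of the pipapo map search with 8-bit words, where the buggy all-ones fill over bsize_max words survives the first rounds and leaks into a later field's result map, reporting a match for a packet that no element covers. The struct layouts, refill/lookup/lookup_demo and the three-field sample set are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Toy model of the pipapo map search (added example, not kernel code): 8-bit words instead of
 * unsigned long, and a field's per-group bucket ANDs collapsed into one "bucket" bitmap. */
#define WBITS 8
typedef uint8_t word_t;
struct mapping { unsigned to, n; };  /* rule r of this field -> rules [to, to+n) of the next */
struct field { unsigned bsize; const word_t *bucket; const struct mapping *mt; };
struct match { unsigned nfields, bsize_max; const struct field *f; };
/* Like pipapo_refill(): for each set bit in the first len words of map, set the mapped next-field
 * rules in dst and clear the word (-1 if nothing was set); on the last field return the rule. */
static int refill(word_t *map, unsigned len, word_t *dst, const struct mapping *mt, bool last)
{
    int ret = -1;
    for (unsigned k = 0; k < len; map[k++] = 0) {
        for (word_t bits = map[k]; bits; bits &= bits - 1) {
            unsigned r = k * WBITS + __builtin_ctz(bits);
            if (last) return (int)r;
            ret = 0;
            for (unsigned i = mt[r].to; i < mt[r].to + mt[r].n; i++)
                dst[i / WBITS] |= (word_t)(1u << (i % WBITS));
        }
    }
    return ret;
}
/* One lookup over all fields. Returns the matching rule of the last field, or -1. */
static int lookup(const struct match *m, bool fixed_init)
{
    word_t scratch[16] = {0}, *res = scratch, *fill = scratch + m->bsize_max, *tmp;
    unsigned ones = fixed_init ? m->f[0].bsize : m->bsize_max; /* bug: ones past field 0 */
    for (unsigned k = 0; k < m->bsize_max; k++)  /* 791a615: ones for field 0 only, rest zeroed */
        res[k] = k < ones ? 0xff : 0;            /* (the kernel reuses this scratch map) */
    for (unsigned i = 0; i < m->nfields; i++) {
        const struct field *f = &m->f[i];
        for (unsigned k = 0; k < f->bsize; k++)
            res[k] &= f->bucket[k];              /* keep only the rules this field matched */
        int b = refill(res, f->bsize, fill, f->mt, i + 1 == m->nfields);
        if (b < 0 || i + 1 == m->nfields) return b;
        tmp = res; res = fill; fill = tmp;       /* swap result and fill map, as the kernel does */
    }
    return -1;
}
/* Constructed 3-field set: fields 0 and 1 hold 2 rules (one word each), field 2 holds 10
 * rules (two words), so bsize_max = 2 and the first field is not the largest. */
static const struct mapping mt0[] = { {0, 1}, {1, 1} }, mt1[] = { {0, 1}, {9, 1} };
/* Packet falls in rule 0 of fields 0 and 1 but only in rule 9 of field 2: no element matches. */
static const word_t b0[] = {0x01}, b1[] = {0x01}, b2[] = {0x00, 0x02};
static const struct field fields[] = { {1, b0, mt0}, {1, b1, mt1}, {2, b2, 0} };
/* Buggy init returns 9 (a leaked one-bit claims rule 9); fixed init returns -1 (no match). */
int lookup_demo(bool fixed_init) { return lookup(&(const struct match){ 3, 2, fields }, fixed_init); }
```

The leaked bits only surface on the third field because the first refill clears just the first field's words and the swap hands the untouched remainder on as the next fill map, which is why the bug needs a set whose first field is smaller than a later one.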
@pvts-mat pvts-mat marked this pull request as ready for review January 8, 2026 14:01