Fixes: 4bedf9eee016 ("netfilter: nf_tables: fix chain binding transaction logic")
Reported-by: Kevin Rich <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
(cherry picked from commit 0a771f7b266b02d262900c75f1e175c7fe76fec2)
CVE-2023-4015
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Timo Aaltonen <email address hidden>
23d5311...
by
Pablo Neira Ayuso <email address hidden>
netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID
Bail out with EOPNOTSUPP when adding rule to bound chain via
NFTA_RULE_CHAIN_ID. The following warning splat is shown when
adding a rule to a deleted bound chain:
Fixes: d0e2c7de92c7 ("netfilter: nf_tables: add NFT_CHAIN_BINDING")
Reported-by: Kevin Rich <email address hidden>
Signed-off-by: Pablo Neira Ayuso <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
(cherry picked from commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8)
CVE-2023-3777
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Timo Aaltonen <email address hidden>
99227d4...
by
"Borislav Petkov (AMD)" <email address hidden>
x86/cpu/amd: Move the errata checking functionality up
Avoid new and remove old forward declarations.
No functional changes.
Signed-off-by: Borislav Petkov (AMD) <email address hidden>
(backported from commit 8b6f687743dacce83dbb0c7cfacf88bab00f808a)
[cascardo: small context conflict at set_dr_addr_mask]
CVE-2023-20593
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Timo Aaltonen <email address hidden>
d5e9a8f...
by
Florian Westphal <email address hidden>
netfilter: nft_set_pipapo: fix improper element removal
end key should be equal to start unless NFT_SET_EXT_KEY_END is present.
It's possible to add elements that only have a start key
("{ 1.0.0.0 . 2.0.0.0 }") without an interval end.
Insertion treats this via:
    if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END))
            end = (const u8 *)nft_set_ext_key_end(ext)->data;
    else
            end = start;
but removal side always uses nft_set_ext_key_end().
This is wrong and leads to garbage remaining in the set after removal;
the next lookup/insert attempt will give:
BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90
Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399
Call Trace:
kasan_report+0x105/0x140
pipapo_get+0x8eb/0xb90
nft_pipapo_insert+0x1dc/0x1710
nf_tables_newsetelem+0x31f5/0x4e00
..
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Reported-by: lonial con <email address hidden>
Reviewed-by: Stefano Brivio <email address hidden>
Signed-off-by: Florian Westphal <email address hidden>
(cherry picked from commit 87b5a5c209405cb6b57424cdfa226a6dbd349232)
CVE-2023-4004
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Signed-off-by: Timo Aaltonen <email address hidden>
This change causes a regression when the eDP and external display are in
mirror mode. When the external display supports a lower resolution than eDP,
using eDP timing to drive the external display may cause corruption on the
external display.
This reverts commit e749dd10e5f292061ad63d2b030194bf7d7d452c.