lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <89dded30-d250-4b7a-b5a8-b18e3b509bf1@leemhuis.info>
Date:   Fri, 29 Sep 2023 13:46:29 +0200
From:   "Linux regression tracking (Thorsten Leemhuis)" 
        <regressions@...mhuis.info>
To:     Florian Westphal <fw@...len.de>,
        Linux regressions mailing list <regressions@...ts.linux.dev>
Cc:     Pablo Neira Ayuso <pablo@...filter.org>,
        Timo Sigurdsson <public_timo.s@...entcreek.de>,
        kadlec@...filter.org, davem@...emloft.net, edumazet@...gle.com,
        kuba@...nel.org, pabeni@...hat.com,
        netfilter-devel@...r.kernel.org, coreteam@...filter.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org, sashal@...nel.org, carnil@...ian.org,
        1051592@...s.debian.org
Subject: Re: Regression: Commit "netfilter: nf_tables: disallow rule addition
 to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable

On 12.09.23 12:27, Florian Westphal wrote:
> Linux regression tracking (Thorsten Leemhuis) <regressions@...mhuis.info> wrote:
>> On 12.09.23 00:57, Pablo Neira Ayuso wrote:
>>> Userspace nftables v1.0.6 generates incorrect bytecode that hits a new
>>> kernel check that rejects adding rules to bound chains. The incorrect
>>> bytecode adds the chain binding, attach it to the rule and it adds the
>>> rules to the chain binding. I have cherry-picked these three patches
>>> for nftables v1.0.6 userspace and your ruleset restores fine.
>>> [...]
>>
>> Hmmmm. Well, this sounds like a kernel regression to me that normally
>> should be dealt with on the kernel level, as users after updating the
>> kernel should never have to update any userspace stuff to continue what
>> they have been doing before the kernel update.
> 
> This is a combo of a userspace bug and this new sanity check that
> rejects the incorrect ordering (adding rules to the already-bound
> anonymous chain).
> 
> nf_tables uses a transaction allor-nothing model, this means that any
> error that occurs during a transaction has to be reverse/undo all the
> pending changes.  This has caused a myriad of bugs already.
> 
> So while this can be theoretically fixed in the kernel I don't see
> a sane way to do it.  Error unwinding / recovery from deeply nested
> errors is already too complex for my taste.
> 
>> Can't the kernel somehow detect the incorrect bytecode and do the right
>> thing(tm) somehow?
> 
> Theoretically yes, but I don't feel competent enough to do it, just look
> at all the UaF bugs of the past month.

Thx for the answer. FWIW, as this was a judgement call I mentioned this
in my last regression report to Linus; he didn't reply, so I guess it is
-- and will remove this issue from my tracking:

#regzbot resolve: can be solved by a nftables userspace update; not
nice, but likely best solution in this case
#regzbot ignore-activity

Ciao, Thorsten (wearing his 'the Linux kernel's regression tracker' hat)
--
Everything you wanna know about Linux kernel regression tracking:
https://linux-regtracking.leemhuis.info/about/#tldr
If I did something stupid, please tell me, as explained on that page.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ