Skip to content

[LTS 8.8] netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_… #325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: ciqlts8_8
Choose a base branch
from
Open

[LTS 8.8] netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_… #325

wants to merge 1 commit into from

Conversation

pvts-mat
Copy link
Contributor

@pvts-mat pvts-mat commented Jun 9, 2025

[LTS 8.8]
CVE-2023-42753
VULN-6667

Problem

https://nvd.nist.gov/vuln/detail/CVE-2023-42753

An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.

Original:
https://www.openwall.com/lists/oss-security/2023/09/22/10

Solution

The fix in mainline is given in 050d91c. All official backports have the same form. The fix is already present in Rockys CBR 7.9 (b0f9309), LTS 8.6 (fba0aaf) and LTS 9.4 (ab90fdc, ported by RedHat), all in the same form. It applies to LTS 8.8 smoothly as well.

kABI check: passed

DEBUG=1 CVE=CVE-2023-42753 ./ninja.sh _kabi_checked__x86_64--test--ciqlts8_8-CVE-2023-42753

[0/1] Check ABI of kernel [ciqlts8_8-CVE-2023-42753]
++ uname -m
+ python3 /data/src/ctrliq-github/kernel-dist-git-el-8.8/SOURCES/check-kabi -k /data/src/ctrliq-github/kernel-dist-git-el-8.8/SOURCES/Module.kabi_x86_64 -s vms/x86_64--build--ciqlts8_8/build_files/kernel-src-tree-ciqlts8_8-CVE-2023-42753/Module.symvers
kABI check passed
+ touch state/kernels/ciqlts8_8-CVE-2023-42753/x86_64/kabi_checked

Boot test: passed

boot-test.log

Kselftests: passed relative

Coverage

net (except reuseaddr_conflict, udpgso_bench.sh, gro.sh, ip_defrag.sh, udpgro_fwd.sh, reuseport_addr_any.sh, xfrm_policy.sh, txtimestamp.sh), netfilter (except nft_trans_stress.sh)

Following the discussion on Slack, and having established already what seems to be a set of stable tests for the LTS 8.8 version (no flappy results) - the only remaining reason for running full selftests routine for the last two months - a test run was done this time for the subsystems most likely affected by the change only.

Reference

kselftests–ciqlts8_8–run1.log
kselftests–ciqlts8_8–run2.log

Patch

kselftests–ciqlts8_8-CVE-2023-42753–run1.log
kselftests–ciqlts8_8-CVE-2023-42753–run2.log

Comparison

The test results are the same in the reference and patched kernel (presenting full results comparison)

$ ktests.xsh diff kselftests*.log

Column    File
--------  ----------------------------------------------
Status0   kselftests--ciqlts8_8--run1.log
Status1   kselftests--ciqlts8_8--run2.log
Status2   kselftests--ciqlts8_8-CVE-2023-42753--run1.log
Status3   kselftests--ciqlts8_8-CVE-2023-42753--run2.log

TestCase                              Status0  Status1  Status2  Status3  Summary
net:bareudp.sh                        pass     pass     pass     pass     same
net:devlink_port_split.py             skip     skip     skip     skip     same
net:drop_monitor_tests.sh             skip     skip     skip     skip     same
net:fcnal-test.sh                     skip     skip     skip     skip     same
net:fib-onlink-tests.sh               pass     pass     pass     pass     same
net:fib_rule_tests.sh                 fail     fail     fail     fail     same
net:fib_tests.sh                      pass     pass     pass     pass     same
net:gre_gso.sh                        skip     skip     skip     skip     same
net:icmp_redirect.sh                  pass     pass     pass     pass     same
net:ip6_gre_headroom.sh               pass     pass     pass     pass     same
net:ipv6_flowlabel.sh                 pass     pass     pass     pass     same
net:l2tp.sh                           pass     pass     pass     pass     same
net:msg_zerocopy.sh                   fail     fail     fail     fail     same
net:netdevice.sh                      pass     pass     pass     pass     same
net:pmtu.sh                           pass     pass     pass     pass     same
net:psock_snd.sh                      pass     pass     pass     pass     same
net:reuseport_bpf                     pass     pass     pass     pass     same
net:reuseport_bpf_cpu                 pass     pass     pass     pass     same
net:reuseport_bpf_numa                pass     pass     pass     pass     same
net:reuseport_dualstack               pass     pass     pass     pass     same
net:rps_default_mask.sh               fail     fail     fail     fail     same
net:rtnetlink.sh                      skip     skip     skip     skip     same
net:run_afpackettests                 pass     pass     pass     pass     same
net:run_netsocktests                  pass     pass     pass     pass     same
net:rxtimestamp.sh                    pass     pass     pass     pass     same
net:so_txtime.sh                      fail     fail     fail     fail     same
net:test_bpf.sh                       pass     pass     pass     pass     same
net:test_vxlan_fdb_changelink.sh      pass     pass     pass     pass     same
net:tls                               pass     pass     pass     pass     same
net:traceroute.sh                     pass     pass     pass     pass     same
net:udpgro.sh                         fail     fail     fail     fail     same
net:udpgro_bench.sh                   fail     fail     fail     fail     same
net:udpgso.sh                         pass     pass     pass     pass     same
net:veth.sh                           fail     fail     fail     fail     same
net:vrf-xfrm-tests.sh                 pass     pass     pass     pass     same
netfilter:conntrack_icmp_related.sh   pass     pass     pass     pass     same
netfilter:conntrack_tcp_unreplied.sh  fail     fail     fail     fail     same
netfilter:ipvs.sh                     skip     skip     skip     skip     same
netfilter:nft_flowtable.sh            fail     fail     fail     fail     same
netfilter:nft_meta.sh                 pass     pass     pass     pass     same
netfilter:nft_nat.sh                  fail     fail     fail     fail     same
netfilter:nft_queue.sh                pass     pass     pass     pass     same
netfilter:rpath.sh                    pass     pass     pass     pass     same

Specific tests: could not replicate

An attempt was made to test the change specifically for the patched vulnerability. The CVE author included a proof of concept program at https://www.openwall.com/lists/oss-security/2023/09/22/10/1. Unfortunately, the reported errors could not have been reproduced using this tool. The program was compiled and run on the reference kernel for two architectures x86_64 and aarch64, using kernel configuration with CONFIG_UBSAN enabled. What was expected were UBSAN's array-index-out-of-bounds messages similar to those given at https://www.openwall.com/lists/oss-security/2023/09/22/10.

===================== [Splash] ========================
[    6.059960] UBSAN: array-index-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:344:2
[    6.061493] index -1 is out of range for type 'struct net_prefixes[128]'
[    6.062601] CPU: 0 PID: 452 Comm: poc Not tainted 6.5.0+ #56
[    6.063538] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[    6.064455] Call Trace:
[    6.064570]  <TASK>
[    6.064675]  dump_stack_lvl+0x54/0x70
[    6.064848]  __ubsan_handle_out_of_bounds+0xd6/0x100
...

Instead the program was finishing without errors and the machine kept working fine. The specific tests were then abandoned.

@pvts-mat
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_…
e82a457 
…set_hash_netportnet.c

jira VULN-6667
cve CVE-2023-42753
commit-author Kyle Zeng <zengyhkyle@gmail.com>
commit 050d91c

The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
which can lead to integer underflow. As a result, it leads to slab
out-of-bound access.
This patch adds back the IP_SET_HASH_WITH_NET0 macro to
ip_set_hash_netportnet to address the issue.

Fixes: 886503f ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net")
	Suggested-by: Jozsef Kadlecsik <kadlec@netfilter.org>
	Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
	Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
	Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit 050d91c)
	Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
@pvts-mat pvts-mat mentioned this pull request Jun 9, 2025
Open
PlaidCat
PlaidCat approved these changes Jun 9, 2025
View reviewed changes
Copy link
Collaborator

@PlaidCat PlaidCat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:shipit:

bmastbergen
bmastbergen approved these changes Jun 10, 2025
View reviewed changes
Copy link
Collaborator

@bmastbergen bmastbergen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥌

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@PlaidCat PlaidCat PlaidCat approved these changes

@bmastbergen bmastbergen bmastbergen approved these changes

@kerneltoast kerneltoast Awaiting requested review from kerneltoast

@thefossguy-ciq thefossguy-ciq Awaiting requested review from thefossguy-ciq

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@pvts-mat @PlaidCat @bmastbergen