netfilter: nf_tables: prefer nft_chain_validate

PlaidCat · PlaidCat · commit dce3a507be78 · 2025-06-06T13:32:50.000-04:00
jira LE-3201 cve CVE-2024-41042 Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10 commit-author Florian Westphal <fw@strlen.de> commit cff3bd0 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/cff3bd01.failed nft_chain_validate already performs loop detection because a cycle will result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE). It also follows maps via ->validate callback in nft_lookup, so there appears no reason to iterate the maps again. nf_tables_check_loops() and all its helper functions can be removed. This improves ruleset load time significantly, from 23s down to 12s. This also fixes a crash bug. Old loop detection code can result in unbounded recursion: BUG: TASK stack guard page was hit at .... Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1 [..] with a suitable ruleset during validation of register stores. I can't see any actual reason to attempt to check for this from nft_validate_register_store(), at this point the transaction is still in progress, so we don't have a full picture of the rule graph. For nf-next it might make sense to either remove it or make this depend on table->validate_state in case we could catch an error earlier (for improved error reporting to userspace). Fixes: 20a6934 ("netfilter: nf_tables: add netlink set API") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> (cherry picked from commit cff3bd0) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # net/netfilter/nf_tables_api.c
diff --git a/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/cff3bd01.failed b/ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/cff3bd01.failed
@@ -0,0 +1,162 @@
+netfilter: nf_tables: prefer nft_chain_validate
+
+jira LE-3201
+cve CVE-2024-41042
+Rebuild_History Non-Buildable kernel-rt-4.18.0-553.27.1.rt7.368.el8_10
+commit-author Florian Westphal <fw@strlen.de>
+commit cff3bd012a9512ac5ed858d38e6ed65f6391008c
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-rt-4.18.0-553.27.1.rt7.368.el8_10/cff3bd01.failed
+
+nft_chain_validate already performs loop detection because a cycle will
+result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).
+
+It also follows maps via ->validate callback in nft_lookup, so there
+appears no reason to iterate the maps again.
+
+nf_tables_check_loops() and all its helper functions can be removed.
+This improves ruleset load time significantly, from 23s down to 12s.
+
+This also fixes a crash bug. Old loop detection code can result in
+unbounded recursion:
+
+BUG: TASK stack guard page was hit at ....
+Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN
+CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1
+[..]
+
+with a suitable ruleset during validation of register stores.
+
+I can't see any actual reason to attempt to check for this from
+nft_validate_register_store(), at this point the transaction is still in
+progress, so we don't have a full picture of the rule graph.
+
+For nf-next it might make sense to either remove it or make this depend
+on table->validate_state in case we could catch an error earlier
+(for improved error reporting to userspace).
+
+Fixes: 20a69341f2d0 ("netfilter: nf_tables: add netlink set API")
+	Signed-off-by: Florian Westphal <fw@strlen.de>
+	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+(cherry picked from commit cff3bd012a9512ac5ed858d38e6ed65f6391008c)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	net/netfilter/nf_tables_api.c
+diff --cc net/netfilter/nf_tables_api.c
+index a8d03cec29c3,91cc3a81ba8f..000000000000
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@@ -8781,107 -10821,6 +8793,110 @@@ int nft_chain_validate_hooks(const stru
+  }
+  EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
+  
+++<<<<<<< HEAD
+ +/*
+ + * Loop detection - walk through the ruleset beginning at the destination chain
+ + * of a new jump until either the source chain is reached (loop) or all
+ + * reachable chains have been traversed.
+ + *
+ + * The loop check is performed whenever a new jump verdict is added to an
+ + * expression or verdict map or a verdict map is bound to a new chain.
+ + */
+ +
+ +static int nf_tables_check_loops(const struct nft_ctx *ctx,
+ +				 const struct nft_chain *chain);
+ +
+ +static int nf_tables_loop_check_setelem(const struct nft_ctx *ctx,
+ +					struct nft_set *set,
+ +					const struct nft_set_iter *iter,
+ +					struct nft_set_elem *elem)
+ +{
+ +	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+ +	const struct nft_data *data;
+ +
+ +	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
+ +	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
+ +		return 0;
+ +
+ +	data = nft_set_ext_data(ext);
+ +	switch (data->verdict.code) {
+ +	case NFT_JUMP:
+ +	case NFT_GOTO:
+ +		return nf_tables_check_loops(ctx, data->verdict.chain);
+ +	default:
+ +		return 0;
+ +	}
+ +}
+ +
+ +static int nf_tables_check_loops(const struct nft_ctx *ctx,
+ +				 const struct nft_chain *chain)
+ +{
+ +	const struct nft_rule *rule;
+ +	const struct nft_expr *expr, *last;
+ +	struct nft_set *set;
+ +	struct nft_set_binding *binding;
+ +	struct nft_set_iter iter;
+ +
+ +	if (ctx->chain == chain)
+ +		return -ELOOP;
+ +
+ +	list_for_each_entry(rule, &chain->rules, list) {
+ +		nft_rule_for_each_expr(expr, last, rule) {
+ +			struct nft_immediate_expr *priv;
+ +			const struct nft_data *data;
+ +			int err;
+ +
+ +			if (strcmp(expr->ops->type->name, "immediate"))
+ +				continue;
+ +
+ +			priv = nft_expr_priv(expr);
+ +			if (priv->dreg != NFT_REG_VERDICT)
+ +				continue;
+ +
+ +			data = &priv->data;
+ +			switch (data->verdict.code) {
+ +			case NFT_JUMP:
+ +			case NFT_GOTO:
+ +				err = nf_tables_check_loops(ctx,
+ +							data->verdict.chain);
+ +				if (err < 0)
+ +					return err;
+ +				break;
+ +			default:
+ +				break;
+ +			}
+ +		}
+ +	}
+ +
+ +	list_for_each_entry(set, &ctx->table->sets, list) {
+ +		if (!nft_is_active_next(ctx->net, set))
+ +			continue;
+ +		if (!(set->flags & NFT_SET_MAP) ||
+ +		    set->dtype != NFT_DATA_VERDICT)
+ +			continue;
+ +
+ +		list_for_each_entry(binding, &set->bindings, list) {
+ +			if (!(binding->flags & NFT_SET_MAP) ||
+ +			    binding->chain != chain)
+ +				continue;
+ +
+ +			iter.genmask	= nft_genmask_next(ctx->net);
+ +			iter.skip 	= 0;
+ +			iter.count	= 0;
+ +			iter.err	= 0;
+ +			iter.fn		= nf_tables_loop_check_setelem;
+ +
+ +			set->ops->walk(ctx, set, &iter);
+ +			if (iter.err < 0)
+ +				return iter.err;
+ +		}
+ +	}
+ +
+ +	return 0;
+ +}
+ +
+++=======
+++>>>>>>> cff3bd012a95 (netfilter: nf_tables: prefer nft_chain_validate)
+  /**
+   *	nft_parse_u32_check - fetch u32 attribute and check for maximum value
+   *
+* Unmerged path net/netfilter/nf_tables_api.c
