[linux] 01/01: netfilter: nft_set_hash: disable fast_ops for 2-len keys

debian-kernel at lists.debian.org
Sat Nov 4 15:49:15 UTC 2017


This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch sid
in repository linux.

commit e7fd57b49fd7c877949e6be1ee4c253059d4016f
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Sat Nov 4 15:43:16 2017 +0100

    netfilter: nft_set_hash: disable fast_ops for 2-len keys
    
    Closes: #880145
---
 debian/changelog                                   |  1 +
 ...ft_set_hash-disable-fast_ops-for-2-len-ke.patch | 57 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 59 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index cdd3c43..6ed0f18 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -50,6 +50,7 @@ linux (4.13.11-1) UNRELEASED; urgency=medium
   [ Salvatore Bonaccorso ]
   * cifs: check MaxPathNameComponentLength != 0 before using it.
     Thanks to Andrew Chadwick (Closes: #880504)
+  * netfilter: nft_set_hash: disable fast_ops for 2-len keys (Closes: #880145)
 
  -- Salvatore Bonaccorso <carnil at debian.org>  Sat, 04 Nov 2017 09:54:41 +0100
 
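Review bot: the changelog entry on the added line states only the upstream subject and the bug number, so a reader scanning the changelog cannot tell that this is a user-visible correctness fix (nftables fixed-size sets with 2-byte keys, such as port sets, silently missing elements on lookup). Suggest a short impact clause alongside the bug reference, for example "netfilter: nft_set_hash: disable fast_ops for 2-len keys (fixes incorrect set lookups on 2-byte keys; Closes: #880145)".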
diff --git a/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch b/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch
new file mode 100644
index 0000000..acfb365
--- /dev/null
+++ b/debian/patches/bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch
@@ -0,0 +1,57 @@
+From: Anatole Denis <anatole at rezel.net>
+Date: Wed, 4 Oct 2017 01:17:14 +0100
+Subject: netfilter: nft_set_hash: disable fast_ops for 2-len keys
+Origin: https://git.kernel.org/linus/0414c78f14861cb704d6e6888efd53dd36e3bdde
+Bug-Debian: https://bugs.debian.org/880145
+
+jhash_1word of a u16 is a different value from jhash of the same u16 with
+length 2.
+Since elements are always inserted in sets using jhash over the actual
+klen, this would lead to incorrect lookups on fixed-size sets with a key
+length of 2, as they would be inserted with hash value jhash(key, 2) and
+looked up with hash value jhash_1word(key), which is different.
+
+Example reproducer(v4.13+), using anonymous sets which always have a
+fixed size:
+
+  table inet t {
+      chain c {
+                  type filter hook output priority 0; policy accept;
+                  tcp dport { 10001, 10003, 10005, 10007, 10009 } counter packets 4 bytes 240 reject
+                  tcp dport 10001 counter packets 4 bytes 240 reject
+                  tcp dport 10003 counter packets 4 bytes 240 reject
+                  tcp dport 10005 counter packets 4 bytes 240 reject
+                  tcp dport 10007 counter packets 0 bytes 0 reject
+                  tcp dport 10009 counter packets 4 bytes 240 reject
+          }
+  }
+
+then use nc -z localhost <port> to probe; incorrectly hashed ports will
+pass through the set lookup and increment the counter of an individual
+rule.
+
+jhash being seeded with a random value, it is not deterministic which
+ports will incorrectly hash, but in testing with 5 ports in the set I
+always had 4 or 5 with an incorrect hash value.
+
+Signed-off-by: Anatole Denis <anatole at rezel.net>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nft_set_hash.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
+index 0fa01d772c5e..9c0d5a7ce5f9 100644
+--- a/net/netfilter/nft_set_hash.c
++++ b/net/netfilter/nft_set_hash.c
+@@ -643,7 +643,6 @@ nft_hash_select_ops(const struct nft_ctx *ctx, const struct nft_set_desc *desc,
+ {
+ 	if (desc->size) {
+ 		switch (desc->klen) {
+-		case 2:
+ 		case 4:
+ 			return &nft_hash_fast_ops;
+ 		default:
+-- 
+2.11.0
+
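Review bot: the hunk context stops at the `default:` label, so the ops that klen == 2 now selects after `case 2:` is dropped are not visible in this diff; confirm that the `default:` branch returns the generic hash ops whose insert and lookup both hash with jhash over the real klen, since that is the whole reason the change fixes the mismatch described in the commit message (insert with jhash(key, 2), lookup with jhash_1word). The `case 4:` fast path is kept, consistent with the description calling out only 2-byte keys. The Origin: line points at the upstream commit and the reproducer says v4.13+, which matches this 4.13.11 tree, so the unmodified cherry-pick looks appropriate here; it would also be worth stating in the patch header that it applied without changes.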
diff --git a/debian/patches/series b/debian/patches/series
index c908afc..921f6fd 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -79,6 +79,7 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch
 bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/bfq-re-enable-auto-loading-when-built-as-a-module.patch
 bugfix/all/cifs-check-MaxPathNameComponentLength-0-before-using.patch
+bugfix/all/netfilter-nft_set_hash-disable-fast_ops-for-2-len-ke.patch
 
 # Miscellaneous features
 

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git