[pve-devel] [PATCH kernel] add patch to fix ipset memory exhaustion

David Limbeck d.limbeck at proxmox.com
Wed Feb 20 14:08:22 CET 2019


Add a patch from upstream until it is fixed in the Ubuntu 4.15 kernel.

Signed-off-by: David Limbeck <d.limbeck at proxmox.com>
---
 ...ter-ipset-Fix-wraparound-n-hash-net-types.patch | 318 +++++++++++++++++++++
 1 file changed, 318 insertions(+)
 create mode 100644 patches/kernel/0010-netfilter-ipset-Fix-wraparound-n-hash-net-types.patch

diff --git a/patches/kernel/0010-netfilter-ipset-Fix-wraparound-n-hash-net-types.patch b/patches/kernel/0010-netfilter-ipset-Fix-wraparound-n-hash-net-types.patch
new file mode 100644
index 0000000..282e380
--- /dev/null
+++ b/patches/kernel/0010-netfilter-ipset-Fix-wraparound-n-hash-net-types.patch
@@ -0,0 +1,318 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+Date: Fri, 12 Jan 2018 11:16:50 +0100
+Subject: [PATCH] netfilter: ipset: Fix wraparound in hash:*net* types
+
+Fix wraparound bug which could lead to memory exhaustion when adding an
+x.x.x.x-255.255.255.255 range to any hash:*net* types.
+
+Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.
+
+Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
+Signed-off-by: Jozsef Kadlecsik <kadlec at blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/ipset/ip_set_hash_ipportnet.c  | 26 ++++++++++-----------
+ net/netfilter/ipset/ip_set_hash_net.c        |  9 ++++---
+ net/netfilter/ipset/ip_set_hash_netiface.c   |  9 ++++---
+ net/netfilter/ipset/ip_set_hash_netnet.c     | 28 +++++++++++-----------
+ net/netfilter/ipset/ip_set_hash_netport.c    | 19 ++++++++-------
+ net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++++++++++++++--------------
+ 6 files changed, 63 insertions(+), 63 deletions(-)
+
+diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
+index 0f164e986bf1..88b83d6d3084 100644
+--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
++++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
+@@ -168,7 +168,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+ 	u32 ip = 0, ip_to = 0, p = 0, port, port_to;
+-	u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
++	u32 ip2_from = 0, ip2_to = 0, ip2;
+ 	bool with_ports = false;
+ 	u8 cidr;
+ 	int ret;
+@@ -269,22 +269,21 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1);
+ 	}
+ 
+-	if (retried)
++	if (retried) {
+ 		ip = ntohl(h->next.ip);
++		p = ntohs(h->next.port);
++		ip2 = ntohl(h->next.ip2);
++	} else {
++		p = port;
++		ip2 = ip2_from;
++	}
+ 	for (; ip <= ip_to; ip++) {
+ 		e.ip = htonl(ip);
+-		p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
+-						       : port;
+ 		for (; p <= port_to; p++) {
+ 			e.port = htons(p);
+-			ip2 = retried &&
+-			      ip == ntohl(h->next.ip) &&
+-			      p == ntohs(h->next.port)
+-				? ntohl(h->next.ip2) : ip2_from;
+-			while (ip2 <= ip2_to) {
++			do {
+ 				e.ip2 = htonl(ip2);
+-				ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
+-								&cidr);
++				ip2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr);
+ 				e.cidr = cidr - 1;
+ 				ret = adtfn(set, &e, &ext, &ext, flags);
+ 
+@@ -292,9 +291,10 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 					return ret;
+ 
+ 				ret = 0;
+-				ip2 = ip2_last + 1;
+-			}
++			} while (ip2++ < ip2_to);
++			ip2 = ip2_from;
+ 		}
++		p = port;
+ 	}
+ 	return ret;
+ }
+diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
+index 1c67a1761e45..5449e23af13a 100644
+--- a/net/netfilter/ipset/ip_set_hash_net.c
++++ b/net/netfilter/ipset/ip_set_hash_net.c
+@@ -143,7 +143,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	ipset_adtfn adtfn = set->variant->adt[adt];
+ 	struct hash_net4_elem e = { .cidr = HOST_MASK };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+-	u32 ip = 0, ip_to = 0, last;
++	u32 ip = 0, ip_to = 0;
+ 	int ret;
+ 
+ 	if (tb[IPSET_ATTR_LINENO])
+@@ -193,16 +193,15 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	}
+ 	if (retried)
+ 		ip = ntohl(h->next.ip);
+-	while (ip <= ip_to) {
++	do {
+ 		e.ip = htonl(ip);
+-		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
++		ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
+ 		ret = adtfn(set, &e, &ext, &ext, flags);
+ 		if (ret && !ip_set_eexist(ret, flags))
+ 			return ret;
+ 
+ 		ret = 0;
+-		ip = last + 1;
+-	}
++	} while (ip++ < ip_to);
+ 	return ret;
+ }
+ 
+diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
+index d417074f1c1a..f5164c1efce2 100644
+--- a/net/netfilter/ipset/ip_set_hash_netiface.c
++++ b/net/netfilter/ipset/ip_set_hash_netiface.c
+@@ -200,7 +200,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	ipset_adtfn adtfn = set->variant->adt[adt];
+ 	struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+-	u32 ip = 0, ip_to = 0, last;
++	u32 ip = 0, ip_to = 0;
+ 	int ret;
+ 
+ 	if (tb[IPSET_ATTR_LINENO])
+@@ -255,17 +255,16 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 
+ 	if (retried)
+ 		ip = ntohl(h->next.ip);
+-	while (ip <= ip_to) {
++	do {
+ 		e.ip = htonl(ip);
+-		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
++		ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
+ 		ret = adtfn(set, &e, &ext, &ext, flags);
+ 
+ 		if (ret && !ip_set_eexist(ret, flags))
+ 			return ret;
+ 
+ 		ret = 0;
+-		ip = last + 1;
+-	}
++	} while (ip++ < ip_to);
+ 	return ret;
+ }
+ 
+diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
+index 7f9ae2e9645b..5a2b923bd81f 100644
+--- a/net/netfilter/ipset/ip_set_hash_netnet.c
++++ b/net/netfilter/ipset/ip_set_hash_netnet.c
+@@ -169,8 +169,8 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	ipset_adtfn adtfn = set->variant->adt[adt];
+ 	struct hash_netnet4_elem e = { };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+-	u32 ip = 0, ip_to = 0, last;
+-	u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
++	u32 ip = 0, ip_to = 0;
++	u32 ip2 = 0, ip2_from = 0, ip2_to = 0;
+ 	int ret;
+ 
+ 	if (tb[IPSET_ATTR_LINENO])
+@@ -247,27 +247,27 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
+ 	}
+ 
+-	if (retried)
++	if (retried) {
+ 		ip = ntohl(h->next.ip[0]);
++		ip2 = ntohl(h->next.ip[1]);
++	} else {
++		ip2 = ip2_from;
++	}
+ 
+-	while (ip <= ip_to) {
++	do {
+ 		e.ip[0] = htonl(ip);
+-		last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+-		ip2 = (retried &&
+-		       ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
+-						   : ip2_from;
+-		while (ip2 <= ip2_to) {
++		ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
++		do {
+ 			e.ip[1] = htonl(ip2);
+-			last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
++			ip2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
+ 			ret = adtfn(set, &e, &ext, &ext, flags);
+ 			if (ret && !ip_set_eexist(ret, flags))
+ 				return ret;
+ 
+ 			ret = 0;
+-			ip2 = last2 + 1;
+-		}
+-		ip = last + 1;
+-	}
++		} while (ip2++ < ip2_to);
++		ip2 = ip2_from;
++	} while (ip++ < ip_to);
+ 	return ret;
+ }
+ 
+diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
+index e6ef382febe4..1a187be9ebc8 100644
+--- a/net/netfilter/ipset/ip_set_hash_netport.c
++++ b/net/netfilter/ipset/ip_set_hash_netport.c
+@@ -161,7 +161,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	ipset_adtfn adtfn = set->variant->adt[adt];
+ 	struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+-	u32 port, port_to, p = 0, ip = 0, ip_to = 0, last;
++	u32 port, port_to, p = 0, ip = 0, ip_to = 0;
+ 	bool with_ports = false;
+ 	u8 cidr;
+ 	int ret;
+@@ -239,25 +239,26 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 		ip_set_mask_from_to(ip, ip_to, e.cidr + 1);
+ 	}
+ 
+-	if (retried)
++	if (retried) {
+ 		ip = ntohl(h->next.ip);
+-	while (ip <= ip_to) {
++		p = ntohs(h->next.port);
++	} else {
++		p = port;
++	}
++	do {
+ 		e.ip = htonl(ip);
+-		last = ip_set_range_to_cidr(ip, ip_to, &cidr);
++		ip = ip_set_range_to_cidr(ip, ip_to, &cidr);
+ 		e.cidr = cidr - 1;
+-		p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
+-						       : port;
+ 		for (; p <= port_to; p++) {
+ 			e.port = htons(p);
+ 			ret = adtfn(set, &e, &ext, &ext, flags);
+-
+ 			if (ret && !ip_set_eexist(ret, flags))
+ 				return ret;
+ 
+ 			ret = 0;
+ 		}
+-		ip = last + 1;
+-	}
++		p = port;
++	} while (ip++ < ip_to);
+ 	return ret;
+ }
+ 
+diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
+index 8602f2595a1a..d391485a6acd 100644
+--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
++++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
+@@ -184,8 +184,8 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 	ipset_adtfn adtfn = set->variant->adt[adt];
+ 	struct hash_netportnet4_elem e = { };
+ 	struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
+-	u32 ip = 0, ip_to = 0, ip_last, p = 0, port, port_to;
+-	u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
++	u32 ip = 0, ip_to = 0, p = 0, port, port_to;
++	u32 ip2_from = 0, ip2_to = 0, ip2;
+ 	bool with_ports = false;
+ 	int ret;
+ 
+@@ -288,33 +288,34 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
+ 		ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
+ 	}
+ 
+-	if (retried)
++	if (retried) {
+ 		ip = ntohl(h->next.ip[0]);
++		p = ntohs(h->next.port);
++		ip2 = ntohl(h->next.ip[1]);
++	} else {
++		p = port;
++		ip2 = ip2_from;
++	}
+ 
+-	while (ip <= ip_to) {
++	do {
+ 		e.ip[0] = htonl(ip);
+-		ip_last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+-		p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
+-							  : port;
++		ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+ 		for (; p <= port_to; p++) {
+ 			e.port = htons(p);
+-			ip2 = (retried && ip == ntohl(h->next.ip[0]) &&
+-			       p == ntohs(h->next.port)) ? ntohl(h->next.ip[1])
+-							 : ip2_from;
+-			while (ip2 <= ip2_to) {
++			do {
+ 				e.ip[1] = htonl(ip2);
+-				ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
+-								&e.cidr[1]);
++				ip2 = ip_set_range_to_cidr(ip2, ip2_to,
++							   &e.cidr[1]);
+ 				ret = adtfn(set, &e, &ext, &ext, flags);
+ 				if (ret && !ip_set_eexist(ret, flags))
+ 					return ret;
+ 
+ 				ret = 0;
+-				ip2 = ip2_last + 1;
+-			}
++			} while (ip2++ < ip2_to);
++			ip2 = ip2_from;
+ 		}
+-		ip = ip_last + 1;
+-	}
++		p = port;
++	} while (ip++ < ip_to);
+ 	return ret;
+ }
+ 
+-- 
+2.11.0
+
-- 
2.11.0




More information about the pve-devel mailing list