commit: ce90c103e4de17a41a31759377ca58c4d197acfb Author: Sam James <sam <AT> gentoo <DOT> org> AuthorDate: Sat Jul 6 04:55:59 2024 +0000 Commit: Sam James <sam <AT> gentoo <DOT> org> CommitDate: Sat Jul 6 04:55:59 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ce90c103
net-firewall/ipset: backport buffer overflow fixes This fixes an environment issue we were hitting on infra. Signed-off-by: Sam James <sam <AT> gentoo.org> .../ipset/files/ipset-7.22-argv-bounds.patch | 36 +++++++ .../files/ipset-7.22-asan-buffer-overflow.patch | 52 +++++++++ net-firewall/ipset/ipset-7.22-r1.ebuild | 120 +++++++++++++++++++++ 3 files changed, 208 insertions(+) diff --git a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch new file mode 100644 index 000000000000..07d18303642e --- /dev/null +++ b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch @@ -0,0 +1,36 @@ +https://git.netfilter.org/ipset/commit/?id=851cb04ffee5040f1e0063f77c3fe9bc6245e0fb + +From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001 +From: Phil Sutter <p...@nwl.cc> +Date: Thu, 27 Jun 2024 10:18:17 +0200 +Subject: lib: ipset: Avoid 'argv' array overstepping + +The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv' +array size. The maximum allowed array index is therefore argc-1. + +This fix will leave items in argv non-NULL-terminated, so explicitly +NULL the formerly last entry after shifting. + +Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor +valgrind. Yet adding debug output printing argv entries being copied +did. + +Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5") +Signed-off-by: Phil Sutter <p...@nwl.cc> +Signed-off-by: Jozsef Kadlecsik <kad...@netfilter.org> +--- a/lib/ipset.c ++++ b/lib/ipset.c +@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from) + + assert(*argc >= from + 1); + +- for (i = from + 1; i <= *argc; i++) ++ for (i = from + 1; i < *argc; i++) + argv[i-1] = argv[i]; +- (*argc)--; ++ argv[--(*argc)] = NULL; + return; + } + +-- +cgit v1.2.3 diff --git a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch new file mode 100644 index 000000000000..56d126db5efa --- /dev/null +++ b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch @@ -0,0 +1,52 @@ +https://git.netfilter.org/ipset/commit/?id=f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 + +From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001 +From: Phil Sutter <p...@nwl.cc> +Date: Thu, 27 Jun 2024 10:18:16 +0200 +Subject: lib: data: Fix for global-buffer-overflow warning by ASAN + +After compiling with CFLAGS="-fsanitize=address -g", running the +testsuite triggers the following warning: + +| ipmap: Range: Check syntax error: missing range/from-to: FAILED +| Failed test: ../src/ipset 2>.foo.err -N test ipmap +| ================================================================= +| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8 +| READ of size 32 at 0x55a21e77172a thread T0 +| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899 +| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119 +| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349 +| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819 +| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205 +| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344 +| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38 +| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09) +| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4) +| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040) +| +| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19 +| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO' +| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10 +| '*.LC0' is ascii string 'bitmap:ip' + +Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In +contrast to strncpy(), memcpy() does not respect NUL-chars in input but +stubbornly reads as many bytes as specified. + +Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning") +Signed-off-by: Phil Sutter <p...@nwl.cc> +Signed-off-by: Jozsef Kadlecsik <kad...@netfilter.org> +--- a/lib/data.c ++++ b/lib/data.c +@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len) + assert(dst); + assert(src); + ++ if (strlen(src) < len) ++ len = strlen(src) + 1; ++ + memcpy(dst, src, len); + dst[len - 1] = '\0'; + } +-- +cgit v1.2.3 diff --git a/net-firewall/ipset/ipset-7.22-r1.ebuild b/net-firewall/ipset/ipset-7.22-r1.ebuild new file mode 100644 index 000000000000..bd7d4862f0d3 --- /dev/null +++ b/net-firewall/ipset/ipset-7.22-r1.ebuild @@ -0,0 +1,120 @@ +# Copyright 1999-2024 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +MODULES_OPTIONAL_IUSE=modules +inherit autotools bash-completion-r1 linux-mod-r1 systemd + +DESCRIPTION="IPset tool for iptables, successor to ippool" +HOMEPAGE="https://ipset.netfilter.org/ https://git.netfilter.org/ipset/"; +SRC_URI="https://ipset.netfilter.org/${P}.tar.bz2"; + +LICENSE="GPL-2" +SLOT="0" +KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86" + +RDEPEND=" + net-firewall/iptables + net-libs/libmnl:= +" +DEPEND="${RDEPEND}" +BDEPEND="virtual/pkgconfig" + +DOCS=( ChangeLog INSTALL README UPGRADE ) + +# configurable from outside, e.g. /etc/portage/make.conf +IP_NF_SET_MAX=${IP_NF_SET_MAX:-256} + +PATCHES=( + "${FILESDIR}/${PN}-bash-completion.patch" + "${FILESDIR}/${P}-asan-buffer-overflow.patch" + "${FILESDIR}/${P}-argv-bounds.patch" +) + +src_prepare() { + default + eautoreconf +} + +pkg_setup() { + get_version + CONFIG_CHECK="NETFILTER" + ERROR_NETFILTER="ipset requires NETFILTER support in your kernel." + CONFIG_CHECK+=" NETFILTER_NETLINK" + ERROR_NETFILTER_NETLINK="ipset requires NETFILTER_NETLINK support in your kernel." + # It does still build without NET_NS, but it may be needed in future. + #CONFIG_CHECK="${CONFIG_CHECK} NET_NS" + #ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel." + CONFIG_CHECK+=" !PAX_CONSTIFY_PLUGIN" + ERROR_PAX_CONSTIFY_PLUGIN="ipset contains constified variables (#614896)" + + build_modules=0 + if use modules; then + if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then + if linux_chkconfig_present "IP_NF_SET" || \ + linux_chkconfig_present "IP_SET"; then #274577 + eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel." + eerror "Please either build ipset with modules USE flag disabled" + eerror "or rebuild kernel without IP_SET support and make sure" + eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ." + die "USE=modules and in-kernel ipset support detected." + else + einfo "Modular kernel detected. Gonna build kernel modules..." + build_modules=1 + fi + else + eerror "Nonmodular kernel detected, but USE=modules. Either build" + eerror "modular kernel (without IP_SET) or disable USE=modules" + die "Nonmodular kernel detected, will not build kernel modules" + fi + fi + + [[ ${build_modules} -eq 1 ]] && linux-mod-r1_pkg_setup +} + +src_configure() { + export bashcompdir="$(get_bashcompdir)" + + econf \ + --enable-bashcompl \ + $(use_with modules kmod) \ + --with-maxsets=${IP_NF_SET_MAX} \ + --with-ksource="${KV_DIR}" \ + --with-kbuild="${KV_OUT_DIR}" +} + +src_compile() { + einfo "Building userspace" + + local modlist=( xt_set=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/: + em_ipset=kernel/net/sched:"${S}":kernel/net/sched/:modules ) + + for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,mac,mark,port{,ip,net}},mac,net{,port{,net},iface,net}},_list_set}; do + modlist+=( ${i}=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/ipset ) + done + + emake + + if [[ ${build_modules} -eq 1 ]]; then + einfo "Building kernel modules" + linux-mod-r1_src_compile + fi +} + +src_install() { + einfo "Installing userspace" + default + + find "${ED}" -name '*.la' -delete || die + + newinitd "${FILESDIR}"/ipset.initd-r7 ${PN} + newconfd "${FILESDIR}"/ipset.confd-r1 ${PN} + systemd_newunit "${FILESDIR}"/ipset.systemd-r1 ${PN}.service + keepdir /var/lib/ipset + + if [[ ${build_modules} -eq 1 ]]; then + einfo "Installing kernel modules" + linux-mod-r1_src_install + fi +}
