Inconsistency about backports to stable series for 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.")?
Hi Pablo,
While checking netfilter backports to the stable series, I noticed that 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") was backported in various series for stable, and included in 4.14.316, 4.19.284, 5.4.244, 5.15.32, 5.16.18, 5.17.1, where the original fix was in 5.18-rc1.
While the commit has
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
the 6e1acfa387b9 change got not backported to the 5.10.y series.
The backports to the other series are
https://lore.kernel.org/stable/20230516151606.4892-1-pablo@netfilter.org/ https://lore.kernel.org/stable/20230516150613.4566-1-pablo@netfilter.org/ https://lore.kernel.org/stable/20230516144435.4010-1-pablo@netfilter.org/
Pablo, was this an oversight and can the change as well be applied to 5.10.y?
From looking at the 5.4.y series, from the stable dependencies, 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()") is missing in 5.10.y, then 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") can be applied (almost, the comment needs to be dropped, as done in the backports).
I'm right now not understanding what I'm missing that it was for 5.4.y but not 5.10.y after the report of the failed apply by Greg.
At least the two attached bring 5.10.y inline with 5.4.y up to 4) from https://lore.kernel.org/stable/20230516144435.4010-1-pablo@netfilter.org/ but I'm unsure if you want/need as well the remaining 5), 6), 7), 8) and 9).
Regards, Salvatore
Hi,
On Sun, Jun 25, 2023 at 05:08:32PM +0200, Salvatore Bonaccorso wrote:
Hi Pablo,
While checking netfilter backports to the stable series, I noticed that 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") was backported in various series for stable, and included in 4.14.316, 4.19.284, 5.4.244, 5.15.32, 5.16.18, 5.17.1, where the original fix was in 5.18-rc1.
While the commit has
Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
the 6e1acfa387b9 change got not backported to the 5.10.y series.
The backports to the other series are
https://lore.kernel.org/stable/20230516151606.4892-1-pablo@netfilter.org/ https://lore.kernel.org/stable/20230516150613.4566-1-pablo@netfilter.org/ https://lore.kernel.org/stable/20230516144435.4010-1-pablo@netfilter.org/
Pablo, was this an oversight and can the change as well be applied to 5.10.y?
From looking at the 5.4.y series, from the stable dependencies, 08a01c11a5bb ("netfilter: nftables: statify nft_parse_register()") is missing in 5.10.y, then 6e1acfa387b9 ("netfilter: nf_tables: validate registers coming from userspace.") can be applied (almost, the comment needs to be dropped, as done in the backports).
I'm right now not understanding what I'm missing that it was for 5.4.y but not 5.10.y after the report of the failed apply by Greg.
At least the two attached bring 5.10.y inline with 5.4.y up to 4) from https://lore.kernel.org/stable/20230516144435.4010-1-pablo@netfilter.org/ but I'm unsure if you want/need as well the remaining 5), 6), 7), 8) and 9).
Let me take a look, I can prepare a batch for 5.10.y based on 5.4.y as you suggest. I'll keep you on Cc.
linux-stable-mirror@lists.linaro.org
-
Pablo Neira Ayuso -
Salvatore Bonaccorso