)]}'
{
  "commit": "4d94631ff24e72fec6db447ec08d6444ed96b97d",
  "tree": "3a5c8891244b5b581d6e356a45c84331a538dfa3",
  "parents": [
    "947546a391fd580b4d45cc5234ba790268595a43"
  ],
  "author": {
    "name": "Florian Westphal",
    "email": "fw@strlen.de",
    "time": "Mon Oct 07 11:28:16 2024 +0200"
  },
  "committer": {
    "name": "Arnav Kansal",
    "email": "rnv@google.com",
    "time": "Thu Nov 07 01:08:56 2024 +0000"
  },
  "message": "netfilter: xtables: avoid NFPROTO_UNSPEC where needed\n\n[ Upstream commit 0bfcb7b71e735560077a42847f69597ec7dcc326 ]\n\nsyzbot managed to call xt_cluster match via ebtables:\n\n WARNING: CPU: 0 PID: 11 at net/netfilter/xt_cluster.c:72 xt_cluster_mt+0x196/0x780\n [..]\n ebt_do_table+0x174b/0x2a40\n\nModule registers to NFPROTO_UNSPEC, but it assumes ipv4/ipv6 packet\nprocessing.  As this is only useful to restrict locally terminating\nTCP/UDP traffic, register this for ipv4 and ipv6 family only.\n\nPablo points out that this is a general issue, direct users of the\nset/getsockopt interface can call into targets/matches that were only\nintended for use with ip(6)tables.\n\nCheck all UNSPEC matches and targets for similar issues:\n\n- matches and targets are fine except if they assume skb_network_header()\n  is valid -- this is only true when called from inet layer: ip(6) stack\n  pulls the ip/ipv6 header into linear data area.\n- targets that return XT_CONTINUE or other xtables verdicts must be\n  restricted too, they are incompatible with the ebtables traverser, e.g.\n  EBT_CONTINUE is a completely different value than XT_CONTINUE.\n\nMost matches/targets are changed to register for NFPROTO_IPV4/IPV6, as\nthey are provided for use by ip(6)tables.\n\nThe MARK target is also used by arptables, so register for NFPROTO_ARP too.\n\nWhile at it, bail out if connbytes fails to enable the corresponding\nconntrack family.\n\nThis change passes the selftests in iptables.git.\n\nBUG\u003db/375751675\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2024-50038 in the Linux kernel.\n\ncos-patch: security-moderate\nReported-by: syzbot+256c348558aa5cf611a9@syzkaller.appspotmail.com\nCloses: https://lore.kernel.org/netfilter-devel/66fec2e2.050a0220.9ec68.0047.GAE@google.com/\nFixes: 0269ea493734 (\"netfilter: xtables: add cluster match\")\nChange-Id: I5534747789d3c55904ea6c063698ad752e28c52c\nSigned-off-by: Florian Westphal \u003cfw@strlen.de\u003e\nCo-developed-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/84557\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\nReviewed-by: Kevin Berry \u003ckpberry@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c8a639f561684107cdab4332b6c3aff30e81fdb1",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_CHECKSUM.c",
      "new_id": "9d99f5a3d1764bd84e3e04d2aca739840b0b51da",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_CHECKSUM.c"
    },
    {
      "type": "modify",
      "old_id": "0accac98dea784d48d764794b872669019721dfb",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_CLASSIFY.c",
      "new_id": "0ae8d8a1216e1921c6e8bfa91cd6a8246c48f337",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_CLASSIFY.c"
    },
    {
      "type": "modify",
      "old_id": "76acecf3e757a0fe4687f06ea2781661defac396",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_CONNSECMARK.c",
      "new_id": "1494b3ee30e11e46b7abc5761c44a787c9dfd7bc",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_CONNSECMARK.c"
    },
    {
      "type": "modify",
      "old_id": "2be2f7a7b60f4ec1d5bd5dfa4fc3a656825321ef",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_CT.c",
      "new_id": "3ba94c34297cf5e24bfd7bcbce6b6977bd7204c2",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_CT.c"
    },
    {
      "type": "modify",
      "old_id": "0f8bb0bf558f97a304860133bf781003005fa028",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_IDLETIMER.c",
      "new_id": "3f6a9770f74bad190500334a8183a9756d4b7587",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_IDLETIMER.c"
    },
    {
      "type": "modify",
      "old_id": "0371c387b0d1fa1a99ef58cc0ca13ffacfc64561",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_LED.c",
      "new_id": "211bfa2a2ac04233631024e9a65ff0b8072ac19b",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_LED.c"
    },
    {
      "type": "modify",
      "old_id": "e660c3710a10968909b98b5236536996cbb8462b",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_NFLOG.c",
      "new_id": "d80abd6ccaf8f71fa70605fef7edada827a19ceb",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_NFLOG.c"
    },
    {
      "type": "modify",
      "old_id": "80f6624e23554b30090b4a86b763ad279f5e44ac",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_RATEEST.c",
      "new_id": "4f49cfc27831204b3ce05b6fa1fd724b9ce86e2f",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_RATEEST.c"
    },
    {
      "type": "modify",
      "old_id": "498a0bf6f0444a80dd88f05299bf0a7b505dd587",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_SECMARK.c",
      "new_id": "5bc5ea505eb9e02e95d1175e8f2094f2cd5ea3b8",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_SECMARK.c"
    },
    {
      "type": "modify",
      "old_id": "5582dce98cae7d0796988d30e4b4e8e6832d6452",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_TRACE.c",
      "new_id": "f3fa4f11348cd8ad796ce94f012cd48aa7a9020f",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_TRACE.c"
    },
    {
      "type": "modify",
      "old_id": "e9b2181e8c425f24ab580ad6ff6856b8e7fd98f3",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_addrtype.c",
      "new_id": "a7708894310716f154d6c66da5ce30a909d509eb",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_addrtype.c"
    },
    {
      "type": "modify",
      "old_id": "a047a545371e18cbfa17a182ec3457a4ade2fd75",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_cluster.c",
      "new_id": "908fd5f2c3c84814a35390cd96e53a43e3759468",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_cluster.c"
    },
    {
      "type": "modify",
      "old_id": "93cb018c3055f8fb660a2558fd86cac07285d47b",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_connbytes.c",
      "new_id": "2aabdcea8707236244984357c0d079acc5ffcb39",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_connbytes.c"
    },
    {
      "type": "modify",
      "old_id": "5d04ef80a61dcf65d06a263e486fe7bb4060938f",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_connlimit.c",
      "new_id": "d1d0fa6c8061e9c9895e84746c5616934de78373",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_connlimit.c"
    },
    {
      "type": "modify",
      "old_id": "ad3c033db64e70dd642a63e9b48914fc0ac12cb9",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_connmark.c",
      "new_id": "4277084de2e70c995f49cadd411cab70473b3ad9",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_connmark.c"
    },
    {
      "type": "modify",
      "old_id": "1ad74b5920b533abb1a1814b1fd0c86511433022",
      "old_mode": 33188,
      "old_path": "net/netfilter/xt_mark.c",
      "new_id": "f76fe04fc9a4e19f18ac323349ba6f22a00eafd7",
      "new_mode": 33188,
      "new_path": "net/netfilter/xt_mark.c"
    }
  ]
}
