Ubuntu
linux-bluefield package

Fix ct_state nat matching and nat action not being executed

Bug #1957807 reported by Bodong Wang on 2022-01-13

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux-bluefield (Ubuntu)	Invalid	Undecided	Unassigned
	Focal	Fix Released	Undecided	Unassigned

Bug Description

* Explain the bug

Netfilter conntrack maintains NAT flags per connection indicating
whether NAT was configured for the connection. Openvswitch maintains
NAT flags on the per packet flow key ct_state field, indicating
whether NAT was actually executed on the packet.

When a packet misses from tc to ovs the conntrack NAT flags are set.
However, NAT was not necessarily executed on the packet because the
connection's state might still be in NEW state. As such, openvswitch
wrongly assumes that NAT was executed and sets an incorrect flow key
NAT flags.

This can lead to incorrect matching on ct_state nat flags, and nat not being executed
by ovs.

* How to test

Create OVS bridge (br-ovs below) with 2 devices $dev1, $dev2 (can be any devices), with hw offload enabled.
Configure NAT connection tracking OpenFlow rules which would only be partially offloaded to tc/hw
because of dp_hash/hash (groups in openflow) not being offloaded, so we would have misses from tc to ovs:

    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs arp,actions=normal
    ovs-ofctl -O OpenFlow12 add-group ovs-br \
         'group_id=2,type=select,bucket=ct(table=4,zone=5,nat(src=1.1.1.128),commit)'

#rules
ovs-ofctl del-flows ovs-br

ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"
ovs-ofctl add-flow ovs-br "table=0, ip, nw_src=1.1.1.1 actions=ct(zone=5,table=1,nat)"

ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"

ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.128 actions=2" #good flow
ovs-ofctl add-flow ovs-br "table=4, ip, nw_src=1.1.1.1 actions=drop" #bad flow

Run single sided UDP traffic from $dev1 to $dev2, and observe source nat not being done,
and hit of drop rule in table=4.

With the fix, the src nat will be done, and table=4 rule which matches new ip (128) will be hit.

* What it could break.

CVE References

Luke Nowakowski-Krijger (lukenow) on 2022-02-09

Changed in linux-bluefield (Ubuntu):
status:	New → Fix Committed

Kleber Sacilotto de Souza (kleber-souza) on 2022-02-10

Changed in linux-bluefield (Ubuntu Focal):
status:	New → Fix Committed
Changed in linux-bluefield (Ubuntu):
status:	Fix Committed → Invalid

Revision history for this message

Launchpad Janitor (janitor) wrote on 2022-02-22:

Download full text (17.9 KiB)

This bug was fixed in the package linux-bluefield - 5.4.0-1028.31

---------------
linux-bluefield (5.4.0-1028.31) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1028.31 -proposed tracker (LP: #1959252)

  * Support CIFS for CUDA (LP: #1958299)
    - [Config] bluefield: CONFIG_CIFS=m
    - [Config] bluefield: Additional config options for CIFS

  * Fix ct_state nat matching and nat action not being executed (LP: #1957807)
    - net: zero-initialize tc skb extension on allocation
    - net/sched: Extend qdisc control block with tc control block
    - net/sched: flow_dissector: Fix matching on zone id for invalid conns
    - net: openvswitch: Fix matching zone id for invalid conns arriving from tc
    - net: openvswitch: Fix ct_state nat flags for conns arriving from tc

* Fix sprintf usage that may lead to buffer overflow (LP: #1959119)
- SAUCE: Fix references to sprintf that may cause buffer overflow

[ Ubuntu: 5.4.0-100.113 ]

This bug was fixed in the package linux-bluefield - 5.4.0-1028.31

---------------
linux-bluefield (5.4.0-1028.31) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1028.31 -proposed tracker (LP: #1959252)

* Support CIFS for CUDA (LP: #1958299)
    - [Config] bluefield: CONFIG_CIFS=m
    - [Config] bluefield: Additional config options for CIFS

* Fix ct_state nat matching and nat action not being executed  (LP: #1957807)
    - net: zero-initialize tc skb extension on allocation
    - net/sched: Extend qdisc control block with tc control block
    - net/sched: flow_dissector: Fix matching on zone id for invalid conns
    - net: openvswitch: Fix matching zone id for invalid conns arriving from tc
    - net: openvswitch: Fix ct_state nat flags for conns arriving from tc

* Fix sprintf usage that may lead to buffer overflow (LP: #1959119)
    - SAUCE: Fix references to sprintf that may cause buffer overflow

[ Ubuntu: 5.4.0-100.113 ]

* focal/linux: 5.4.0-100.113 -proposed tracker (LP: #1959900)
  * CVE-2022-22942
    - SAUCE: drm/vmwgfx: Fix stale file descriptors on failed usercopy
  * CVE-2022-0330
    - drm/i915: Flush TLBs before releasing backing store
  * Focal update: v5.4.166 upstream stable release (LP: #1957008)
    - netfilter: selftest: conntrack_vrf.sh: fix file permission
    - Linux 5.4.166
    - net/packet: rx_owner_map depends on pg_vec
    - USB: gadget: bRequestType is a bitfield, not a enum
    - HID: holtek: fix mouse probing
    - udp: using datalen to cap ipv6 udp max gso segments
    - selftests: Calculate udpgso segment count without header adjustment
  * Focal update: v5.4.165 upstream stable release (LP: #1957007)
    - serial: tegra: Change lower tolerance baud rate limit for tegra20 and
      tegra30
    - ntfs: fix ntfs_test_inode and ntfs_init_locked_inode function type
    - HID: quirks: Add quirk for the Microsoft Surface 3 type-cover
    - HID: google: add eel USB id
    - HID: add hid_is_usb() function to make it simpler for USB detection
    - HID: add USB_HID dependancy to hid-prodikeys
    - HID: add USB_HID dependancy to hid-chicony
    - HID: add USB_HID dependancy on some USB HID drivers
    - HID: bigbenff: prevent null pointer dereference
    - HID: wacom: fix problems when device is not a valid USB device
    - HID: check for valid USB device for many HID drivers
    - can: kvaser_usb: get CAN clock frequency from device
    - can: kvaser_pciefd: kvaser_pciefd_rx_error_frame(): increase correct
      stats->{rx,tx}_errors counter
    - can: sja1000: fix use after free in ems_pcmcia_add_card()
    - nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
    - selftests: netfilter: add a vrf+conntrack testcase
    - vrf: don't run conntrack on vrf with !dflt qdisc
    - bpf: Fix the off-by-two error in range markings
    - ice: ignore dropped packets during init
    - bonding: make tx_rebalance_counter an atomic
    - nfp: Fix memory leak in nfp_cpp_area_cache_add()
    - seg6: fix the iif in the IPv6 socket control block
    - udp: using datalen to cap max gso segments
    - iavf: restore MSI state on reset
    - iavf: Fix reporting when setting descriptor count
    - IB/hfi1: Correct guard on eager buffer deallocation
    - mm: bdi: initialize bdi_min_ratio when bdi is unregistered
    - ALSA: ctl: Fix copy of updated id with element read/write
    - ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
    - ALSA: pcm: oss: Fix negative period/buffer sizes
    - ALSA: pcm: oss: Limit the period size to 16MB
    - ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
    - btrfs: clear extent buffer uptodate when we fail to write it
    - btrfs: replace the BUG_ON in btrfs_del_root_ref with proper error handling
    - nfsd: Fix nsfd startup race (again)
    - tracefs: Have new files inherit the ownership of their parent
    - clk: qcom: regmap-mux: fix parent clock lookup
    - drm/syncobj: Deal with signalled fences in drm_syncobj_find_fence.
    - can: pch_can: pch_can_rx_normal: fix use after free
    - can: m_can: Disable and ignore ELO interrupt
    - x86/sme: Explicitly map new EFI memmap table as encrypted
    - libata: add horkage for ASMedia 1092
    - wait: add wake_up_pollfree()
    - SAUCE: binder: export __wake_up_pollfree for binder module
    - binder: use wake_up_pollfree()
    - signalfd: use wake_up_pollfree()
    - aio: keep poll requests on waitqueue until completed
    - aio: fix use-after-free due to missing POLLFREE handling
    - tracefs: Set all files to the same group ownership as the mount option
    - block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
    - qede: validate non LSO skb length
    - ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer
    - i40e: Fix failed opcode appearing if handling messages from VF
    - i40e: Fix pre-set max number of queues for VF
    - mtd: rawnand: fsmc: Take instruction delay into account
    - mtd: rawnand: fsmc: Fix timing computation
    - dt-bindings: net: Reintroduce PHY no lane swap binding
    - tools build: Remove needless libpython-version feature check that breaks
      test-all fast path
    - net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
    - net: altera: set a couple error code in probe()
    - net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
    - net, neigh: clear whole pneigh_entry at alloc time
    - net/qla3xxx: fix an error code in ql_adapter_up()
    - Revert "UBUNTU: SAUCE: selftests: fib_tests: assign address to dummy1 for
      rp_filter tests"
    - selftests/fib_tests: Rework fib_rp_filter_test()
    - USB: gadget: detect too-big endpoint 0 requests
    - USB: gadget: zero allocate endpoint 0 buffers
    - usb: core: config: fix validation of wMaxPacketValue entries
    - xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime
      suspending
    - usb: core: config: using bit mask instead of individual bits
    - xhci: avoid race between disable slot command and host runtime suspend
    - iio: trigger: Fix reference counting
    - iio: trigger: stm32-timer: fix MODULE_ALIAS
    - iio: stk3310: Don't return error code in interrupt handler
    - iio: mma8452: Fix trigger reference couting
    - iio: ltr501: Don't return error code in trigger handler
    - iio: kxsd9: Don't return error code in trigger handler
    - iio: itg3200: Call iio_trigger_notify_done() on error
    - iio: dln2-adc: Fix lockdep complaint
    - iio: dln2: Check return value of devm_iio_trigger_register()
    - iio: at91-sama5d2: Fix incorrect sign extension
    - iio: adc: axp20x_adc: fix charging current reporting on AXP22x
    - iio: ad7768-1: Call iio_trigger_notify_done() on error
    - iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
    - irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc()
    - irqchip/armada-370-xp: Fix support for Multi-MSI interrupts
    - irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
    - irqchip: nvic: Fix offset for Interrupt Priority Offsets
    - misc: fastrpc: fix improper packet size calculation
    - bpf: Add selftests to cover packet access corner cases
    - Linux 5.4.165
  * Focal update: v5.4.164 upstream stable release (LP: #1956381)
    - NFSv42: Fix pagecache invalidation after COPY/CLONE
    - of: clk: Make <linux/of_clk.h> self-contained
    - arm64: dts: mcbin: support 2W SFP modules
    - can: j1939: j1939_tp_cmd_recv(): check the dst address of TP.CM_BAM
    - gfs2: Fix length of holes reported at end-of-file
    - drm/sun4i: fix unmet dependency on RESET_CONTROLLER for PHY_SUN6I_MIPI_DPHY
    - mac80211: do not access the IV when it was stripped
    - net/smc: Transfer remaining wait queue entries during fallback
    - atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait
    - net: return correct error code
    - platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
    - s390/setup: avoid using memblock_enforce_memory_limit
    - btrfs: check-integrity: fix a warning on write caching disabled disk
    - thermal: core: Reset previous low and high trip during thermal zone init
    - scsi: iscsi: Unblock session then wake up error handler
    - ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile
    - ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in
      hns_dsaf_ge_srst_by_port()
    - net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of
      bound
    - net: ethernet: dec: tulip: de4x5: fix possible array overflows in
      type3_infoblock()
    - perf hist: Fix memory leak of a perf_hpp_fmt
    - perf report: Fix memory leaks around perf_tip()
    - net/smc: Avoid warning of possible recursive locking
    - vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit
    - kprobes: Limit max data_size of the kretprobe instances
    - rt2x00: do not mark device gone on EPROTO errors during start
    - cpufreq: Fix get_cpu_device() failure in add_cpu_dev_symlink()
    - s390/pci: move pseudo-MMIO to prevent MIO overlap
    - sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
    - sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
    - i2c: stm32f7: flush TX FIFO upon transfer errors
    - i2c: stm32f7: recover the bus on access timeout
    - i2c: stm32f7: stop dma transfer in case of NACK
    - i2c: cbus-gpio: set atomic transfer callback
    - natsemi: xtensa: fix section mismatch warnings
    - net: qlogic: qlcnic: Fix a NULL pointer dereference in
      qlcnic_83xx_add_rings()
    - net: mpls: Fix notifications when deleting a device
    - siphash: use _unaligned version by default
    - net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources()
    - selftests: net: Correct case name
    - rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer()
    - net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ
      is available
    - net: marvell: mvpp2: Fix the computation of shared CPUs
    - net: annotate data-races on txq->xmit_lock_owner
    - ipv4: convert fib_num_tclassid_users to atomic_t
    - net/rds: correct socket tunable error in rds_tcp_tune()
    - net/smc: Keep smc_close_final rc during active close
    - drm/msm: Do hw_init() before capturing GPU state
    - ipv6: fix memory leak in fib6_rule_suppress
    - KVM: x86/pmu: Fix reserved bits for AMD PerfEvtSeln register
    - sched/uclamp: Fix rq->uclamp_max not set on first enqueue
    - parisc: Fix KBUILD_IMAGE for self-extracting kernel
    - parisc: Fix "make install" on newer debian releases
    - vgacon: Propagate console boot parameters before calling `vc_resize'
    - xhci: Fix commad ring abort, write all 64 bits to CRCR register.
    - USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub
    - usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect
    - x86/tsc: Add a timer to make sure TSC_adjust is always checked
    - x86/tsc: Disable clocksource watchdog for TSC on qualified platorms
    - x86/64/mm: Map all kernel memory into trampoline_pgd
    - tty: serial: msm_serial: Deactivate RX DMA for polling support
    - serial: pl011: Add ACPI SBSA UART match id
    - serial: core: fix transmit-buffer reset and memleak
    - serial: 8250_pci: Fix ACCES entries in pci_serial_quirks array
    - serial: 8250_pci: rewrite pericom_do_set_divisor()
    - iwlwifi: mvm: retry init flow if failed
    - parisc: Mark cr16 CPU clocksource unstable on all SMP machines
    - net/tls: Fix authentication failure in CCM mode
    - Linux 5.4.164
  * Focal update: v5.4.163 upstream stable release (LP: #1956380)
    - USB: serial: option: add Telit LE910S1 0x9200 composition
    - USB: serial: option: add Fibocom FM101-GL variants
    - usb: dwc2: gadget: Fix ISOC flow for elapsed frames
    - usb: dwc2: hcd_queue: Fix use of floating point literal
    - net: nexthop: fix null pointer dereference when IPv6 is not enabled
    - usb: typec: fusb302: Fix masking of comparator and bc_lvl interrupts
    - usb: hub: Fix usb enumeration issue due to address0 race
    - usb: hub: Fix locking issues with address0_mutex
    - binder: fix test regression due to sender_euid change
    - ALSA: ctxfi: Fix out-of-range access
    - media: cec: copy sequence field for the reply
    - HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts
    - staging/fbtft: Fix backlight
    - staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
    - xen: don't continue xenstore initialization in case of errors
    - xen: detect uninitialized xenbus in xenbus_init
    - KVM: PPC: Book3S HV: Prevent POWER7/8 TLB flush flushing SLB
    - tracing/uprobe: Fix uprobe_perf_open probes iteration
    - tracing: Fix pid filtering when triggers are attached
    - mmc: sdhci: Fix ADMA for PAGE_SIZE >= 64KiB
    - mdio: aspeed: Fix "Link is Down" issue
    - PCI: aardvark: Deduplicate code in advk_pcie_rd_conf()
    - PCI: aardvark: Wait for endpoint to be ready before training link
    - PCI: aardvark: Fix big endian support
    - PCI: aardvark: Train link immediately after enabling training
    - PCI: aardvark: Improve link training
    - PCI: aardvark: Issue PERST via GPIO
    - PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros
    - PCI: aardvark: Don't touch PCIe registers if no card connected
    - PCI: aardvark: Fix compilation on s390
    - PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link()
    - PCI: aardvark: Update comment about disabling link training
    - PCI: pci-bridge-emul: Fix array overruns, improve safety
    - PCI: aardvark: Configure PCIe resources from 'ranges' DT property
    - PCI: aardvark: Fix PCIe Max Payload Size setting
    - PCI: aardvark: Implement re-issuing config requests on CRS response
    - PCI: aardvark: Simplify initialization of rootcap on virtual bridge
    - PCI: aardvark: Fix link training
    - PCI: aardvark: Fix support for bus mastering and PCI_COMMAND on emulated
      bridge
    - PCI: aardvark: Set PCI Bridge Class Code to PCI Bridge
    - PCI: aardvark: Fix support for PCI_BRIDGE_CTL_BUS_RESET on emulated bridge
    - pinctrl: armada-37xx: Correct PWM pins definitions
    - arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function
    - proc/vmcore: fix clearing user buffer by properly using clear_user()
    - netfilter: ipvs: Fix reuse connection if RS weight is 0
    - ARM: dts: BCM5301X: Fix I2C controller interrupt
    - ARM: dts: BCM5301X: Add interrupt properties to GPIO node
    - ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer
    - ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
    - net: ieee802154: handle iftypes as u32
    - firmware: arm_scmi: pm: Propagate return value to caller
    - NFSv42: Don't fail clone() unless the OP_CLONE operation failed
    - ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
    - scsi: mpt3sas: Fix kernel panic during drive powercycle test
    - drm/vc4: fix error code in vc4_create_object()
    - iavf: Prevent changing static ITR values if adaptive moderation is on
    - ipv6: fix typos in __ip6_finish_output()
    - nfp: checking parameter process for rx-usecs/tx-usecs is invalid
    - net: ipv6: add fib6_nh_release_dsts stub
    - net: nexthop: release IPv6 per-cpu dsts when replacing a nexthop group
    - scsi: core: sysfs: Fix setting device state to SDEV_RUNNING
    - net/smc: Ensure the active closing peer first closes clcsock
    - nvmet-tcp: fix incomplete data digest send
    - net/ncsi : Add payload to be 32-bit aligned to fix dropped packets
    - PM: hibernate: use correct mode for swsusp_close()
    - tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited
      flows
    - nvmet: use IOCB_NOWAIT only if the filesystem supports it
    - igb: fix netpoll exit with traffic
    - MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48
    - net: vlan: fix underflow for the real_dev refcnt
    - net/smc: Don't call clcsock shutdown twice when smc shutdown
    - net: hns3: fix VF RSS failed problem after PF enable multi-TCs
    - net: mscc: ocelot: don't downgrade timestamping RX filters in SIOCSHWTSTAMP
    - net: mscc: ocelot: correctly report the timestamping RX filters in ethtool
    - f2fs: set SBI_NEED_FSCK flag when inconsistent node block found
    - smb3: do not error on fsync when readonly
    - vhost/vsock: fix incorrect used length reported to the guest
    - tracing: Check pid filtering when creating events
    - s390/mm: validate VMA in PGSTE manipulation functions
    - shm: extend forced shm destroy to support objects from several IPC nses
    - NFC: add NCI_UNREG flag to eliminate the race
    - fuse: release pipe buf after last use
    - xen: sync include/xen/interface/io/ring.h with Xen's newest version
    - xen/blkfront: read response from backend only once
    - xen/blkfront: don't take local copy of a request from the ring page
    - xen/blkfront: don't trust the backend response data blindly
    - xen/netfront: read response from backend only once
    - xen/netfront: don't read data from request on the ring page
    - xen/netfront: disentangle tx_skb_freelist
    - xen/netfront: don't trust the backend response data blindly
    - tty: hvc: replace BUG_ON() with negative return value
    - Linux 5.4.163
  * net/mlx5e: EPERM on vlan 0 programming (LP: #1957753)
    - net/mlx5e: Unblock setting vid 0 for VF in case PF isn't eswitch manager
  * CVE-2021-4083
    - fget: check that the fd still exists after getting a ref to it
  * CVE-2021-4155
    - xfs: map unwritten blocks in XFS_IOC_{ALLOC, FREE}SP just like fallocate

linux-bluefield (5.4.0-1027.30) focal; urgency=medium

* focal/linux-bluefield: 5.4.0-1027.30 -proposed tracker (LP: #1959791)

[ Ubuntu: 5.4.0-99.112 ]

* focal/linux: 5.4.0-99.112 -proposed tracker (LP: #1959817)
  * linux-image-5.4.0-97.110 freezes by accessing cifs shares (LP: #1959665)
    - Revert "cifs: To match file servers, make sure the server hostname matches"
    - Revert "cifs: set a minimum of 120s for next dns resolution"
    - Revert "cifs: use the expiry output of dns_query to schedule next
      resolution"

-- Zachary Tahenakos <zachary.tahenakos@canonical.com>  Wed, 09 Feb 2022 11:03:47 -0500

Changed in linux-bluefield (Ubuntu Focal):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux-bluefield package