net-firewall/ipset: backport buffer overflow fixes

This fixes an environment issue we were hitting on infra.

Signed-off-by: Sam James <sam@gentoo.org>

3 files changed, 208 insertions, 0 deletions

diff --git a/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
new file mode 100644
index 000000000000..07d18303642e
--- /dev/null
+++ b/net-firewall/ipset/files/ipset-7.22-argv-bounds.patch
@@ -0,0 +1,36 @@
+https://git.netfilter.org/ipset/commit/?id=851cb04ffee5040f1e0063f77c3fe9bc6245e0fb
+
+From 851cb04ffee5040f1e0063f77c3fe9bc6245e0fb Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 27 Jun 2024 10:18:17 +0200
+Subject: lib: ipset: Avoid 'argv' array overstepping
+
+The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
+array size. The maximum allowed array index is therefore argc-1.
+
+This fix will leave items in argv non-NULL-terminated, so explicitly
+NULL the formerly last entry after shifting.
+
+Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
+valgrind. Yet adding debug output printing argv entries being copied
+did.
+
+Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+--- a/lib/ipset.c
++++ b/lib/ipset.c
+@@ -343,9 +343,9 @@ ipset_shift_argv(int *argc, char *argv[], int from)
+ 
+ 	assert(*argc >= from + 1);
+ 
+-	for (i = from + 1; i <= *argc; i++)
++	for (i = from + 1; i < *argc; i++)
+ 		argv[i-1] = argv[i];
+-	(*argc)--;
++	argv[--(*argc)] = NULL;
+ 	return;
+ }
+ 
+-- 
+cgit v1.2.3
diff --git a/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch
new file mode 100644
index 000000000000..56d126db5efa
--- /dev/null
+++ b/net-firewall/ipset/files/ipset-7.22-asan-buffer-overflow.patch
@@ -0,0 +1,52 @@
+https://git.netfilter.org/ipset/commit/?id=f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9
+
+From f1bcacf5eeb8620ea684524e1ce9c3951a77f1f9 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 27 Jun 2024 10:18:16 +0200
+Subject: lib: data: Fix for global-buffer-overflow warning by ASAN
+
+After compiling with CFLAGS="-fsanitize=address -g", running the
+testsuite triggers the following warning:
+
+| ipmap: Range: Check syntax error: missing range/from-to: FAILED
+| Failed test: ../src/ipset 2>.foo.err -N test ipmap
+| =================================================================
+| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8
+| READ of size 32 at 0x55a21e77172a thread T0
+|     #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
+|     #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119
+|     #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349
+|     #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819
+|     #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205
+|     #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344
+|     #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38
+|     #7 0x7f1ef224cf09  (/lib64/libc.so.6+0x23f09)
+|     #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4)
+|     #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040)
+|
+| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19
+|   '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO'
+| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10
+|   '*.LC0' is ascii string 'bitmap:ip'
+
+Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In
+contrast to strncpy(), memcpy() does not respect NUL-chars in input but
+stubbornly reads as many bytes as specified.
+
+Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+--- a/lib/data.c
++++ b/lib/data.c
+@@ -111,6 +111,9 @@ ipset_strlcpy(char *dst, const char *src, size_t len)
+ 	assert(dst);
+ 	assert(src);
+ 
++	if (strlen(src) < len)
++		len = strlen(src) + 1;
++
+ 	memcpy(dst, src, len);
+ 	dst[len - 1] = '\0';
+ }
+-- 
+cgit v1.2.3
diff --git a/net-firewall/ipset/ipset-7.22-r1.ebuild b/net-firewall/ipset/ipset-7.22-r1.ebuild
new file mode 100644
index 000000000000..bd7d4862f0d3
--- /dev/null
+++ b/net-firewall/ipset/ipset-7.22-r1.ebuild
@@ -0,0 +1,120 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+MODULES_OPTIONAL_IUSE=modules
+inherit autotools bash-completion-r1 linux-mod-r1 systemd
+
+DESCRIPTION="IPset tool for iptables, successor to ippool"
+HOMEPAGE="https://ipset.netfilter.org/ https://git.netfilter.org/ipset/"
+SRC_URI="https://ipset.netfilter.org/${P}.tar.bz2"
+
+LICENSE="GPL-2"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86"
+
+RDEPEND="
+	net-firewall/iptables
+	net-libs/libmnl:=
+"
+DEPEND="${RDEPEND}"
+BDEPEND="virtual/pkgconfig"
+
+DOCS=( ChangeLog INSTALL README UPGRADE )
+
+# configurable from outside, e.g. /etc/portage/make.conf
+IP_NF_SET_MAX=${IP_NF_SET_MAX:-256}
+
+PATCHES=(
+	"${FILESDIR}/${PN}-bash-completion.patch"
+	"${FILESDIR}/${P}-asan-buffer-overflow.patch"
+	"${FILESDIR}/${P}-argv-bounds.patch"
+)
+
+src_prepare() {
+	default
+	eautoreconf
+}
+
+pkg_setup() {
+	get_version
+	CONFIG_CHECK="NETFILTER"
+	ERROR_NETFILTER="ipset requires NETFILTER support in your kernel."
+	CONFIG_CHECK+=" NETFILTER_NETLINK"
+	ERROR_NETFILTER_NETLINK="ipset requires NETFILTER_NETLINK support in your kernel."
+	# It does still build without NET_NS, but it may be needed in future.
+	#CONFIG_CHECK="${CONFIG_CHECK} NET_NS"
+	#ERROR_NET_NS="ipset requires NET_NS (network namespace) support in your kernel."
+	CONFIG_CHECK+=" !PAX_CONSTIFY_PLUGIN"
+	ERROR_PAX_CONSTIFY_PLUGIN="ipset contains constified variables (#614896)"
+
+	build_modules=0
+	if use modules; then
+		if linux_config_src_exists && linux_chkconfig_builtin "MODULES" ; then
+			if linux_chkconfig_present "IP_NF_SET" || \
+				linux_chkconfig_present "IP_SET"; then #274577
+				eerror "There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel."
+				eerror "Please either build ipset with modules USE flag disabled"
+				eerror "or rebuild kernel without IP_SET support and make sure"
+				eerror "there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... ."
+				die "USE=modules and in-kernel ipset support detected."
+			else
+				einfo "Modular kernel detected. Gonna build kernel modules..."
+				build_modules=1
+			fi
+		else
+			eerror "Nonmodular kernel detected, but USE=modules. Either build"
+			eerror "modular kernel (without IP_SET) or disable USE=modules"
+			die "Nonmodular kernel detected, will not build kernel modules"
+		fi
+	fi
+
+	[[ ${build_modules} -eq 1 ]] && linux-mod-r1_pkg_setup
+}
+
+src_configure() {
+	export bashcompdir="$(get_bashcompdir)"
+
+	econf \
+		--enable-bashcompl \
+		$(use_with modules kmod) \
+		--with-maxsets=${IP_NF_SET_MAX} \
+		--with-ksource="${KV_DIR}" \
+		--with-kbuild="${KV_OUT_DIR}"
+}
+
+src_compile() {
+	einfo "Building userspace"
+
+	local modlist=( xt_set=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/:
+					em_ipset=kernel/net/sched:"${S}":kernel/net/sched/:modules )
+
+	for i in ip_set{,_bitmap_{ip{,mac},port},_hash_{ip{,mac,mark,port{,ip,net}},mac,net{,port{,net},iface,net}},_list_set}; do
+		modlist+=( ${i}=kernel/net/netfilter/ipset/:"${S}":kernel/net/netfilter/ipset )
+	done
+
+	emake
+
+	if [[ ${build_modules} -eq 1 ]]; then
+		einfo "Building kernel modules"
+		linux-mod-r1_src_compile
+	fi
+}
+
+src_install() {
+	einfo "Installing userspace"
+	default
+
+	find "${ED}" -name '*.la' -delete || die
+
+	newinitd "${FILESDIR}"/ipset.initd-r7 ${PN}
+	newconfd "${FILESDIR}"/ipset.confd-r1 ${PN}
+	systemd_newunit "${FILESDIR}"/ipset.systemd-r1 ${PN}.service
+	keepdir /var/lib/ipset
+
+	if [[ ${build_modules} -eq 1 ]]; then
+		einfo "Installing kernel modules"
+		linux-mod-r1_src_install
+	fi
+}