CVE-2024-57947
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
23/01/2025
Last modified:
06/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

netfilter: nf_set_pipapo: fix initial map fill

The initial buffer has to be inited to all-ones, but it must restrict
it to the size of the first field, not the total field size.

After each round in the map search step, the result and the fill map
are swapped, so if we have a set where f->bsize of the first element
is smaller than m->bsize_max, those one-bits are leaked into future
rounds result map.

This makes pipapo find incorrect matching results for sets where
first field size is not the largest.

Followup patch adds a test case to nft_concat_range.sh selftest script.

Thanks to Stefano Brivio for pointing out that we need to zero out
the remainder explicitly, only correcting memset() argument isn't enough.
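The lookup rounds described above can be reproduced with a small model, added here as an illustration and not taken from the kernel source. The identity rule mapping between fields, the sample buckets and the leftover bits in the scratch map are assumptions of the model; it compares the original fill, a memset() corrected in length only, and the fill that also zeroes the remainder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BSIZE_MAX 2   /* words per map, standing in for m->bsize_max */
#define NFIELDS   3
enum init_mode { INIT_ALL_ONES, INIT_MEMSET_ONLY, INIT_FIXED };
/* Per field: width in words (f->bsize) and the bucket the packet selects. */
struct field { int bsize; uint64_t bucket[BSIZE_MAX]; };
/* Constructed set: rule 0 matches every field; word 1 of field 2 holds unrelated rules. */
static const struct field sample[NFIELDS] = {
    { 1, { 0x1, 0 } }, { 2, { 0x1, 0 } }, { 2, { 0x1, 0x50 } },
};
static void init_res(uint64_t *res, int first_bsize, enum init_mode mode)
{
    if (mode == INIT_ALL_ONES) {   /* pre-fix: ones over the whole map */
        memset(res, 0xff, BSIZE_MAX * sizeof(*res));
        return;
    }
    memset(res, 0xff, first_bsize * sizeof(*res));   /* first field only */
    if (mode == INIT_FIXED)        /* and zero the remainder explicitly */
        memset(res + first_bsize, 0, (BSIZE_MAX - first_bsize) * sizeof(*res));
}

/* Returns word 1 of the final result map; the correct value for `sample` is 0. */
static uint64_t lookup_high_word(const struct field *f, enum init_mode mode)
{
    /* Assumption: the scratch map starts with leftover bits, not zeroes. */
    uint64_t a[BSIZE_MAX] = { 0x0f, 0x30 }, b[BSIZE_MAX] = { 0, 0 };
    uint64_t *res = a, *fill = b, *tmp;
    init_res(res, f[0].bsize, mode);
    for (int i = 0; i < NFIELDS; i++) {
        for (int k = 0; k < f[i].bsize; k++)
            res[k] &= f[i].bucket[k];        /* match against this field */
        if (i == NFIELDS - 1)
            break;                           /* last round: res is the answer */
        for (int k = 0; k < f[i].bsize; k++) {
            fill[k] |= res[k];               /* identity rule mapping (model) */
            res[k] = 0;                      /* processed words are cleared */
        }
        tmp = res; res = fill; fill = tmp;   /* swap result and fill maps */
    }
    return res[1];
}
int main(void)
{
    for (int m = INIT_ALL_ONES; m <= INIT_FIXED; m++)
        printf("mode %d: stale bits 0x%llx\n", m, (unsigned long long)lookup_high_word(sample, (enum init_mode)m));
    return 0;
}
```

Any non-zero value is a rule reported as matching although the first two fields never selected it; only the third mode returns 0.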
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.6 (including) | 5.15.165 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.103 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.44 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.10.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/69b6a67f7052905e928d75a0c5871de50e686986
- https://git.kernel.org/stable/c/77bf0c4ab928ca4c9a99311f4f70ba0c17fecba9
- https://git.kernel.org/stable/c/791a615b7ad2258c560f91852be54b0480837c93
- https://git.kernel.org/stable/c/8058c88ac0df21239daee54b5934d5c80ca9685f
- https://git.kernel.org/stable/c/957a4d1c4c5849e4515c9fb4db21bf85318103dc
- https://git.kernel.org/stable/c/9625c46ce6fd4f922595a4b32b1de5066d70464f



