APPLIED: [SRU B/F/J/HWE-5.17] netfilter: nf_queue: do not allow packet truncation below transport header offset

Stefan Bader stefan.bader at canonical.com
Mon Aug 22 15:29:19 UTC 2022


On 16.08.22 10:53, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw at strlen.de>
> 
> Domingo Dirutigliano and Nicola Guerrera report kernel panic when
> sending nf_queue verdict with 1-byte nfta_payload attribute.
> 
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
> 
> If user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
> 
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1 at proton.me>
> Signed-off-by: Florian Westphal <fw at strlen.de>
> Reviewed-by: Pablo Neira Ayuso <pablo at netfilter.org>
> (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
> CVE-2022-36946
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---

Applied to jammy,focal,bionic:linux/master-next and 
jammy:linux-hwe-5.17/hwe-5.17-next. Thanks.

-Stefan

>   net/netfilter/nfnetlink_queue.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 28efb8393591..9a82f3fc50da 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
>   }
>   
>   static int
> -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
> +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
>   {
>   	struct sk_buff *nskb;
>   
>   	if (diff < 0) {
> +		unsigned int min_len = skb_transport_offset(e->skb);
> +
> +		if (data_len < min_len)
> +			return -EINVAL;
> +
>   		if (pskb_trim(e->skb, data_len))
>   			return -ENOMEM;
>   	} else if (diff > 0) {
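Review bot: the floor check `if (data_len < min_len)` is correctly scoped to the `diff < 0` branch, the only path that reaches `pskb_trim()`, so a verdict whose payload is shorter than the transport header offset now fails with -EINVAL instead of leaving an skb that the later IP(v6) header pull truncates to a negative length. Two points worth raising: `min_len` is assigned from `skb_transport_offset()`, which returns a signed `int`, so the conversion to `unsigned int` is implicit and deserves a one-line comment above `min_len` stating why the transport offset is the lower bound (the commit message explains it, the code does not); and the prototype change to `unsigned int data_len` affects callers outside this hunk, which should be checked to pass a matching unsigned length so the comparison does not silently wrap.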
