APPLIED: [SRU Mantic] netfilter: nftables: exthdr: fix 4-byte stack OOB write
Stefan Bader
stefan.bader at canonical.com
Fri Sep 29 11:01:46 UTC 2023
On 14.09.23 21:06, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw at strlen.de>
>
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
>
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
>
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
>
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
>
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw at strlen.de>
> (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36)
> CVE-2023-4881
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
> ---
Applied to mantic:linux/master-next. Thanks.
-Stefan
> net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
> 1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7f856ceb3a66..da8c14f71ddd 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
> return opt[offset + 1];
> }
>
> +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
> +{
> + if (len % NFT_REG32_SIZE)
> + dest[len / NFT_REG32_SIZE] = 0;
> +
> + return skb_copy_bits(skb, offset, dest, len);
> +}
> +
> static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
> struct nft_regs *regs,
> const struct nft_pktinfo *pkt)
> @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
> }
> offset += priv->offset;
>
> - dest[priv->len / NFT_REG32_SIZE] = 0;
> - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
> goto err;
> return;
> err:
> @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
> }
> offset += priv->offset;
>
> - dest[priv->len / NFT_REG32_SIZE] = 0;
> - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
> goto err;
> return;
> err:
> @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
> if (priv->flags & NFT_EXTHDR_F_PRESENT) {
> *dest = 1;
> } else {
> - dest[priv->len / NFT_REG32_SIZE] = 0;
> + if (priv->len % NFT_REG32_SIZE)
> + dest[priv->len / NFT_REG32_SIZE] = 0;
> memcpy(dest, opt + offset, priv->len);
> }
>
> @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
> offset + ntohs(sch->length) > pkt->skb->len)
> break;
>
> - dest[priv->len / NFT_REG32_SIZE] = 0;
> - if (skb_copy_bits(pkt->skb, offset + priv->offset,
> - dest, priv->len) < 0)
> + if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
> + dest, priv->len) < 0)
> break;
> return;
> }
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 44613 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230929/b2b40590/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20230929/b2b40590/attachment-0001.sig>
More information about the kernel-team
mailing list