Re: [PATCH -stable,5.4] netfilter: nftables: exthdr: fix 4-byte stack OOB write

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, Jun 13, 2024 at 07:14:55PM +0200, Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
> 
> commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.
> 
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
> 
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
> 
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
> 
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
> 
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> Hi Greg, Sasha,
> 
> This backport is missing in 5.4, please apply to -stable. Thanks.
> 
>  net/netfilter/nft_exthdr.c | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)

Now queued up, thanks.

greg k-h




[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux