For the record: https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git/commit/?id=d1a7b382a9d3f0f3e5a80e0be2991c075fa4f618 Fixes: bf2ac490d28c ("netfilter: nfnetlink: Handle ACK flags for batch messages") On Thu, Aug 15, 2024 at 10:32:11AM +0200, Pablo Neira Ayuso wrote: > There is a fix already traveling for this in a pull request. > > On Thu, Aug 15, 2024 at 04:27:33PM +0800, icejl wrote: > > In the nfnetlink_rcv_batch function, an uninitialized local variable > > extack is used, which results in using random stack data as a pointer. > > This pointer is then used to access the data it points to and return > > it as the request status, leading to an information leak. If the stack > > data happens to be an invalid pointer, it can cause a pointer access > > exception, triggering a kernel crash. > > > > Signed-off-by: icejl <icejl0001@xxxxxxxxx> > > --- > > net/netfilter/nfnetlink.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c > > index 4abf660c7baf..b29b281f4b2c 100644 > > --- a/net/netfilter/nfnetlink.c > > +++ b/net/netfilter/nfnetlink.c > > @@ -427,6 +427,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, > > > > nfnl_unlock(subsys_id); > > > > + memset(&extack, 0, sizeof(extack)); > > if (nlh->nlmsg_flags & NLM_F_ACK) > > nfnl_err_add(&err_list, nlh, 0, &extack); > > > > -- > > 2.34.1 > >
