On Thu, Aug 15, 2024 at 04:27:33PM +0800, icejl wrote: > In the nfnetlink_rcv_batch function, an uninitialized local variable > extack is used, which results in using random stack data as a pointer. > This pointer is then used to access the data it points to and return > it as the request status, leading to an information leak. If the stack > data happens to be an invalid pointer, it can cause a pointer access > exception, triggering a kernel crash. > > Signed-off-by: icejl <icejl0001@xxxxxxxxx> > --- > net/netfilter/nfnetlink.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c > index 4abf660c7baf..b29b281f4b2c 100644 > --- a/net/netfilter/nfnetlink.c > +++ b/net/netfilter/nfnetlink.c > @@ -427,6 +427,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, > > nfnl_unlock(subsys_id); > > + memset(&extack, 0, sizeof(extack)); > if (nlh->nlmsg_flags & NLM_F_ACK) > nfnl_err_add(&err_list, nlh, 0, &extack); There is a memset later in that function , inside the `while (skb->len >= nlmsg_total_size(0))` loop. Should that one be removed?
