On Thu, Aug 15, 2024 at 02:04:04AM -0700, Breno Leitao wrote: > On Thu, Aug 15, 2024 at 04:27:33PM +0800, icejl wrote: > > In the nfnetlink_rcv_batch function, an uninitialized local variable > > extack is used, which results in using random stack data as a pointer. > > This pointer is then used to access the data it points to and return > > it as the request status, leading to an information leak. If the stack > > data happens to be an invalid pointer, it can cause a pointer access > > exception, triggering a kernel crash. > > > > Signed-off-by: icejl <icejl0001@xxxxxxxxx> > > --- > > net/netfilter/nfnetlink.c | 1 + > > 1 file changed, 1 insertion(+) > > > > diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c > > index 4abf660c7baf..b29b281f4b2c 100644 > > --- a/net/netfilter/nfnetlink.c > > +++ b/net/netfilter/nfnetlink.c > > @@ -427,6 +427,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, > > > > nfnl_unlock(subsys_id); > > > > + memset(&extack, 0, sizeof(extack)); > > if (nlh->nlmsg_flags & NLM_F_ACK) > > nfnl_err_add(&err_list, nlh, 0, &extack); > > There is a memset later in that function , inside the > `while (skb->len >= nlmsg_total_size(0))` loop. Should that one be > removed? no, the batch contains a series of netlink message, each of them needs a fresh extack area which is zeroed. this pointer leak only affects the recently released 6.10, older kernels are not affected.
