Patch "netfilter: nfnetlink_queue: fix OOB when mac header was cleared" has been added to the 4.4-stable tree

This is a note to let you know that I've just added the patch titled

    netfilter: nfnetlink_queue: fix OOB when mac header was cleared

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 390d036c03e13fe5def702b95998b76c5728a0e2
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Wed Oct 20 18:08:10 2021 +0200

    netfilter: nfnetlink_queue: fix OOB when mac header was cleared
    
    [ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ]
    
    On 64-bit platforms the MAC header is set to 0xffff on allocation and
    also when a helper like skb_unset_mac_header() is called.
    
    dev_parse_header may call skb_mac_header() which assumes a valid mac offset:
    
     BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90
     Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364
     Call Trace:
      memcpy+0x20/0x60
      eth_header_parse+0x75/0x90
      __nfqnl_enqueue_packet+0x1a61/0x3380
      __nf_queue+0x597/0x1300
      nf_queue+0xf/0x40
      nf_hook_slow+0xed/0x190
      nf_hook+0x184/0x440
      ip_output+0x1c0/0x2a0
      nf_reinject+0x26f/0x700
      nfqnl_recv_verdict+0xa16/0x18b0
      nfnetlink_rcv_msg+0x506/0xe70
    
    The existing code only works if the skb has a mac header.
    
    Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
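The following user-space model, added here as an illustration and not code from the patch or from the kernel, shows why the pre-patch guard let a cleared MAC header through: the "unset" sentinel 0xffff differs from the network-header offset, so `mac_header != network_header` is true and the parser reads 6 bytes at an offset far past the buffer. The struct, the frame bytes and the `combined_check()` variant are all constructed for this example; only the sentinel value, the 6-byte source-address read at offset 6 and the two guard conditions come from the commit message and hunk above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6
#define ETH_HLEN 14

/* Toy model of the sk_buff offsets involved (assumption: not the kernel's struct). */
struct skb_model {
    unsigned char *head;
    size_t len;              /* bytes of valid data starting at head */
    uint16_t mac_header;     /* offset from head; 0xffff means "not set" */
    uint16_t network_header; /* offset from head */
};

/* Mirrors the kernel helper: header is unset when the offset is (u16)~0U == 0xffff. */
static bool skb_mac_header_was_set(const struct skb_model *skb)
{
    return skb->mac_header != (uint16_t)~0U;
}

/* Like skb_unset_mac_header(): stores the sentinel, not 0. */
static void skb_unset_mac_header(struct skb_model *skb)
{
    skb->mac_header = (uint16_t)~0U;
}

/* Guard used before the patch. */
static bool old_check(const struct skb_model *skb)
{
    return skb->mac_header != skb->network_header;
}

/* Guard used by the 4.4 backport hunk. */
static bool new_check(const struct skb_model *skb)
{
    return skb_mac_header_was_set(skb);
}

/* Assumed variant for comparison: both conditions at once. */
static bool combined_check(const struct skb_model *skb)
{
    return skb_mac_header_was_set(skb) && skb->mac_header != skb->network_header;
}

/* Stand-in for eth_header_parse(): copies the 6-byte h_source at mac_header + 6.
 * Returns 1 on success, 0 if the guard rejects the skb, -1 if the guard admits it
 * but the read would leave the buffer (the OOB KASAN reported; checked, not done). */
static int parse_hw_addr(const struct skb_model *skb,
                         bool (*guard)(const struct skb_model *),
                         unsigned char haddr[ETH_ALEN])
{
    if (!guard(skb))
        return 0;
    size_t off = (size_t)skb->mac_header + ETH_ALEN; /* skip h_dest, read h_source */
    if (off + ETH_ALEN > skb->len)
        return -1;
    memcpy(haddr, skb->head + off, ETH_ALEN);
    return 1;
}

/* Constructed frame: Ethernet header at offset 0, IPv4-looking bytes from offset 14. */
static unsigned char frame[64] = {
    0x01, 0x00, 0x5e, 0x00, 0x00, 0x01,       /* h_dest (multicast) */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55,       /* h_source */
    0x08, 0x00,                               /* ethertype IPv4 */
    0x45, 0x00, 0x00, 0x32, 0xab, 0xcd, 0x40, 0x00, 0x40, 0x11 /* IP header start */
};

enum skb_kind { SKB_WITH_MAC, SKB_MAC_CLEARED, SKB_MAC_ALIASES_NET };

static struct skb_model make_skb(enum skb_kind kind)
{
    struct skb_model skb = { .head = frame, .len = sizeof frame,
                             .mac_header = 0, .network_header = ETH_HLEN };
    switch (kind) {
    case SKB_WITH_MAC:        /* normal: L2 header present at offset 0 */
        break;
    case SKB_MAC_CLEARED:     /* fresh allocation or skb_unset_mac_header() */
        skb_unset_mac_header(&skb);
        break;
    case SKB_MAC_ALIASES_NET: /* mac offset == network offset: no real L2 header */
        skb.mac_header = ETH_HLEN;
        break;
    }
    return skb;
}

/* Exercise one (skb kind, guard) pair; returns parse_hw_addr()'s result code. */
static int check_result(enum skb_kind kind, bool (*guard)(const struct skb_model *))
{
    struct skb_model skb = make_skb(kind);
    unsigned char haddr[ETH_ALEN];
    return parse_hw_addr(&skb, guard, haddr);
}

int main(void)
{
    const char *names[] = { "mac set", "mac cleared (0xffff)", "mac == network" };
    for (int k = SKB_WITH_MAC; k <= SKB_MAC_ALIASES_NET; k++)
        printf("%-22s old=%2d new=%2d combined=%2d\n", names[k],
               check_result(k, old_check), check_result(k, new_check),
               check_result(k, combined_check));
    return 0;
}
```

Result codes: 1 = address copied, 0 = guard rejected, -1 = guard admitted but the read is out of bounds. The cleared case returns -1 under `old_check` (0xffff differs from 14, so the read goes to offset 65541) and 0 under `new_check`; the third case shows the trade-off the backport makes, since `new_check` admits an skb whose mac offset aliases the network header and copies IP-header bytes as a hardware address.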

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 54cde78c27183..ebce25080f7ff 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -486,7 +486,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		goto nla_put_failure;
 
 	if (indev && entskb->dev &&
-	    entskb->mac_header != entskb->network_header) {
+	    skb_mac_header_was_set(entskb)) {
 		struct nfqnl_msg_packet_hw phw;
 		int len;
 
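Review bot: the new condition in this hunk drops the `entskb->mac_header != entskb->network_header` test rather than adding to it, so an skb whose mac offset was set but equals the network offset (the looped broadcast/multicast case that Fixes: 2c38de4c1f8da7 was guarding against, per its subject line) now enters the branch and dev_parse_header() reads the network header as a link-layer header. Keeping both tests, e.g. `skb_mac_header_was_set(entskb) && entskb->mac_header != entskb->network_header`, covers the cleared-header case this patch fixes without reopening the earlier one; if that narrowing is intentional for 4.4, the commit message should say so.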


