Patch "netfilter: nfnetlink_osf: avoid OOB read" has been added to the 5.10-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Wed, 13 Sep 2023 21:31:54 -0400

This is a note to let you know that I've just added the patch titled

    netfilter: nfnetlink_osf: avoid OOB read

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nfnetlink_osf-avoid-oob-read.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d9a8903f2b281a996b0df040ae6afe8f4b28b115
Author: Wander Lairson Costa <wander@xxxxxxxxxx>
Date:   Fri Sep 1 10:50:20 2023 -0300

    netfilter: nfnetlink_osf: avoid OOB read
    
    [ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ]
    
    The opt_num field is controlled by user mode and is not currently
    validated inside the kernel. An attacker can take advantage of this to
    trigger an OOB read and potentially leak information.
    
    BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
    Read of size 2 at addr ffff88804bc64272 by task poc/6431
    
    CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
    Call Trace:
     nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
     nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
     nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
     expr_call_ops_eval net/netfilter/nf_tables_core.c:214
     nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
     nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
     [..]
    
    Also add validation to genre, subtype and version fields.
    
    Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
    Reported-by: Lucas Leong <wmliang@infosec.exchange>
    Signed-off-by: Wander Lairson Costa <wander@xxxxxxxxxx>
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 9dbaa5ce24e51..573a372e760f4 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl,
 
 	f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
 
+	if (f->opt_num > ARRAY_SIZE(f->opt))
+		return -EINVAL;
+
+	if (!memchr(f->genre, 0, MAXGENRELEN) ||
+	    !memchr(f->subtype, 0, MAXGENRELEN) ||
+	    !memchr(f->version, 0, MAXGENRELEN))
+		return -EINVAL;
+
 	kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
 	if (!kf)
 		return -ENOMEM;






