Re: [PATCH v4.10] netfilter: nf_conntrack_h323: lost .data_len definition for Q.931/ipv6

On 6/24/20 3:12 PM, Pablo Neira Ayuso wrote:
> CC'ing stable@xxxxxxxxxxxxxxx
> 
> On Tue, Jun 09, 2020 at 10:53:22AM +0300, Vasily Averin wrote:
>> Could you please push this patch into stable@?
>> It fixes memory corruption in kernels v3.5 .. v4.10
>>
>> Lost .data_len definition leads to write beyond end of
>> struct nf_ct_h323_master. Usually it corrupts following
>> struct nf_conn_nat, however if nat is not loaded it corrupts
>> following slab object.
>>
>> In mainline this problem went away in v4.11,
>> after commit 9f0f3ebeda47 ("netfilter: helpers: remove data_len usage
>> for inkernel helpers") however many stable kernels are still affected.
> 
> -stable maintainers of: 3.16, 4.4 and 4.9.
> 
> Please apply this patch, thanks.

It fixes CVE-2020-14305
https://access.redhat.com/security/cve/CVE-2020-14305

>> cc: stable@xxxxxxxxxxxxxxx
>> Fixes: 1afc56794e03 ("netfilter: nf_ct_helper: implement variable length helper private data") # v3.5
>> Signed-off-by: Vasily Averin <vvs@xxxxxxxxxxxxx>
>> ---
>>  net/netfilter/nf_conntrack_h323_main.c | 1 +
>>  1 file changed, 1 insertion(+)
>>
>> diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c
>> index f65d93639d12..29fe1e7eac88 100644
>> --- a/net/netfilter/nf_conntrack_h323_main.c
>> +++ b/net/netfilter/nf_conntrack_h323_main.c
>> @@ -1225,6 +1225,7 @@ static struct nf_conntrack_helper nf_conntrack_helper_q931[] __read_mostly = {
>>  	{
>>  		.name			= "Q.931",
>>  		.me			= THIS_MODULE,
>> +		.data_len		= sizeof(struct nf_ct_h323_master),
>>  		.tuple.src.l3num	= AF_INET6,
>>  		.tuple.src.u.tcp.port	= cpu_to_be16(Q931_PORT),
>>  		.tuple.dst.protonum	= IPPROTO_TCP,
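Review bot: The added `.data_len` line covers only the AF_INET6 entry of nf_conntrack_helper_q931[], and neither the hunk nor the changelog says whether the array's other entries and the other helper definitions in nf_conntrack_h323_main.c were checked for the same omission. Since the changelog describes the effect as a write past the end of struct nf_ct_h323_master, please add a sentence stating which helper entries were audited, so the stable maintainers for 3.16, 4.4 and 4.9 can confirm this one-line change is the complete fix on their trees. It would also help to name CVE-2020-14305 in the changelog, since that identifier currently appears only in the follow-up reply.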
>> -- 
>> 2.17.1
>>


