On Thu, Jun 13, 2024 at 07:14:55PM +0200, Pablo Neira Ayuso wrote:
> From: Florian Westphal <fw@xxxxxxxxx>
>
> commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.
>
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
>
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
>
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
>
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
>
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> Hi Greg, Sasha,
>
> This backport is missing in 5.4, please apply to -stable. Thanks.
>
> net/netfilter/nft_exthdr.c | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
Now queued up, thanks.
greg k-h
