]> git.ipfire.org Git - thirdparty/nftables.git/commitdiff
projects / thirdparty / nftables.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 071414e)
netlink: fix stack buffer overflow with sub-reg sized prefixes
authorFlorian Westphal <fw@strlen.de>
Wed, 13 Dec 2023 16:41:26 +0000 (17:41 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Wed, 22 Jan 2025 23:41:53 +0000 (00:41 +0100)
commit 600b84631410a6e853c208795246ea0c9df95c12 upstream.

The calculation of the dynamic on-stack array is incorrect,
the scratch space can be too low which gives stack corruption:

AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7ffdb454f064..
    #1 0x7fabe92aaac4 in __mpz_export_data src/gmputil.c:108
    #2 0x7fabe92d71b1 in netlink_export_pad src/netlink.c:251
    #3 0x7fabe92d91d8 in netlink_gen_prefix src/netlink.c:476

div_round_up() cannot be used here, it fails to account for register
padding.  A 16 bit prefix will need 2 registers (start, end -- 8 bytes
in total).

Remove the dynamic sizing and add an assertion in case upperlayer
ever passes invalid expr sizes down to us.

After this fix, the combination is rejected by the kernel
because of the maps' wrong data size, before the fix userspace
may crash before.

Signed-off-by: Florian Westphal <fw@strlen.de>
src/netlink.c patch | blob | blame | history
tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix [new file with mode: 0644] patch | blob

diff --git a/src/netlink.c b/src/netlink.c
index a562000f6c12e9e36ee71e965fdf499a893fce7c..0b5030fb212143c9457e4608562fc90344861f86 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -465,11 +465,14 @@ static void netlink_gen_range(const struct expr *expr,
 static void netlink_gen_prefix(const struct expr *expr,
                               struct nft_data_linearize *nld)
 {
-       unsigned int len = div_round_up(expr->len, BITS_PER_BYTE) * 2;
-       unsigned char data[len];
+       unsigned int len = (netlink_padded_len(expr->len) / BITS_PER_BYTE) * 2;
+       unsigned char data[NFT_MAX_EXPR_LEN_BYTES];
        int offset;
        mpz_t v;
 
+       if (len > sizeof(data))
+               BUG("Value export of %u bytes would overflow", len);
+
        offset = netlink_export_pad(data, expr->prefix->value, expr);
        mpz_init_bitmask(v, expr->len - expr->prefix_len);
        mpz_add(v, expr->prefix->value, v);
diff --git a/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix
new file mode 100644 (file)
index 0000000..23c2dc3
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-f/dynamic-stack-buffer-overflow_gen_prefix
@@ -0,0 +1,5 @@
+table ip test {
+       chain test {
+               tcp dport set ip daddr map { 192.168.0.1 : 0x000/0001 }
+       }
+}
Mirror of git://git.netfilter.org/nftables