4.19-stable patches

added patches:
	netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch

diff --git a/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch b/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
new file mode 100644 (file)
index 0000000..2db0c63
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
@@ -0,0 +1,55 @@
+From c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Fri, 3 Nov 2023 09:42:51 +0300
+Subject: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
+
+The problem is in nft_byteorder_eval() where we are iterating through a
+loop and writing to dst[0], dst[1], dst[2] and so on...  On each
+iteration we are writing 8 bytes.  But dst[] is an array of u32 so each
+element only has space for 4 bytes.  That means that every iteration
+overwrites part of the previous element.
+
+I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
+nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
+issue.  I think that the reason we have not detected this bug in testing
+is that most of time we only write one element.
+
+Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+[Ajay: Modified to apply on v4.19.y]
+Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_byteorder.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nft_byteorder.c
++++ b/net/netfilter/nft_byteorder.c
+@@ -41,19 +41,20 @@ static void nft_byteorder_eval(const str
+ 
+       switch (priv->size) {
+       case 8: {
++              u64 *dst64 = (void *)dst;
+               u64 src64;
+ 
+               switch (priv->op) {
+               case NFT_BYTEORDER_NTOH:
+                       for (i = 0; i < priv->len / 8; i++) {
+                               src64 = get_unaligned((u64 *)&src[i]);
+-                              put_unaligned_be64(src64, &dst[i]);
++                              put_unaligned_be64(src64, &dst64[i]);
+                       }
+                       break;
+               case NFT_BYTEORDER_HTON:
+                       for (i = 0; i < priv->len / 8; i++) {
+                               src64 = get_unaligned_be64(&src[i]);
+-                              put_unaligned(src64, (u64 *)&dst[i]);
++                              put_unaligned(src64, &dst64[i]);
+                       }
+                       break;
+               }

diff --git a/queue-4.19/series b/queue-4.19/series
index d935fc45c41bedf113724df93c9ae0cff86f4f60..90dde3dacb5e9801374e45c16d6a593bc14b643c 100644 (file)
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -199,3 +199,4 @@ sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch
 nilfs2-fix-potential-bug-in-end_buffer_async_write.patch
 nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch
 lsm-new-security_file_ioctl_compat-hook.patch
+netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch