From: Greg Kroah-Hartman Date: Wed, 21 Feb 2024 11:10:40 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v4.19.307~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bae4ae3d91e624b33c5340f47da59fcaf9c1b43d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch --- diff --git a/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch b/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch new file mode 100644 index 00000000000..2db0c63f793 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch 
@@ -0,0 +1,55 @@ +From c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 3 Nov 2023 09:42:51 +0300 +Subject: netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() + +From: Dan Carpenter + +commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream. + +The problem is in nft_byteorder_eval() where we are iterating through a +loop and writing to dst[0], dst[1], dst[2] and so on... On each +iteration we are writing 8 bytes. But dst[] is an array of u32 so each +element only has space for 4 bytes. That means that every iteration +overwrites part of the previous element. + +I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: +nf_tables: prevent OOB access in nft_byteorder_eval") which is a related +issue. I think that the reason we have not detected this bug in testing +is that most of time we only write one element. + +Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") +Signed-off-by: Dan Carpenter +Signed-off-by: Pablo Neira Ayuso +[Ajay: Modified to apply on v4.19.y] +Signed-off-by: Ajay Kaher +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_byteorder.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_byteorder.c ++++ b/net/netfilter/nft_byteorder.c +@@ -41,19 +41,20 @@ static void nft_byteorder_eval(const str + + switch (priv->size) { + case 8: { ++ u64 *dst64 = (void *)dst; + u64 src64; + + switch (priv->op) { + case NFT_BYTEORDER_NTOH: + for (i = 0; i < priv->len / 8; i++) { + src64 = get_unaligned((u64 *)&src[i]); +- put_unaligned_be64(src64, &dst[i]); ++ put_unaligned_be64(src64, &dst64[i]); + } + break; + case NFT_BYTEORDER_HTON: + for (i = 0; i < priv->len / 8; i++) { + src64 = get_unaligned_be64(&src[i]); +- put_unaligned(src64, (u64 *)&dst[i]); ++ put_unaligned(src64, &dst64[i]); + } + break; + } diff --git a/queue-4.19/series b/queue-4.19/series index d935fc45c41..90dde3dacb5 100644 
--- a/queue-4.19/series +++ b/queue-4.19/series @@ -199,3 +199,4 @@ sched-membarrier-reduce-the-ability-to-hammer-on-sys_membarrier.patch nilfs2-fix-potential-bug-in-end_buffer_async_write.patch nilfs2-replace-warn_ons-for-invalid-dat-metadata-block-requests.patch lsm-new-security_file_ioctl_compat-hook.patch +netfilter-nf_tables-fix-pointer-math-issue-in-nft_byteorder_eval.patch
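Review bot: the read side of both loops in the nft_byteorder.c hunk is left with the same stride problem the hunk fixes for the destination: `src64 = get_unaligned((u64 *)&src[i]);` and `src64 = get_unaligned_be64(&src[i]);` still index `src` as a u32 array while reading 8 bytes, so for `priv->len` of 16 the second iteration starts 4 bytes into the buffer and re-reads the upper half of the first 64-bit value. If `src` is the same u32-typed register array as `dst` (the commit message only says "dst[] is an array of u32"), suggest adding `u64 *src64 = (void *)src;` next to the new `u64 *dst64 = (void *)dst;` and loading from `&src64[i]`, or stating in the backport note why the source side is correct as-is so the next reviewer of v4.19.y does not re-derive it.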