git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 5 Sep 2023 21:13:56 +0000 (23:13 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 19 Sep 2023 10:23:00 +0000 (12:23 +0200)
commit	1ad7b189cc1411048434e8595ffcbe7873b71082
tree	ab85dff199344e1f8d4e6077a37f1f55d56f2a36	tree \| snapshot
parent	347f765176db50e348e40da62b6612885b42f7d8	commit \| diff

netfilter: nftables: exthdr: fix 4-byte stack OOB write

[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>