From: Greg Kroah-Hartman Date: Wed, 19 Jun 2024 10:57:31 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v6.1.95~36 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8742cad510dedc68fa9129c91d7f279188750756;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch --- diff --git a/queue-5.4/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch b/queue-5.4/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch new file mode 100644 index 00000000000..45642309adf --- /dev/null +++ b/queue-5.4/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch @@ -0,0 +1,80 @@ +From fd94d9dadee58e09b49075240fe83423eb1dcd36 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Tue, 5 Sep 2023 23:13:56 +0200 +Subject: netfilter: nftables: exthdr: fix 4-byte stack OOB write + +From: Florian Westphal + +commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream. + +If priv->len is a multiple of 4, then dst[len / 4] can write past +the destination array which leads to stack corruption. + +This construct is necessary to clean the remainder of the register +in case ->len is NOT a multiple of the register size, so make it +conditional just like nft_payload.c does. + +The bug was added in 4.1 cycle and then copied/inherited when +tcp/sctp and ip option support was added. + +Bug reported by Zero Day Initiative project (ZDI-CAN-21950, +ZDI-CAN-21951, ZDI-CAN-21961). + +Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") +Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") +Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") +Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_exthdr.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -33,6 +33,14 @@ static unsigned int optlen(const u8 *opt + return opt[offset + 1]; + } + ++static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) ++{ ++ if (len % NFT_REG32_SIZE) ++ dest[len / NFT_REG32_SIZE] = 0; ++ ++ return skb_copy_bits(skb, offset, dest, len); ++} ++ + static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) +@@ -54,8 +62,7 @@ static void nft_exthdr_ipv6_eval(const s + } + offset += priv->offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; +- if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) ++ if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) + goto err; + return; + err: +@@ -151,8 +158,7 @@ static void nft_exthdr_ipv4_eval(const s + } + offset += priv->offset; + +- dest[priv->len / NFT_REG32_SIZE] = 0; +- if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) ++ if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) + goto err; + return; + err: +@@ -208,7 +214,8 @@ static void nft_exthdr_tcp_eval(const st + if (priv->flags & NFT_EXTHDR_F_PRESENT) { + *dest = 1; + } else { +- dest[priv->len / NFT_REG32_SIZE] = 0; ++ if (priv->len % NFT_REG32_SIZE) ++ dest[priv->len / NFT_REG32_SIZE] = 0; + memcpy(dest, opt + offset, priv->len); + } + diff --git a/queue-5.4/series b/queue-5.4/series index 196db51d85b..f9bcd61e28a 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -97,3 +97,4 @@ nilfs2-fix-potential-kernel-bug-due-to-lack-of-writeback-flag-waiting.patch tick-nohz_full-don-t-abuse-smp_call_function_single-in-tick_setup_device.patch hv_utils-drain-the-timesync-packets-on-onchannelcallback.patch hugetlb_encode.h-fix-undefined-behaviour-34-26.patch +netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch