Commit 006b199f authored by Florian Westphal's avatar Florian Westphal Committed by Zhengchao Shao
Browse files

netfilter: nftables: exthdr: fix 4-byte stack OOB write 

mainline inclusion
from mainline-v6.6-rc1
commit fd94d9da
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I80I0G
CVE: CVE-2023-4881

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=fd94d9dadee58e09b49075240fe83423eb1dcd36



--------------------------------

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f64 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203 ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>

Conflicts:
	net/netfilter/nft_exthdr.c

Signed-off-by: default avatarZhengchao Shao <shaozhengchao@huawei.com>
parent 518d7451

net/netfilter/nft_exthdr.c

+12 −5
Original line number Diff line number Diff line
@@ -33,6 +33,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) 
		return opt[offset + 1];

}



static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)

{

	if (len % NFT_REG32_SIZE)

		dest[len / NFT_REG32_SIZE] = 0;



	return skb_copy_bits(skb, offset, dest, len);

}



static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,

				 struct nft_regs *regs,

				 const struct nft_pktinfo *pkt)
@@ -54,8 +62,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, 
	}

	offset += priv->offset;



	dest[priv->len / NFT_REG32_SIZE] = 0;

	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)

	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)

		goto err;

	return;

err:
@@ -151,8 +158,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, 
	}

	offset += priv->offset;



	dest[priv->len / NFT_REG32_SIZE] = 0;

	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)

	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)

		goto err;

	return;

err:
@@ -208,6 +214,7 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, 
		if (priv->flags & NFT_EXTHDR_F_PRESENT) {

			*dest = 1;

		} else {

			if (priv->len % NFT_REG32_SIZE)

				dest[priv->len / NFT_REG32_SIZE] = 0;

			memcpy(dest, opt + offset, priv->len);

		}