Commit 51f8ea3f authored Sep 02, 2024 by Pablo Neira Ayuso Committed by Zhang Changzhong Sep 02, 2024

netfilter: ctnetlink: use helper function to calculate expect ID

stable inclusion
from stable-v4.19.320
commit 66e7650dbbb8e236e781c670b167edc81e771450
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IANOZB
CVE: CVE-2024-44944

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=66e7650dbbb8e236e781c670b167edc81e771450



---------------------------

[ Upstream commit 782161895eb4ac45cf7cfa8db375bd4766cb8299 ]

Delete expectation path is missing a call to the nf_expect_get_id()
helper function to calculate the expectation ID, otherwise LSB of the
expectation object address is leaked to userspace.

Fixes: 3c791076 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Reported-by:  <zdi-disclosures@trendmicro.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>

parent f40e2e86

net/netfilter/nf_conntrack_netlink.c

+2 −1

Original line number	Original line	Diff line number	Diff line
	@@ -3142,7 +3142,8 @@ static int ctnetlink_del_expect(struct net net, struct sock ctnl,

	if (cda[CTA_EXPECT_ID]) {		if (cda[CTA_EXPECT_ID]) {
	__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);		__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
	if (ntohl(id) != (u32)(unsigned long)exp) {
			if (id != nf_expect_get_id(exp)) {
	nf_ct_expect_put(exp);		nf_ct_expect_put(exp);
	return -ENOENT;		return -ENOENT;
	}		}