netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
mainline inclusion from mainline-v6.7-rc2 commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I8WQRG CVE: CVE-2024-0607 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 --------------------------- The problem is in nft_byteorder_eval() where we are iterating through a loop and writing to dst[0], dst[1], dst[2] and so on... On each iteration we are writing 8 bytes. But dst[] is an array of u32 so each element only has space for 4 bytes. That means that every iteration overwrites part of the previous element. I spotted this bug while reviewing commit caf3ef74 ("netfilter: nf_tables: prevent OOB access in nft_byteorder_eval") which is a related issue. I think that the reason we have not detected this bug in testing is that most of time we only write one element. Fixes: ce1e7989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") Signed-off-by:Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by:
Loading
Please sign in to comment