Message ID | 20230914190628.2400598-1-cascardo@canonical.com |
---|---|
State | New |
Headers | show |
Series | [SRU,Mantic] netfilter: nftables: exthdr: fix 4-byte stack OOB write | expand |
On 9/14/23 1:06 PM, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > If priv->len is a multiple of 4, then dst[len / 4] can write past > the destination array which leads to stack corruption. > > This construct is necessary to clean the remainder of the register > in case ->len is NOT a multiple of the register size, so make it > conditional just like nft_payload.c does. > > The bug was added in 4.1 cycle and then copied/inherited when > tcp/sctp and ip option support was added. > > Bug reported by Zero Day Initiative project (ZDI-CAN-21950, > ZDI-CAN-21951, ZDI-CAN-21961). > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") > Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") > Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") > Signed-off-by: Florian Westphal <fw@strlen.de> > (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36) > CVE-2023-4881 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/netfilter/nft_exthdr.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c > index 7f856ceb3a66..da8c14f71ddd 100644 > --- a/net/netfilter/nft_exthdr.c > +++ b/net/netfilter/nft_exthdr.c > @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) > return opt[offset + 1]; > } > > +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) > +{ > + if (len % NFT_REG32_SIZE) > + dest[len / NFT_REG32_SIZE] = 0; > + > + return skb_copy_bits(skb, offset, dest, len); > +} > + > static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > struct nft_regs *regs, > const struct nft_pktinfo *pkt) > @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, > if (priv->flags & NFT_EXTHDR_F_PRESENT) { > *dest = 1; > } else { > - dest[priv->len / NFT_REG32_SIZE] = 0; > + if (priv->len % NFT_REG32_SIZE) > + dest[priv->len / NFT_REG32_SIZE] = 0; > memcpy(dest, opt + offset, priv->len); > } > > @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, > offset + ntohs(sch->length) > pkt->skb->len) > break; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset + priv->offset, > - dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset, > + dest, priv->len) < 0) > break; > return; > } Acked-by: Tim Gardner <tim.gardner@canonical.com>
On 14/09/2023 21:06, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > If priv->len is a multiple of 4, then dst[len / 4] can write past > the destination array which leads to stack corruption. > > This construct is necessary to clean the remainder of the register > in case ->len is NOT a multiple of the register size, so make it > conditional just like nft_payload.c does. > > The bug was added in 4.1 cycle and then copied/inherited when > tcp/sctp and ip option support was added. > > Bug reported by Zero Day Initiative project (ZDI-CAN-21950, > ZDI-CAN-21951, ZDI-CAN-21961). > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") > Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") > Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") > Signed-off-by: Florian Westphal <fw@strlen.de> > (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36) > CVE-2023-4881 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/netfilter/nft_exthdr.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c > index 7f856ceb3a66..da8c14f71ddd 100644 > --- a/net/netfilter/nft_exthdr.c > +++ b/net/netfilter/nft_exthdr.c > @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) > return opt[offset + 1]; > } > > +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) > +{ > + if (len % NFT_REG32_SIZE) > + dest[len / NFT_REG32_SIZE] = 0; > + > + return skb_copy_bits(skb, offset, dest, len); > +} > + > static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > struct nft_regs *regs, > const struct nft_pktinfo *pkt) > @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, > if (priv->flags & NFT_EXTHDR_F_PRESENT) { > *dest = 1; > } else { > - dest[priv->len / NFT_REG32_SIZE] = 0; > + if (priv->len % NFT_REG32_SIZE) > + dest[priv->len / NFT_REG32_SIZE] = 0; > memcpy(dest, opt + offset, priv->len); > } > > @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, > offset + ntohs(sch->length) > pkt->skb->len) > break; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset + priv->offset, > - dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset, > + dest, priv->len) < 0) > break; > return; > } Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
On 14.09.23 21:06, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > If priv->len is a multiple of 4, then dst[len / 4] can write past > the destination array which leads to stack corruption. > > This construct is necessary to clean the remainder of the register > in case ->len is NOT a multiple of the register size, so make it > conditional just like nft_payload.c does. > > The bug was added in 4.1 cycle and then copied/inherited when > tcp/sctp and ip option support was added. > > Bug reported by Zero Day Initiative project (ZDI-CAN-21950, > ZDI-CAN-21951, ZDI-CAN-21961). > > Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") > Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching") > Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks") > Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options") > Signed-off-by: Florian Westphal <fw@strlen.de> > (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36) > CVE-2023-4881 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- Applied to mantic:linux/master-next. Thanks. -Stefan > net/netfilter/nft_exthdr.c | 22 ++++++++++++++-------- > 1 file changed, 14 insertions(+), 8 deletions(-) > > diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c > index 7f856ceb3a66..da8c14f71ddd 100644 > --- a/net/netfilter/nft_exthdr.c > +++ b/net/netfilter/nft_exthdr.c > @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) > return opt[offset + 1]; > } > > +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) > +{ > + if (len % NFT_REG32_SIZE) > + dest[len / NFT_REG32_SIZE] = 0; > + > + return skb_copy_bits(skb, offset, dest, len); > +} > + > static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > struct nft_regs *regs, > const struct nft_pktinfo *pkt) > @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, > } > offset += priv->offset; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) > goto err; > return; > err: > @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, > if (priv->flags & NFT_EXTHDR_F_PRESENT) { > *dest = 1; > } else { > - dest[priv->len / NFT_REG32_SIZE] = 0; > + if (priv->len % NFT_REG32_SIZE) > + dest[priv->len / NFT_REG32_SIZE] = 0; > memcpy(dest, opt + offset, priv->len); > } > > @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, > offset + ntohs(sch->length) > pkt->skb->len) > break; > > - dest[priv->len / NFT_REG32_SIZE] = 0; > - if (skb_copy_bits(pkt->skb, offset + priv->offset, > - dest, priv->len) < 0) > + if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset, > + dest, priv->len) < 0) > break; > return; > }
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index 7f856ceb3a66..da8c14f71ddd 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset) return opt[offset + 1]; } +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len) +{ + if (len % NFT_REG32_SIZE) + dest[len / NFT_REG32_SIZE] = 0; + + return skb_copy_bits(skb, offset, dest, len); +} + static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, struct nft_regs *regs, const struct nft_pktinfo *pkt) @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, } offset += priv->offset; - dest[priv->len / NFT_REG32_SIZE] = 0; - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) goto err; return; err: @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr, } offset += priv->offset; - dest[priv->len / NFT_REG32_SIZE] = 0; - if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0) + if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0) goto err; return; err: @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr, if (priv->flags & NFT_EXTHDR_F_PRESENT) { *dest = 1; } else { - dest[priv->len / NFT_REG32_SIZE] = 0; + if (priv->len % NFT_REG32_SIZE) + dest[priv->len / NFT_REG32_SIZE] = 0; memcpy(dest, opt + offset, priv->len); } @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, offset + ntohs(sch->length) > pkt->skb->len) break; - dest[priv->len / NFT_REG32_SIZE] = 0; - if (skb_copy_bits(pkt->skb, offset + priv->offset, - dest, priv->len) < 0) + if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset, + dest, priv->len) < 0) break; return; }