diff mbox series

[SRU,Mantic] netfilter: nftables: exthdr: fix 4-byte stack OOB write

Message ID 20230914190628.2400598-1-cascardo@canonical.com
State New
Headers show
Series [SRU,Mantic] netfilter: nftables: exthdr: fix 4-byte stack OOB write | expand

Commit Message

Thadeu Lima de Souza Cascardo Sept. 14, 2023, 7:06 p.m. UTC 
From: Florian Westphal <fw@strlen.de>

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
(cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36)
CVE-2023-4881
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

Comments

Tim Gardner Sept. 15, 2023, 12:34 p.m. UTC | #1 
On 9/14/23 1:06 PM, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
> 
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
> 
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
> 
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
> 
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36)
> CVE-2023-4881
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
> 
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7f856ceb3a66..da8c14f71ddd 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
>   		return opt[offset + 1];
>   }
>   
> +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
> +{
> +	if (len % NFT_REG32_SIZE)
> +		dest[len / NFT_REG32_SIZE] = 0;
> +
> +	return skb_copy_bits(skb, offset, dest, len);
> +}
> +
>   static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   				 struct nft_regs *regs,
>   				 const struct nft_pktinfo *pkt)
> @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
>   		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
>   			*dest = 1;
>   		} else {
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> +			if (priv->len % NFT_REG32_SIZE)
> +				dest[priv->len / NFT_REG32_SIZE] = 0;
>   			memcpy(dest, opt + offset, priv->len);
>   		}
>   
> @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
>   			    offset + ntohs(sch->length) > pkt->skb->len)
>   				break;
>   
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> -			if (skb_copy_bits(pkt->skb, offset + priv->offset,
> -					  dest, priv->len) < 0)
> +			if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
> +						dest, priv->len) < 0)
>   				break;
>   			return;
>   		}
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Roxana Nicolescu Sept. 28, 2023, 7:52 a.m. UTC | #2 
On 14/09/2023 21:06, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
>
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
>
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
>
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
>
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
>
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36)
> CVE-2023-4881
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
>
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7f856ceb3a66..da8c14f71ddd 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
>   		return opt[offset + 1];
>   }
>   
> +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
> +{
> +	if (len % NFT_REG32_SIZE)
> +		dest[len / NFT_REG32_SIZE] = 0;
> +
> +	return skb_copy_bits(skb, offset, dest, len);
> +}
> +
>   static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   				 struct nft_regs *regs,
>   				 const struct nft_pktinfo *pkt)
> @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
>   		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
>   			*dest = 1;
>   		} else {
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> +			if (priv->len % NFT_REG32_SIZE)
> +				dest[priv->len / NFT_REG32_SIZE] = 0;
>   			memcpy(dest, opt + offset, priv->len);
>   		}
>   
> @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
>   			    offset + ntohs(sch->length) > pkt->skb->len)
>   				break;
>   
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> -			if (skb_copy_bits(pkt->skb, offset + priv->offset,
> -					  dest, priv->len) < 0)
> +			if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
> +						dest, priv->len) < 0)
>   				break;
>   			return;
>   		}
Acked-by: Roxana Nicolescu <roxana.nicolescu@canonical.com>
Stefan Bader Sept. 29, 2023, 11:01 a.m. UTC | #3 
On 14.09.23 21:06, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> If priv->len is a multiple of 4, then dst[len / 4] can write past
> the destination array which leads to stack corruption.
> 
> This construct is necessary to clean the remainder of the register
> in case ->len is NOT a multiple of the register size, so make it
> conditional just like nft_payload.c does.
> 
> The bug was added in 4.1 cycle and then copied/inherited when
> tcp/sctp and ip option support was added.
> 
> Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
> ZDI-CAN-21951, ZDI-CAN-21961).
> 
> Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
> Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
> Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
> Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> (cherry picked from commit fd94d9dadee58e09b49075240fe83423eb1dcd36)
> CVE-2023-4881
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---

Applied to mantic:linux/master-next. Thanks.

-Stefan

>   net/netfilter/nft_exthdr.c | 22 ++++++++++++++--------
>   1 file changed, 14 insertions(+), 8 deletions(-)
> 
> diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
> index 7f856ceb3a66..da8c14f71ddd 100644
> --- a/net/netfilter/nft_exthdr.c
> +++ b/net/netfilter/nft_exthdr.c
> @@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt, unsigned int offset)
>   		return opt[offset + 1];
>   }
>   
> +static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
> +{
> +	if (len % NFT_REG32_SIZE)
> +		dest[len / NFT_REG32_SIZE] = 0;
> +
> +	return skb_copy_bits(skb, offset, dest, len);
> +}
> +
>   static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   				 struct nft_regs *regs,
>   				 const struct nft_pktinfo *pkt)
> @@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
>   	}
>   	offset += priv->offset;
>   
> -	dest[priv->len / NFT_REG32_SIZE] = 0;
> -	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
> +	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
>   		goto err;
>   	return;
>   err:
> @@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
>   		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
>   			*dest = 1;
>   		} else {
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> +			if (priv->len % NFT_REG32_SIZE)
> +				dest[priv->len / NFT_REG32_SIZE] = 0;
>   			memcpy(dest, opt + offset, priv->len);
>   		}
>   
> @@ -392,9 +399,8 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
>   			    offset + ntohs(sch->length) > pkt->skb->len)
>   				break;
>   
> -			dest[priv->len / NFT_REG32_SIZE] = 0;
> -			if (skb_copy_bits(pkt->skb, offset + priv->offset,
> -					  dest, priv->len) < 0)
> +			if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
> +						dest, priv->len) < 0)
>   				break;
>   			return;
>   		}
diff mbox series

Patch

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 7f856ceb3a66..da8c14f71ddd 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -35,6 +35,14 @@  static unsigned int optlen(const u8 *opt, unsigned int offset)
 		return opt[offset + 1];
 }
 
+static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
+{
+	if (len % NFT_REG32_SIZE)
+		dest[len / NFT_REG32_SIZE] = 0;
+
+	return skb_copy_bits(skb, offset, dest, len);
+}
+
 static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
 				 struct nft_regs *regs,
 				 const struct nft_pktinfo *pkt)
@@ -56,8 +64,7 @@  static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
 	}
 	offset += priv->offset;
 
-	dest[priv->len / NFT_REG32_SIZE] = 0;
-	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
+	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
 		goto err;
 	return;
 err:
@@ -153,8 +160,7 @@  static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
 	}
 	offset += priv->offset;
 
-	dest[priv->len / NFT_REG32_SIZE] = 0;
-	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
+	if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
 		goto err;
 	return;
 err:
@@ -210,7 +216,8 @@  static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
 		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
 			*dest = 1;
 		} else {
-			dest[priv->len / NFT_REG32_SIZE] = 0;
+			if (priv->len % NFT_REG32_SIZE)
+				dest[priv->len / NFT_REG32_SIZE] = 0;
 			memcpy(dest, opt + offset, priv->len);
 		}
 
@@ -392,9 +399,8 @@  static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
 			    offset + ntohs(sch->length) > pkt->skb->len)
 				break;
 
-			dest[priv->len / NFT_REG32_SIZE] = 0;
-			if (skb_copy_bits(pkt->skb, offset + priv->offset,
-					  dest, priv->len) < 0)
+			if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
+						dest, priv->len) < 0)
 				break;
 			return;
 		}