From patchwork Tue Oct 18 19:41:47 2022
X-Patchwork-Submitter: John Cabaj
X-Patchwork-Id: 1691679
From: John Cabaj
To: kernel-team@lists.ubuntu.com
Subject: [SRU][J/F/B][PATCH] Fix CVE-2022-2663 (netfilter: nf_conntrack_irc: Fix forged IP logic)
Date: Tue, 18 Oct 2022 14:41:47 -0500
Message-Id: <20221018194147.56776-2-john.cabaj@canonical.com>
In-Reply-To: <20221018194147.56776-1-john.cabaj@canonical.com>
References: <20221018194147.56776-1-john.cabaj@canonical.com>
List-Id: Kernel team discussions

From: David Leadbeater

CVE-2022-2663

Ensure the match happens in the right direction; previously the destination
used was the server, not the NAT host, as the comment shows the code intended.

Additionally nf_nat_irc uses port 0 as a signal and there's no valid way it can
appear in a DCC message, so consider port 0 also forged.

Fixes: 869f37d8e48f ("[NETFILTER]: nf_conntrack/nf_nat: add IRC helper port")
Signed-off-by: David Leadbeater
Signed-off-by: Pablo Neira Ayuso
(cherry picked from commit 0efe125cfb99e6773a7434f3463f7c2fa28f3a43)
Signed-off-by: John Cabaj
Acked-by: Thadeu Lima de Souza Cascardo
---
 net/netfilter/nf_conntrack_irc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c
index 08ee4e760a3d..18b90e334b5b 100644
--- a/net/netfilter/nf_conntrack_irc.c
+++ b/net/netfilter/nf_conntrack_irc.c
@@ -188,8 +188,9 @@ static int help(struct sk_buff *skb, unsigned int protoff, /* dcc_ip can be the internal OR external (NAT'ed) IP */ tuple = &ct->tuplehash[dir].tuple; - if (tuple->src.u3.ip != dcc_ip && - tuple->dst.u3.ip != dcc_ip) { + if ((tuple->src.u3.ip != dcc_ip && + ct->tuplehash[!dir].tuple.dst.u3.ip != dcc_ip) || + dcc_port == 0) { net_warn_ratelimited("Forged DCC command from %pI4: %pI4:%u\n", &tuple->src.u3.ip, &dcc_ip, dcc_port);
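Review bot: the new `|| dcc_port == 0` condition reuses the existing branch, but the comment above it (`/* dcc_ip can be the internal OR external (NAT'ed) IP */`) and the `Forged DCC command from %pI4: %pI4:%u` warning still describe only the address-mismatch case; consider adding a line to that comment saying port 0 is rejected because nf_nat_irc uses it as a signal, as the commit message explains, so someone who sees the warning for a correct address with port 0 knows why it was logged as forged. The direction change itself reads correctly: `tuple` (the original direction) still supplies the source address for the comparison and the log line, and the NAT'ed external address is now taken from `ct->tuplehash[!dir].tuple.dst.u3.ip` rather than from the same tuple's destination, which is the server.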
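The two behaviours the commit message describes, as an added user-space model that is not code from the kernel, from this patch or from its authors: `struct conn`, `struct tuple`, the `IP4()` macro, `build_nat_conn()` and the sample addresses are constructed stand-ins for the kernel's conntrack tuples, and only the two comparisons (`dcc_forged_old`, `dcc_forged_new`) follow the removed and added lines of the hunk.

```c
/*
 * Added example, not code from the kernel or from this patch: a small
 * user-space model of the DCC address check in nf_conntrack_irc.c, written
 * to show what CVE-2022-2663 changed. struct conn / struct tuple, IP4() and
 * the sample addresses are constructed stand-ins for the kernel's conntrack
 * tuples; only the two comparisons mirror the hunk.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IP_CT_DIR_ORIGINAL 0
#define IP_CT_DIR_REPLY    1

/* Pack dotted-quad octets into one integer; byte order is irrelevant for the
 * equality tests below. */
#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

struct tuple { uint32_t src_ip; uint32_t dst_ip; };

/* One conntrack entry: the tuple as seen in the original direction and as
 * seen in the reply direction. */
struct conn { struct tuple tuplehash[2]; };

/* Constructed sample addresses (documentation ranges). */
static const uint32_t ADDR_CLIENT_INTERNAL = IP4(10, 0, 0, 5);     /* behind NAT */
static const uint32_t ADDR_CLIENT_EXTERNAL = IP4(203, 0, 113, 9);  /* NAT host  */
static const uint32_t ADDR_SERVER          = IP4(198, 51, 100, 7); /* IRC server */

/* A NAT'ed client talking to the server: original tuple is internal -> server,
 * reply tuple is server -> external (the NAT host). */
static void build_nat_conn(struct conn *ct)
{
    ct->tuplehash[IP_CT_DIR_ORIGINAL].src_ip = ADDR_CLIENT_INTERNAL;
    ct->tuplehash[IP_CT_DIR_ORIGINAL].dst_ip = ADDR_SERVER;
    ct->tuplehash[IP_CT_DIR_REPLY].src_ip    = ADDR_SERVER;
    ct->tuplehash[IP_CT_DIR_REPLY].dst_ip    = ADDR_CLIENT_EXTERNAL;
}

/* Pre-fix logic (the removed lines): compares against src and dst of the
 * same direction, so "dst" is the IRC server rather than the NAT host. */
static bool dcc_forged_old(const struct conn *ct, int dir,
                           uint32_t dcc_ip, uint16_t dcc_port)
{
    const struct tuple *tuple = &ct->tuplehash[dir];
    (void)dcc_port; /* the old check never looked at the port */
    return tuple->src_ip != dcc_ip && tuple->dst_ip != dcc_ip;
}

/* Post-fix logic (the added lines): the external address is the destination
 * of the reply-direction tuple, and port 0 is always treated as forged. */
static bool dcc_forged_new(const struct conn *ct, int dir,
                           uint32_t dcc_ip, uint16_t dcc_port)
{
    const struct tuple *tuple = &ct->tuplehash[dir];
    return (tuple->src_ip != dcc_ip &&
            ct->tuplehash[!dir].dst_ip != dcc_ip) ||
           dcc_port == 0;
}

/* Wrappers: evaluate each version against the sample connection for a DCC
 * command seen in the original (client -> server) direction. */
static bool check_old(uint32_t dcc_ip, uint16_t dcc_port)
{
    struct conn ct;
    build_nat_conn(&ct);
    return dcc_forged_old(&ct, IP_CT_DIR_ORIGINAL, dcc_ip, dcc_port);
}

static bool check_new(uint32_t dcc_ip, uint16_t dcc_port)
{
    struct conn ct;
    build_nat_conn(&ct);
    return dcc_forged_new(&ct, IP_CT_DIR_ORIGINAL, dcc_ip, dcc_port);
}

static void report(const char *what, uint32_t dcc_ip, uint16_t dcc_port)
{
    printf("%-44s old: %-6s new: %s\n", what,
           check_old(dcc_ip, dcc_port) ? "forged" : "ok",
           check_new(dcc_ip, dcc_port) ? "forged" : "ok");
}

int main(void)
{
    report("client advertises its internal address", ADDR_CLIENT_INTERNAL, 5000);
    report("client advertises its NAT'ed address",   ADDR_CLIENT_EXTERNAL, 5000);
    report("DCC carries the server's address",      ADDR_SERVER, 5000);
    report("valid address but port 0",              ADDR_CLIENT_INTERNAL, 0);
    return 0;
}
```

Run against the constructed connection, the pre-fix check flags the legitimate NAT'ed client (its external address matches neither field of the original tuple) while letting through a DCC that names the server, which is exactly the destination the old comparison accepted; the post-fix check inverts both outcomes and additionally rejects port 0, so the "Forged DCC command" warning in the hunk becomes a usable signal for defenders watching conntrack helper logs.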