diff mbox series

[SRU,B/F/J/OEM-5.14/HWE-5.17] netfilter: nf_queue: do not allow packet truncation below transport header offset

Message ID 20220816085305.173727-1-cascardo@canonical.com
State New
Headers show
Series [SRU,B/F/J/OEM-5.14/HWE-5.17] netfilter: nf_queue: do not allow packet truncation below transport header offset | expand

Commit Message

Thadeu Lima de Souza Cascardo Aug. 16, 2022, 8:53 a.m. UTC 
From: Florian Westphal <fw@strlen.de>

Domingo Dirutigliano and Nicola Guerrera report kernel panic when
sending nf_queue verdict with 1-byte nfta_payload attribute.

The IP/IPv6 stack pulls the IP(v6) header from the packet after the
input hook.

If user truncates the packet below the header size, this skb_pull() will
result in a malformed skb (skb->len < 0).

Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
CVE-2022-36946
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
---
 net/netfilter/nfnetlink_queue.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

Comments

Tim Gardner Aug. 16, 2022, 12:40 p.m. UTC | #1 
On 8/16/22 02:53, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> Domingo Dirutigliano and Nicola Guerrera report kernel panic when
> sending nf_queue verdict with 1-byte nfta_payload attribute.
> 
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
> 
> If user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
> 
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
> CVE-2022-36946
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>   net/netfilter/nfnetlink_queue.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 28efb8393591..9a82f3fc50da 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
>   }
>   
>   static int
> -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
> +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
>   {
>   	struct sk_buff *nskb;
>   
>   	if (diff < 0) {
> +		unsigned int min_len = skb_transport_offset(e->skb);
> +
> +		if (data_len < min_len)
> +			return -EINVAL;
> +
>   		if (pskb_trim(e->skb, data_len))
>   			return -ENOMEM;
>   	} else if (diff > 0) {
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Timo Aaltonen Aug. 18, 2022, 1:09 p.m. UTC | #2 
Thadeu Lima de Souza Cascardo kirjoitti 16.8.2022 klo 11.53:
> From: Florian Westphal <fw@strlen.de>
> 
> Domingo Dirutigliano and Nicola Guerrera report kernel panic when
> sending nf_queue verdict with 1-byte nfta_payload attribute.
> 
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
> 
> If user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
> 
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
> CVE-2022-36946
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---
>   net/netfilter/nfnetlink_queue.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 28efb8393591..9a82f3fc50da 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
>   }
>   
>   static int
> -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
> +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
>   {
>   	struct sk_buff *nskb;
>   
>   	if (diff < 0) {
> +		unsigned int min_len = skb_transport_offset(e->skb);
> +
> +		if (data_len < min_len)
> +			return -EINVAL;
> +
>   		if (pskb_trim(e->skb, data_len))
>   			return -ENOMEM;
>   	} else if (diff > 0) {

applied to oem-5.14, thanks
Stefan Bader Aug. 22, 2022, 8:59 a.m. UTC | #3 
On 16.08.22 10:53, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> Domingo Dirutigliano and Nicola Guerrera report kernel panic when
> sending nf_queue verdict with 1-byte nfta_payload attribute.
> 
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
> 
> If user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
> 
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
> CVE-2022-36946
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>   net/netfilter/nfnetlink_queue.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 28efb8393591..9a82f3fc50da 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
>   }
>   
>   static int
> -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
> +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
>   {
>   	struct sk_buff *nskb;
>   
>   	if (diff < 0) {
> +		unsigned int min_len = skb_transport_offset(e->skb);
> +
> +		if (data_len < min_len)
> +			return -EINVAL;
> +
>   		if (pskb_trim(e->skb, data_len))
>   			return -ENOMEM;
>   	} else if (diff > 0) {
Stefan Bader Aug. 22, 2022, 3:29 p.m. UTC | #4 
On 16.08.22 10:53, Thadeu Lima de Souza Cascardo wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> Domingo Dirutigliano and Nicola Guerrera report kernel panic when
> sending nf_queue verdict with 1-byte nfta_payload attribute.
> 
> The IP/IPv6 stack pulls the IP(v6) header from the packet after the
> input hook.
> 
> If user truncates the packet below the header size, this skb_pull() will
> result in a malformed skb (skb->len < 0).
> 
> Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
> Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164)
> CVE-2022-36946
> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
> ---

Applied to jammy,focal,bionic:linux/master-next and 
jammy:linux-hwe-5.17/hwe-5.17-next. Thanks.

-Stefan

>   net/netfilter/nfnetlink_queue.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 28efb8393591..9a82f3fc50da 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
>   }
>   
>   static int
> -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
> +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
>   {
>   	struct sk_buff *nskb;
>   
>   	if (diff < 0) {
> +		unsigned int min_len = skb_transport_offset(e->skb);
> +
> +		if (data_len < min_len)
> +			return -EINVAL;
> +
>   		if (pskb_trim(e->skb, data_len))
>   			return -ENOMEM;
>   	} else if (diff > 0) {
diff mbox series

Patch

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 28efb8393591..9a82f3fc50da 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -844,11 +844,16 @@  nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
 }
 
 static int
-nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
+nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
 {
 	struct sk_buff *nskb;
 
 	if (diff < 0) {
+		unsigned int min_len = skb_transport_offset(e->skb);
+
+		if (data_len < min_len)
+			return -EINVAL;
+
 		if (pskb_trim(e->skb, data_len))
 			return -ENOMEM;
 	} else if (diff > 0) {