| Message ID | 20220816085305.173727-1-cascardo@canonical.com |
|---|---|
| State | New |
| Series | [SRU,B/F/J/OEM-5.14/HWE-5.17] netfilter: nf_queue: do not allow packet truncation below transport header offset |
On 8/16/22 02:53, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > Domingo Dirutigliano and Nicola Guerrera report kernel panic when > sending nf_queue verdict with 1-byte nfta_payload attribute. > > The IP/IPv6 stack pulls the IP(v6) header from the packet after the > input hook. > > If user truncates the packet below the header size, this skb_pull() will > result in a malformed skb (skb->len < 0). > > Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") > Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> > Signed-off-by: Florian Westphal <fw@strlen.de> > Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164) > CVE-2022-36946 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/netfilter/nfnetlink_queue.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 28efb8393591..9a82f3fc50da 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) > } > > static int > -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) > +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) > { > struct sk_buff *nskb; > > if (diff < 0) { > + unsigned int min_len = skb_transport_offset(e->skb); > + > + if (data_len < min_len) > + return -EINVAL; > + > if (pskb_trim(e->skb, data_len)) > return -ENOMEM; > } else if (diff > 0) { Acked-by: Tim Gardner <tim.gardner@canonical.com>
Thadeu Lima de Souza Cascardo wrote on 16.8.2022 at 11.53: > From: Florian Westphal <fw@strlen.de> > > Domingo Dirutigliano and Nicola Guerrera report kernel panic when > sending nf_queue verdict with 1-byte nfta_payload attribute. > > The IP/IPv6 stack pulls the IP(v6) header from the packet after the > input hook. > > If user truncates the packet below the header size, this skb_pull() will > result in a malformed skb (skb->len < 0). > > Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") > Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> > Signed-off-by: Florian Westphal <fw@strlen.de> > Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164) > CVE-2022-36946 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- > net/netfilter/nfnetlink_queue.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 28efb8393591..9a82f3fc50da 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) > } > > static int > -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) > +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) > { > struct sk_buff *nskb; > > if (diff < 0) { > + unsigned int min_len = skb_transport_offset(e->skb); > + > + if (data_len < min_len) > + return -EINVAL; > + > if (pskb_trim(e->skb, data_len)) > return -ENOMEM; > } else if (diff > 0) { applied to oem-5.14, thanks
On 16.08.22 10:53, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > Domingo Dirutigliano and Nicola Guerrera report kernel panic when > sending nf_queue verdict with 1-byte nfta_payload attribute. > > The IP/IPv6 stack pulls the IP(v6) header from the packet after the > input hook. > > If user truncates the packet below the header size, this skb_pull() will > result in a malformed skb (skb->len < 0). > > Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") > Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> > Signed-off-by: Florian Westphal <fw@strlen.de> > Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164) > CVE-2022-36946 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Stefan Bader <stefan.bader@canonical.com> > --- > net/netfilter/nfnetlink_queue.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 28efb8393591..9a82f3fc50da 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) > } > > static int > -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) > +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) > { > struct sk_buff *nskb; > > if (diff < 0) { > + unsigned int min_len = skb_transport_offset(e->skb); > + > + if (data_len < min_len) > + return -EINVAL; > + > if (pskb_trim(e->skb, data_len)) > return -ENOMEM; > } else if (diff > 0) {
On 16.08.22 10:53, Thadeu Lima de Souza Cascardo wrote: > From: Florian Westphal <fw@strlen.de> > > Domingo Dirutigliano and Nicola Guerrera report kernel panic when > sending nf_queue verdict with 1-byte nfta_payload attribute. > > The IP/IPv6 stack pulls the IP(v6) header from the packet after the > input hook. > > If user truncates the packet below the header size, this skb_pull() will > result in a malformed skb (skb->len < 0). > > Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") > Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me> > Signed-off-by: Florian Westphal <fw@strlen.de> > Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> > (cherry picked from commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164) > CVE-2022-36946 > Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> > --- Applied to jammy,focal,bionic:linux/master-next and jammy:linux-hwe-5.17/hwe-5.17-next. Thanks. -Stefan > net/netfilter/nfnetlink_queue.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 28efb8393591..9a82f3fc50da 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) > } > > static int > -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) > +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) > { > struct sk_buff *nskb; > > if (diff < 0) { > + unsigned int min_len = skb_transport_offset(e->skb); > + > + if (data_len < min_len) > + return -EINVAL; > + > if (pskb_trim(e->skb, data_len)) > return -ENOMEM; > } else if (diff > 0) {
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 28efb8393591..9a82f3fc50da 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -844,11 +844,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) } static int -nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) +nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) { struct sk_buff *nskb; if (diff < 0) { + unsigned int min_len = skb_transport_offset(e->skb); + + if (data_len < min_len) + return -EINVAL; + if (pskb_trim(e->skb, data_len)) return -ENOMEM; } else if (diff > 0) {
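Review bot: the new `if (data_len < min_len) return -EINVAL;` guard in the `diff < 0` branch carries no comment explaining why the transport header offset is the lower bound; the reasoning (the IP/IPv6 input path pulls the network header after the hook, so a shorter packet leaves skb->len negative) lives only in the changelog and should sit next to the check, e.g. `/* stack still pulls the network header after the hook */`. Two smaller points on the same lines: `min_len` is declared `unsigned int` and `data_len` is changed from `int` to `unsigned int`, so the comparison is now unsigned, which rejects rather than accepts any odd value and is the safe direction, but is worth stating in that comment; and the bound is applied only to the truncation branch, which matches the report, since the `diff > 0` path grows the buffer rather than trimming it.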
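The failure mode the commit message describes (trim the queued packet below the header, then the stack's skb_pull() leaves skb->len negative) and the bound the patch adds can be shown with a small user-space model. The following is an added example, not kernel code and not part of the patch or the thread: `struct model_skb`, `mangle_truncate_unchecked`, `mangle_truncate_checked`, `stack_pull_network_header` and `simulate_verdict` are hypothetical stand-ins for the sk_buff fields and the calls the hunk touches, and the 60-byte packet with a 20-byte IPv4 header is a constructed sample.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed user-space model (hypothetical, not kernel code) of the
 * length accounting that nfqnl_mangle() and the IP input path perform on
 * a queued packet.  Only the two fields the check touches are modelled.
 */
struct model_skb {
    int len;              /* skb->len: bytes of packet data present   */
    int transport_offset; /* skb_transport_offset(): L4 header offset */
};

/* Pre-fix behaviour: honour whatever length user space asked for. */
static int mangle_truncate_unchecked(struct model_skb *skb, unsigned int data_len)
{
    skb->len = (int)data_len;   /* stand-in for pskb_trim(skb, data_len) */
    return 0;
}

/* Fixed behaviour: refuse any trim that would cut into the headers the
 * stack still has to pull; the transport header offset is the bound. */
static int mangle_truncate_checked(struct model_skb *skb, unsigned int data_len)
{
    unsigned int min_len = (unsigned int)skb->transport_offset;

    if (data_len < min_len)
        return -EINVAL;
    skb->len = (int)data_len;
    return 0;
}

/* What the IP/IPv6 input path does once the hook has returned the packet:
 * pull the network header.  Returns the resulting skb->len. */
static int stack_pull_network_header(struct model_skb *skb)
{
    skb->len -= skb->transport_offset;   /* stand-in for skb_pull(skb, hdrlen) */
    return skb->len;
}

/*
 * Run one reinjected verdict that carries a payload of data_len bytes.
 * Returns -EINVAL if the (fixed) mangle step rejects it; otherwise the
 * skb->len the stack is left with after pulling the network header.
 * A negative length from the unchecked path is exactly the malformed
 * skb (skb->len < 0) described in the commit message.
 */
static int simulate_verdict(bool fixed, unsigned int data_len)
{
    /* constructed sample: 20-byte IPv4 header followed by 40 payload bytes */
    struct model_skb skb = { .len = 60, .transport_offset = 20 };
    int err = fixed ? mangle_truncate_checked(&skb, data_len)
                    : mangle_truncate_unchecked(&skb, data_len);

    if (err)
        return err;
    return stack_pull_network_header(&skb);
}

int main(void)
{
    printf("unchecked, payload 1  -> len %d\n", simulate_verdict(false, 1));
    printf("checked,   payload 1  -> %d (-EINVAL)\n", simulate_verdict(true, 1));
    printf("checked,   payload 20 -> len %d\n", simulate_verdict(true, 20));
    printf("checked,   payload 40 -> len %d\n", simulate_verdict(true, 40));
    return 0;
}
```

With the unchecked model a 1-byte payload leaves a length of -19 after the header pull; with the bound in place the same verdict is refused with -EINVAL, while any length of at least the transport offset (20 here) still passes and is trimmed as before.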