From patchwork Fri Oct 27 12:01:20 2023
X-Patchwork-Submitter: Magali Lemes
X-Patchwork-Id: 1856176
From: Magali Lemes
To: kernel-team@lists.ubuntu.com
Subject: [SRU][F/J/L/M][PATCH 1/1] netfilter: nfnetlink_osf: avoid OOB read
Date: Fri, 27 Oct 2023 09:01:20 -0300
Message-Id: <20231027120120.379923-2-magali.lemes@canonical.com>
In-Reply-To: <20231027120120.379923-1-magali.lemes@canonical.com>
References: <20231027120120.379923-1-magali.lemes@canonical.com>

From: Wander Lairson Costa

The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.

BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431

CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
 nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
 nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
 nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
 expr_call_ops_eval net/netfilter/nf_tables_core.c:214
 nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
 nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
 [..]

Also add validation to genre, subtype and version fields.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong
Signed-off-by: Wander Lairson Costa
Signed-off-by: Florian Westphal
(cherry picked from commit f4f8a7803119005e87b716874bec07c751efafec)
CVE-2023-39189
Signed-off-by: Magali Lemes
---
 net/netfilter/nfnetlink_osf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 9dbaa5ce24e5..573a372e760f 100644
--- a/net/netfilter/nfnetlink_osf.c +++ b/net/netfilter/nfnetlink_osf.c @@ -316,6 +316,14 @@ static int nfnl_osf_add_callback(struct net *net, struct sock *ctnl, f = nla_data(osf_attrs[OSF_ATTR_FINGER]); + if (f->opt_num > ARRAY_SIZE(f->opt)) + return -EINVAL; + + if (!memchr(f->genre, 0, MAXGENRELEN) || + !memchr(f->subtype, 0, MAXGENRELEN) || + !memchr(f->version, 0, MAXGENRELEN)) + return -EINVAL; + kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL); if (!kf) return -ENOMEM;
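Review bot: the two new checks are correct but would benefit from a short comment in nfnl_osf_add_callback explaining the boundaries, because both are easy to misread on a later pass. `f->opt_num > ARRAY_SIZE(f->opt)` deliberately allows opt_num == ARRAY_SIZE(f->opt), since opt_num is a count and the consumer indexes 0..opt_num-1, so a reader tempted to "tighten" it to `>=` would reject valid fingerprints; and the three `memchr(..., 0, MAXGENRELEN)` tests guarantee the copied genre/subtype/version strings are NUL-terminated inside their buffers, which the commit message only describes as "also add validation". Placing the checks before `kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL)` is the right order, as the -EINVAL path then has nothing to free.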
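To show why the patch's bounds are what they are, here is an added user-space model of the validation and of the consuming loop it protects; it is not kernel code, and the struct layout, the MAXGENRELEN/MAX_IPOPTLEN values and all function names are assumptions chosen to mirror the patch, not the kernel's own definitions.

```c
#include <stdint.h>
#include <string.h>
#define OSF_EINVAL 22
#define MAXGENRELEN 32   /* assumed, mirrors the kernel constant */
#define MAX_IPOPTLEN 40  /* assumed, mirrors the kernel constant */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))
/* Simplified stand-in for the kernel's struct nf_osf_user_finger. */
struct osf_user_finger {
	char genre[MAXGENRELEN], version[MAXGENRELEN], subtype[MAXGENRELEN];
	uint16_t opt_num;               /* user-controlled count of opt[] */
	struct osf_opt { uint16_t kind, length; } opt[MAX_IPOPTLEN];
};
/* The checks the patch adds: opt_num is a count, so == ARRAY_SIZE is
 * still in range (indices 0..opt_num-1); each string must hold a NUL
 * inside its buffer so later C-string use cannot read past the end. */
int osf_finger_validate(const struct osf_user_finger *f)
{
	if (f->opt_num > ARRAY_SIZE(f->opt))
		return -OSF_EINVAL;
	if (!memchr(f->genre, 0, MAXGENRELEN) ||
	    !memchr(f->subtype, 0, MAXGENRELEN) ||
	    !memchr(f->version, 0, MAXGENRELEN))
		return -OSF_EINVAL;
	return 0;
}
/* Consumer modelled on the match loop: an unvalidated large opt_num would
 * index opt[] past its end, the slab-out-of-bounds read KASAN reported. */
int osf_count_opts_of_kind(const struct osf_user_finger *f, uint16_t kind)
{
	int n = 0;
	if (osf_finger_validate(f))
		return -OSF_EINVAL;
	for (uint16_t i = 0; i < f->opt_num; i++)
		n += (f->opt[i].kind == kind);
	return n;
}
/* Constructed fingerprint for exercising the checks: opt_num options of
 * kind 2; terminate == 0 fills genre with no NUL, as hostile input might. */
int osf_count_case(uint16_t opt_num, int terminate)
{
	struct osf_user_finger f = {0};
	strcpy(f.genre, "Linux"); strcpy(f.version, "2.6"); strcpy(f.subtype, "x");
	if (!terminate)
		memset(f.genre, 'A', MAXGENRELEN);
	f.opt_num = opt_num;
	for (size_t i = 0; i < ARRAY_SIZE(f.opt) && i < opt_num; i++)
		f.opt[i].kind = 2;
	return osf_count_opts_of_kind(&f, 2);
}
```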