git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Tue, 5 Sep 2023 21:13:56 +0000 (23:13 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 19 Sep 2023 10:28:03 +0000 (12:28 +0200)
commit	d9ebfc0f21377690837ebbd119e679243e0099cc
tree	c0a4d230b6ce8e93266a565ced1dcb1444204a9f	tree \| snapshot
parent	6cf0d1d5a50b635a59f252f168e7aa50c1ffe636	commit \| diff

netfilter: nftables: exthdr: fix 4-byte stack OOB write

[ Upstream commit fd94d9dadee58e09b49075240fe83423eb1dcd36 ]

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>