commit fd94d9d upstream.
If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.
This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.
The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.
Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).
Fixes: 49499c3 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f6 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc20 ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Signed-off-by: SeongJae Park <[email protected]>
(cherry picked from commit 806fac5f5939d55f4538ea59508a62385a1ba0ca)
[Vegard: note that nft_exthdr_ipv4_eval() was introduced in commit
dbb5281 ("netfilter: nf_tables: add support for matching IPv4 options"; v5.3)
and nft_exthdr_sctp_eval() was introduced in commit
133dc20 ("netfilter: nft_exthdr: Support SCTP chunks"; v5.14); neither patch
is present in 4.14, which is why these changes have been dropped compared to
the mainline patch. Also, this fixes CVE-2023-52628.]
Signed-off-by: Vegard Nossum <[email protected]>
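The commit message describes an unconditional store to `dst[len / 4]` that lands one 32-bit word past the data whenever `len` is a multiple of 4. The following is an added, self-contained model of that pattern and of the conditional form the fix adopts; it is not the kernel's nft_exthdr code and is not part of this commit. The function names, the `enum copy_result` values and the register-array sizes are assumptions made for the illustration. Instead of corrupting memory, the model checks the index the store would use and reports an out-of-range write, which is the property a reviewer or a fuzz harness would want to observe.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of the register-write pattern described in the
 * commit message. Not kernel code: names and sizes are assumptions.
 *
 * Registers are 32-bit words. A header/option payload of `len` bytes is
 * copied into consecutive words. When `len` is not a multiple of 4 the
 * last word is only partially filled, so its remaining bytes must be
 * zeroed; when `len` IS a multiple of 4 there is nothing to clear.
 */

#define WORD 4

enum copy_result {
    COPY_OK = 0,
    COPY_ERANGE = -1   /* the store would go past the register array */
};

/* Index of the word that the remainder-clearing store targets. */
static size_t tail_word(size_t len)
{
    return len / WORD;
}

/* Number of whole words needed to hold `len` bytes. */
static size_t words_needed(size_t len)
{
    return (len + WORD - 1) / WORD;
}

/*
 * Vulnerable pattern: always zero dst[len / 4] before copying. For a
 * destination sized exactly for the payload and a `len` that is a
 * multiple of 4, that index is one word past the end. The model refuses
 * the store and reports it rather than writing out of bounds.
 */
static enum copy_result copy_unconditional_clear(uint32_t *dst, size_t ndst,
                                                 const uint8_t *src, size_t len)
{
    if (words_needed(len) > ndst || tail_word(len) >= ndst)
        return COPY_ERANGE;
    dst[tail_word(len)] = 0;
    memcpy(dst, src, len);
    return COPY_OK;
}

/*
 * Fixed pattern: clear the tail word only when a partial word exists
 * (len % 4 != 0), the conditional form the commit takes from nft_payload.c.
 */
static enum copy_result copy_conditional_clear(uint32_t *dst, size_t ndst,
                                               const uint8_t *src, size_t len)
{
    if (words_needed(len) > ndst)
        return COPY_ERANGE;
    if (len % WORD)
        dst[tail_word(len)] = 0;
    memcpy(dst, src, len);
    return COPY_OK;
}

/* Scenario 1: 8-byte payload into exactly 2 words (len multiple of 4).
 * Returns true when the unconditional form is flagged out of range and
 * the conditional form copies the bytes intact. */
static bool demo_multiple_of_four(void)
{
    const uint8_t src[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed sample */
    uint32_t dst[2] = {0xffffffffu, 0xffffffffu};

    if (copy_unconditional_clear(dst, 2, src, 8) != COPY_ERANGE)
        return false;
    if (copy_conditional_clear(dst, 2, src, 8) != COPY_OK)
        return false;
    return memcmp(dst, src, 8) == 0;
}

/* Scenario 2: 5-byte payload into 2 words (partial last word).
 * Returns true when both forms leave bytes 5..7 zeroed after the copy. */
static bool demo_partial_word(void)
{
    const uint8_t src[5] = {1, 2, 3, 4, 5};            /* constructed sample */
    uint32_t a[2] = {0xffffffffu, 0xffffffffu};
    uint32_t b[2] = {0xffffffffu, 0xffffffffu};
    const uint8_t *pa = (const uint8_t *)a, *pb = (const uint8_t *)b;

    if (copy_unconditional_clear(a, 2, src, 5) != COPY_OK)
        return false;
    if (copy_conditional_clear(b, 2, src, 5) != COPY_OK)
        return false;
    return memcmp(a, b, sizeof a) == 0 && pa[4] == 5 &&
           pa[5] == 0 && pa[6] == 0 && pa[7] == 0 && pb[7] == 0;
}

int main(void)
{
    printf("len multiple of 4: unconditional store flagged = %s\n",
           demo_multiple_of_four() ? "yes" : "no");
    printf("partial word: tail zeroed by both forms = %s\n",
           demo_partial_word() ? "yes" : "no");
    return 0;
}
```

The two scenarios show why the construct is both necessary and dangerous: with a 5-byte payload the clearing store is what zeroes bytes 5 through 7 of the second word, but with an 8-byte payload the same store targets a third word that does not exist, which in the kernel context is the stack corruption the commit describes.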