
Please ingest this backport of CVE-2023-52628 fix #2

Closed

Commits on May 21, 2024

  1. netfilter: nftables: exthdr: fix 4-byte stack OOB write

    commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.
    
    If priv->len is a multiple of 4, then dst[len / 4] can write past
    the destination array which leads to stack corruption.
    
    This construct is necessary to clean the remainder of the register
    in case ->len is NOT a multiple of the register size, so make it
    conditional just like nft_payload.c does.
    
    The bug was added in 4.1 cycle and then copied/inherited when
    tcp/sctp and ip option support was added.
    
    Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
    ZDI-CAN-21951, ZDI-CAN-21961).
    
    Fixes: 49499c3 ("netfilter: nf_tables: switch registers to 32 bit addressing")
    Fixes: 935b7f6 ("netfilter: nft_exthdr: add TCP option matching")
    Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
    Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Signed-off-by: SeongJae Park <sjpark@amazon.com>
    Florian Westphal authored and sj-aws committed May 21, 2024
    Commit 806fac5
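The commit message describes an unconditional `dst[len / 4] = 0` that lands one register past the destination whenever `len` is a multiple of the 32-bit register size, and a fix that clears the tail register only when `len` leaves a partial one. The following is an added, user-space model of that pattern, not the kernel's nft_exthdr code: `NFT_REG32_SIZE` is the kernel's 4-byte register size, while `NREGS`, the `check` harness and the canary word that stands in for the next stack slot are assumptions made here to make the out-of-bounds write observable.

```c
#include <stdint.h>
#include <string.h>

#define NFT_REG32_SIZE 4   /* one nft 32-bit register is 4 bytes (kernel macro) */
#define NREGS 4            /* registers the model hands to the copy (assumed) */
#define CANARY 0xdeadbeefu /* stands in for whatever follows the registers on the stack */

typedef void (*copy_fn)(uint32_t *dst, const uint8_t *src, unsigned len);

/* Buggy pattern from the commit message: always zero the register after the
 * copied bytes. When len is a multiple of 4 there is no partial register to
 * clean, and dst[len / 4] is the word just past the last register. */
static void copy_vulnerable(uint32_t *dst, const uint8_t *src, unsigned len)
{
	dst[len / NFT_REG32_SIZE] = 0;
	memcpy(dst, src, len);
}

/* Fixed pattern: clean the tail register only when len leaves a partial one. */
static void copy_fixed(uint32_t *dst, const uint8_t *src, unsigned len)
{
	if (len % NFT_REG32_SIZE)
		dst[len / NFT_REG32_SIZE] = 0;
	memcpy(dst, src, len);
}

/* Copy len constructed bytes into a register file followed by a canary word.
 * Returns 0 when all is well, 1 when the canary was overwritten (the OOB
 * write), 2 when stale bytes of a partial register were left uncleared. */
static int check(copy_fn copy, unsigned len)
{
	uint32_t words[NREGS + 1];          /* NREGS registers, then the canary */
	uint8_t src[NREGS * NFT_REG32_SIZE];
	const uint8_t *b = (const uint8_t *)words;
	unsigned i, end = (len + NFT_REG32_SIZE - 1) / NFT_REG32_SIZE * NFT_REG32_SIZE;

	memset(src, 0xaa, sizeof src);      /* constructed option/header bytes */
	memset(words, 0xff, sizeof words);  /* stale register contents */
	words[NREGS] = CANARY;
	copy(words, src, len);
	if (words[NREGS] != CANARY)
		return 1;
	for (i = len; i < end; i++)         /* remainder of the partial register */
		if (b[i] != 0)
			return 2;
	return 0;
}
```

With `len` equal to the full register file (16 bytes) the vulnerable variant clobbers the canary, while the fixed variant leaves it intact and still zeroes the remainder for a partial length such as 6.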