anolis-cloud-kernel/net
Florian Westphal 5579010831 netfilter: nftables: exthdr: fix 4-byte stack OOB write
ANBZ: #9412

commit fd94d9dade upstream.

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in the 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f6430 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d7 ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[Fixes conflicts]
Fixes: CVE-2023-52628
Signed-off-by: Xiao Long <xiaolong@openanolis.org>
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
Reviewed-by: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
Link: https://gitee.com/anolis/cloud-kernel/pulls/3416
2024-06-27 10:49:18 +00:00
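The commit message above describes the defect in one sentence: an unconditional `dst[len / 4] = 0` that is meant to zero the trailing bytes of a partially filled 32-bit register, but which lands one word past the destination whenever `len` is a multiple of the register size. The following C program is an added model of that pattern, written for this page; it is not code from the kernel, from this commit, or from the Anolis project. It assumes a flat 32-bit register file of 20 words (`REG32_COUNT`, a constructed size), a constructed 16-byte option payload in place of the bytes `skb_copy_bits()` would return, and the helper names `exthdr_load_vuln`, `exthdr_load_fixed`, `words_clobbered` and `tail_bytes_zeroed`, all invented here. The vulnerable loader uses the unconditional clear; the fixed loader uses the `if (len % NFT_REG32_SIZE)` guard the commit message says `nft_payload.c` already used. A guard word after the register file stands in for whatever follows the registers in the stack frame.

```c
/* Added model of the nft_exthdr register-clear bug; not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFT_REG32_SIZE 4
#define REG32_COUNT    20          /* constructed register-file size (assumption) */
#define GUARD          0xDEADBEEFu /* models the stack slot after the register file */

/* Constructed option bytes standing in for what skb_copy_bits() would return. */
static const uint8_t sample_opt[16] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };

/* Before the fix: the partial-word clear runs unconditionally. */
static void exthdr_load_vuln(uint32_t *dest, const uint8_t *src, unsigned int len)
{
    dest[len / NFT_REG32_SIZE] = 0;   /* len % 4 == 0 -> one word past the destination */
    memcpy(dest, src, len);
}

/* After the fix: clear only when a partial word is actually left over. */
static void exthdr_load_fixed(uint32_t *dest, const uint8_t *src, unsigned int len)
{
    if (len % NFT_REG32_SIZE)
        dest[len / NFT_REG32_SIZE] = 0;
    memcpy(dest, src, len);
}

/*
 * Run one load with the destination at register index dreg and return how
 * many 32-bit words outside the destination span changed (guard included).
 * Returns -1 for a dreg/len pair that would not fit the register file.
 */
int words_clobbered(int use_fix, unsigned int dreg, unsigned int len)
{
    uint32_t frame[REG32_COUNT + 1];
    unsigned int span = (len + NFT_REG32_SIZE - 1) / NFT_REG32_SIZE; /* words the copy needs */
    unsigned int i, clobbered = 0;

    if (dreg + span > REG32_COUNT || len > sizeof(sample_opt))
        return -1;   /* a real rule of this shape is rejected when the rule is loaded */

    for (i = 0; i < REG32_COUNT; i++)
        frame[i] = 0xA5A5A500u | i;  /* stale register contents */
    frame[REG32_COUNT] = GUARD;

    if (use_fix)
        exthdr_load_fixed(&frame[dreg], sample_opt, len);
    else
        exthdr_load_vuln(&frame[dreg], sample_opt, len);

    for (i = 0; i < REG32_COUNT; i++)
        if ((i < dreg || i >= dreg + span) && frame[i] != (0xA5A5A500u | i))
            clobbered++;
    if (frame[REG32_COUNT] != GUARD)
        clobbered++;
    return (int)clobbered;
}

/* 1 if, after a load of len bytes, the unused bytes of the last destination
 * word are zero (the property the clear exists to guarantee). */
int tail_bytes_zeroed(int use_fix, unsigned int len)
{
    uint32_t frame[REG32_COUNT + 1];
    uint8_t bytes[NFT_REG32_SIZE];
    unsigned int last, k;

    if (len == 0 || len > sizeof(sample_opt))
        return 1;   /* nothing copied, nothing to zero */
    last = (len - 1) / NFT_REG32_SIZE;

    for (k = 0; k < REG32_COUNT + 1; k++)
        frame[k] = 0xFFFFFFFFu;  /* all-ones so a missed clear is visible */

    if (use_fix)
        exthdr_load_fixed(frame, sample_opt, len);
    else
        exthdr_load_vuln(frame, sample_opt, len);

    memcpy(bytes, &frame[last], sizeof(bytes));
    for (k = len % NFT_REG32_SIZE; k && k < NFT_REG32_SIZE; k++)
        if (bytes[k] != 0)
            return 0;
    return 1;
}

int main(void)
{
    printf("len=16 dreg=0  vuln : %d word(s) clobbered\n", words_clobbered(0, 0, 16));
    printf("len=16 dreg=0  fixed: %d word(s) clobbered\n", words_clobbered(1, 0, 16));
    printf("len=16 dreg=16 vuln : %d word(s) clobbered (guard hit)\n", words_clobbered(0, 16, 16));
    printf("len=14 dreg=0  fixed: tail zeroed=%d\n", tail_bytes_zeroed(1, 14));
    return 0;
}
```

With `len = 16` the vulnerable loader zeroes the word right after the destination: with the destination in the middle of the register file that is a neighbouring register, and with the destination at the end it is the guard word, which is the stack-corruption case the commit message names. With `len = 14` both loaders leave the two unused bytes of the last word zero, so the conditional form keeps the clearing behaviour the construct was introduced for.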
6lowpan
9p iov_iter: Separate type from direction and use accessor functions 2020-01-17 16:08:03 +08:00
802
8021q vlan: disable SIOCSHWTSTAMP in container 2019-05-16 19:41:30 +02:00
appletalk appletalk: Set error code if register_snap_client failed 2019-12-13 08:52:59 +01:00
atm net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-10-05 13:09:32 +02:00
batman-adv batman-adv: Avoid free/alloc race when handling OGM buffer 2019-11-06 13:06:22 +01:00
bluetooth Bluetooth: rfcomm: Fix null-ptr-deref in rfcomm_check_security 2024-03-11 12:31:16 +00:00
bpf bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN 2024-01-29 02:03:52 +00:00
bpfilter net: bpfilter: disallow to remove bpfilter module while being used 2023-12-08 11:45:57 +08:00
bridge net: bridge: deny dev_set_mac_address() when unregistering 2019-12-21 10:57:10 +01:00
caif caif: fix memory leak in cfctrl_linkup_request() 2023-02-25 11:55:25 -05:00
can can: bcm: delay release of struct bcm_op after synchronize_rcu() 2021-11-12 17:43:28 +08:00
ceph iov_iter: Separate type from direction and use accessor functions 2020-01-17 16:08:03 +08:00
core anolis: Revert "bpf: add bpf helper bpf_skb_ecn_set_ce" 2024-06-03 02:21:14 +00:00
dcb
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-10-29 10:12:40 +08:00
decnet decnet: fix DN_IFREQ_SIZE 2019-12-05 09:21:07 +01:00
dns_resolver
dsa net: dsa: fix switch tree list 2019-11-10 11:27:53 +01:00
ethernet net: pass net_device argument to the eth_get_headlen 2024-01-04 04:36:06 +00:00
hookers anolis: arm64: hookers: flush proper tlb range 2021-11-22 20:26:12 +08:00
hsr net/hsr: fix possible crash in add_timer() 2019-03-19 13:12:38 +01:00
ieee802154 ieee802154: enforce CAP_NET_RAW for raw sockets 2019-10-05 13:09:32 +02:00
ife
ipv4 tcp: add skb-less helpers to retrieve SYN cookie 2024-01-29 17:38:59 +08:00
ipv6 tcp: add skb-less helpers to retrieve SYN cookie 2024-01-29 17:38:59 +08:00
iucv Revert "net: simplify sock_poll_wait" 2018-11-04 14:50:51 +01:00
kcm kcm: disable preemption in kcm_parse_func_strparser() 2024-02-02 09:44:49 +00:00
key af_key: Do not call xfrm_probe_algs in parallel 2022-12-05 03:11:38 +00:00
l2tp l2tp: Serialize access to sk_user_data with sk_callback_lock 2023-03-29 09:13:50 +00:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:15:13 +02:00
llc llc: avoid blocking in llc_sap_close() 2019-11-20 18:46:35 +01:00
mac80211 mac80211: extend protection against mixed key and fragment cache attacks 2021-10-28 19:22:02 +08:00
mac802154
mpls net: mpls: fix stale pointer if allocation fails during device rename 2023-03-29 06:46:56 +00:00
ncsi
netfilter netfilter: nftables: exthdr: fix 4-byte stack OOB write 2024-06-27 10:49:18 +00:00
netlabel netlabel: cope with NULL catmap 2020-06-09 11:37:14 +08:00
netlink genetlink: Fix a memory leak on error path 2019-04-03 06:26:15 +02:00
netrom netrom: hold sock when setting skb->destructor 2019-07-28 08:29:27 +02:00
nfc nfc: fix refcount leak in llcp_sock_connect() 2023-03-29 07:02:27 +00:00
nsh
openvswitch net: openvswitch: fix flow memory leak in ovs_flow_cmd_new 2024-01-29 03:24:20 +00:00
packet af_packet: set defaule value for tmo 2024-05-06 07:57:11 +00:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 09:21:30 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2022-03-25 07:56:49 +00:00
rds rds: rds_rm_zerocopy_callback() use list_first_entry() 2023-06-20 12:40:04 +00:00
rfkill
rose net: rose: fix UAF bugs caused by timer handler 2022-07-13 07:46:20 +00:00
rxrpc rxrpc: Fix trace-after-put looking at the put peer record 2019-11-06 13:06:24 +01:00
sched net: sched: sch_qfq: Fix UAF in qfq_dequeue() 2023-10-24 11:30:19 +00:00
sctp sctp: fail if no bound addresses can be used for a given scope 2023-03-29 06:46:31 +00:00
smc iov_iter: Separate type from direction and use accessor functions 2020-01-17 16:08:03 +08:00
strparser bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding 2023-08-14 11:05:52 +00:00
sunrpc xprtrdma: fix incorrect header size calculations 2023-01-02 13:13:41 +00:00
switchdev
tipc tipc: fix NULL deref in tipc_link_xmit() 2024-01-12 02:54:56 +00:00
tls iov_iter: Separate type from direction and use accessor functions 2020-01-17 16:08:03 +08:00
unix af_unix: Fix null-ptr-deref in unix_stream_sendpage(). 2023-09-13 11:53:43 +00:00
vmw_vsock vsock: Fix memory leak in vsock_connect() 2022-12-05 03:10:01 +00:00
wimax
wireless cfg80211: mitigate A-MSDU aggregation attacks 2021-10-28 19:22:01 +08:00
x25 net/x25: Fix null-ptr-deref caused by x25_disconnect 2022-12-05 03:04:04 +00:00
xdp xsk: Restructure/inline XSKMAP lookup/redirect/flush 2024-02-23 14:16:16 +08:00
xfrm xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() 2022-11-01 03:09:35 +00:00
Kconfig bpf, sockmap: convert to generic sk_msg interface 2023-08-08 08:03:40 +00:00
Makefile net: split out functions related to registering inflight socket files 2020-01-17 16:08:16 +08:00
compat.c net: abstract out normal and compat msghdr import 2020-06-04 11:33:53 +08:00
socket.c bpf: implement getsockopt and setsockopt hooks 2024-01-23 08:14:30 +00:00
sysctl_net.c