iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Florian Westphal cf39c4f77a netfilter: nftables: exthdr: fix 4-byte stack OOB write 
commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-07-05 09:08:20 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:47:31 +02:00
9p
net/9p: fix uninit-value in p9_client_rpc()
2024-06-16 13:28:51 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-18 11:41:37 +01:00
8021q
vlan: skip nested type that is not IFLA_VLAN_QOS_MAPPING
2024-02-23 08:24:50 +01:00
appletalk
appletalk: Fix Use-After-Free in atalk_ioctl
2023-12-20 15:41:18 +01:00
atm
atm: Fix Use-After-Free in do_vcc_ioctl
2023-12-20 15:41:15 +01:00
ax25
ax25: Fix UAF bugs in ax25 timers
2022-04-20 09:19:40 +02:00
batman-adv
batman-adv: Avoid infinite loop trying to resize local TT
2024-05-02 16:18:28 +02:00
bluetooth
Bluetooth: L2CAP: Fix rejecting L2CAP_CONN_PARAM_UPDATE_REQ
2024-07-05 09:08:17 +02:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-18 11:41:04 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:53:33 +02:00
bridge
net: bridge: fix corrupted ethernet header on multicast-to-unicast
2024-05-17 11:43:54 +02:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:32:51 +01:00
can
can: j1939: Fix UAF in j1939_sk_match_filter during setsockopt(SO_J1939_FILTER)
2024-02-23 08:25:13 +01:00
ceph
libceph: use kernel_connect()
2023-10-25 11:53:19 +02:00
core
net: fix out-of-bounds access in ops_init
2024-05-17 11:43:55 +02:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-11 11:53:57 +02:00
dccp
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
2023-11-20 10:30:15 +01:00
decnet
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
dns_resolver
dsa
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
2023-07-27 08:37:24 +02:00
ethernet
ethernet: Add helper for assigning packet type when dest address does not match device address
2024-05-02 16:18:36 +02:00
hsr
hsr: Handle failures in module init
2024-03-26 18:22:25 -04:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:56:54 +09:00
ife
net: sched: ife: fix potential use-after-free
2024-01-08 11:29:44 +01:00
ipv4
tcp: count CLOSE-WAIT sockets for TCP_MIB_CURRESTAB
2024-07-05 09:08:11 +02:00
ipv6
net/ipv6: Fix the RT cache flush via sysctl using a previous delay
2024-07-05 09:08:17 +02:00
iucv
net/iucv: fix the allocation size of iucv_path_table array
2024-03-26 18:22:12 -04:00
kcm
net: kcm: fix incorrect parameter validation in the kcm_getsockopt) function
2024-03-26 18:22:18 -04:00
key
net: af_key: fix sadb_x_filter validation
2023-08-30 16:27:16 +02:00
l2tp
net l2tp: drop flow hash on forward
2024-05-17 11:43:49 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:50:47 +02:00
lapb
net: lapb: Copy the skb before sending a packet
2021-02-10 09:25:28 +01:00
llc
llc: call sock_orphan() at release time
2024-02-23 08:25:04 +01:00
mac80211
wifi: mac80211: Fix deadlock in ieee80211_sta_ps_deliver_wakeup()
2024-07-05 09:08:10 +02:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:30:45 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:50:41 +01:00
ncsi
net/ncsi: Fix netlink major/minor version numbers
2024-01-25 14:34:25 -08:00
netfilter
netfilter: nftables: exthdr: fix 4-byte stack OOB write
2024-07-05 09:08:20 +02:00
netlabel
calipso: fix memory leak in netlbl_calipso_add_pass()
2024-01-25 14:34:23 -08:00
netlink
netlink: Fix kernel-infoleak-after-free in __skb_datagram_iter
2024-03-06 14:36:08 +00:00
netrom
netrom: fix possible dead-lock in nr_rt_ioctl()
2024-06-16 13:28:40 +02:00
nfc
nfc: nci: Fix handling of zero-length payload packets in nci_rx_work()
2024-06-16 13:28:46 +02:00
nsh
nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment().
2024-05-17 11:43:49 +02:00
openvswitch
openvswitch: Set the skbuff pkt_type for proper pmtud support.
2024-06-16 13:28:45 +02:00
packet
af_packet: do not call packet_read_pending() from tpacket_destruct_skb()
2024-06-16 13:28:40 +02:00
phonet
phonet: fix rtm_phonet_notify() skb allocation
2024-05-17 11:43:54 +02:00
psample
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
2023-12-13 18:18:17 +01:00
qrtr
net: qrtr: fix another OOB Read in qrtr_endpoint_post
2021-09-03 10:08:12 +02:00
rds
net/rds: fix possible cp null dereference
2024-04-13 12:51:33 +02:00
rfkill
net: rfkill: gpio: set GPIO direction
2024-01-08 11:29:47 +01:00
rose
net/rose: fix races in rose_kill_by_device()
2024-01-08 11:29:44 +01:00
rxrpc
rxrpc: Fix response to PING RESPONSE ACKs to a dead call
2024-02-23 08:25:07 +01:00
sched
net/sched: taprio: always validate TCA_TAPRIO_ATTR_PRIOMAP
2024-07-05 09:08:11 +02:00
sctp
sctp: update hb timer immediately after users change hb_interval
2023-10-10 21:46:45 +02:00
smc
net/smc: fix illegal rmb_desc access in SMC-D connection dump
2024-02-23 08:24:50 +01:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-17 09:48:48 +01:00
sunrpc
SUNRPC: return proper error from gss_wrap_req_priv
2024-07-05 09:08:16 +02:00
switchdev
net: switchdev: do not propagate bridge updates across bridges
2021-10-27 09:54:24 +02:00
tipc
tipc: fix UAF in error path
2024-05-17 11:43:55 +02:00
tls
tls: stop recv() if initial process_rx_list gave us non-DATA
2024-03-01 13:13:37 +01:00
unix
af_unix: Annotate data-race of sk->sk_shutdown in sk_diag_fill().
2024-07-05 09:08:12 +02:00
vmw_vsock
virtio/vsock: fix logic which reduces credit update messages
2024-01-25 14:34:25 -08:00
wimax
wireless
wifi: cfg80211: pmsr: use correct nla_get_uX functions
2024-07-05 09:08:10 +02:00
x25
net/x25: fix incorrect parameter validation in the x25_getsockopt() function
2024-03-26 18:22:18 -04:00
xdp
xsk: validate user input for XDP_{UMEM|COMPLETION}_FILL_RING
2024-06-16 13:28:52 +02:00
xfrm
net: fix __dst_negative_advice() race
2024-06-16 13:28:52 +02:00
compat.c
net: Return the correct errno code
2021-06-18 09:59:00 +02:00
Kconfig
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
Makefile
Remove DECnet support from kernel
2023-06-21 15:44:10 +02:00
socket.c
net: Save and restore msg_namelen in sock_sendmsg
2024-01-15 18:25:26 +01:00
sysctl_net.c