iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/net
History
Florian Westphal a7d86a77c3 netfilter: nftables: exthdr: fix 4-byte stack OOB write 
commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.

If priv->len is a multiple of 4, then dst[len / 4] can write past
the destination array which leads to stack corruption.

This construct is necessary to clean the remainder of the register
in case ->len is NOT a multiple of the register size, so make it
conditional just like nft_payload.c does.

The bug was added in 4.1 cycle and then copied/inherited when
tcp/sctp and ip option support was added.

Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
ZDI-CAN-21951, ZDI-CAN-21961).

Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-10-10 21:53:40 +02:00
..
6lowpan
6lowpan: iphc: Fix an off-by-one check of array index
2021-09-15 09:50:34 +02:00
9p
9p: virtio: make sure 'offs' is initialized in zc_request
2023-09-19 12:20:04 +02:00
802
mrp: introduce active flags to prevent UAF when applicant uninit
2023-01-14 10:16:18 +01:00
8021q
vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
2023-05-30 12:57:53 +01:00
appletalk
atm
atm: hide unused procfs functions
2023-06-09 10:30:12 +02:00
ax25
net: ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg
2022-06-22 14:13:17 +02:00
batman-adv
batman-adv: Hold rtnl lock during MTU update via netlink
2023-08-30 16:23:16 +02:00
bluetooth
Bluetooth: Fix potential use-after-free when clear keys
2023-09-19 12:20:08 +02:00
bpf
bpf: Move skb->len == 0 checks into __bpf_redirect
2023-01-14 10:15:31 +01:00
bpfilter
bpfilter: Specify the log level for the kmsg message
2021-07-14 16:56:29 +02:00
bridge
net: bridge: use DEV_STATS_INC()
2023-10-10 21:53:28 +02:00
caif
net: caif: Fix use-after-free in cfusbl_device_notify()
2023-03-17 08:45:11 +01:00
can
can: bcm: Fix UAF in bcm_proc_show()
2023-07-27 08:44:35 +02:00
ceph
libceph, rbd: ignore addr->type while comparing in some cases
2023-08-30 16:23:11 +02:00
core
net: fix possible store tearing in neigh_periodic_work()
2023-10-10 21:53:38 +02:00
dcb
net: dcb: choose correct policy to parse DCB_ATTR_BCN
2023-08-11 11:57:50 +02:00
dccp
dccp: fix dccp_v4_err()/dccp_v6_err() again
2023-10-10 21:53:27 +02:00
decnet
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
dns_resolver
dsa
net: dsa: tag_sja1105: fix MAC DA patching from meta frames
2023-07-27 08:44:10 +02:00
ethernet
ethtool
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
2023-01-24 07:19:55 +01:00
hsr
hsr: Fix uninit-value access in fill_frame_info()
2023-09-19 12:20:29 +02:00
ieee802154
net: ieee802154: fix error return code in dgram_bind()
2022-11-03 23:57:51 +09:00
ife
ipv4
tcp: fix delayed ACKs for MSS boundary condition
2023-10-10 21:53:39 +02:00
ipv6
netfilter: nf_tables: add and use nft_sk helper
2023-10-10 21:53:29 +02:00
iucv
net/iucv: Fix size of interrupt data
2023-03-22 13:30:00 +01:00
kcm
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
2023-09-19 12:20:30 +02:00
key
net: af_key: fix sadb_x_filter validation
2023-08-26 15:26:51 +02:00
l2tp
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
2023-10-10 21:53:38 +02:00
l3mdev
l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu
2022-04-27 13:53:50 +02:00
lapb
llc
llc: Don't drop packet from non-root netns.
2023-07-27 08:44:40 +02:00
mac80211
wifi: mac80211: fix min center freq offset tracing
2023-05-30 12:57:53 +01:00
mac802154
mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
2022-12-14 11:32:01 +01:00
mpls
net: mpls: fix stale pointer if allocation fails during device rename
2023-02-22 12:55:58 +01:00
mptcp
inet6: Remove inet6_destroy_sock() in sk->sk_prot->destroy().
2023-04-26 11:27:41 +02:00
ncsi
ncsi: Propagate carrier gain/loss events to the NCSI controller
2023-10-10 21:53:33 +02:00
netfilter
netfilter: nftables: exthdr: fix 4-byte stack OOB write
2023-10-10 21:53:40 +02:00
netlabel
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
2023-09-19 12:20:05 +02:00
netlink
netlink: Add __sock_i_ino() for __netlink_diag_dump().
2023-07-27 08:43:43 +02:00
netrom
netrom: Deny concurrent connect().
2023-09-19 12:20:10 +02:00
nfc
net: nfc: llcp: Add lock when modifying device list
2023-10-10 21:53:38 +02:00
nsh
net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
2023-05-30 12:57:52 +01:00
openvswitch
net: openvswitch: fix possible memory leak in ovs_meter_cmd_set()
2023-02-22 12:55:57 +01:00
packet
net/packet: annotate data-races around tp->status
2023-08-16 18:21:01 +02:00
phonet
phonet: refcount leak in pep_sock_accep
2022-01-11 15:25:01 +01:00
psample
qrtr
net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume()
2023-04-20 12:10:26 +02:00
rds
net: replace calls to sock->ops->connect() with kernel_connect()
2023-10-10 21:53:37 +02:00
rfkill
rose
net/rose: Fix to not accept on connected socket
2023-02-22 12:55:53 +01:00
rxrpc
rxrpc: Fix hard call timeout units
2023-05-17 11:48:11 +02:00
sched
net/sched: Retire rsvp classifier
2023-09-23 11:01:10 +02:00
sctp
sctp: update hb timer immediately after users change hb_interval
2023-10-10 21:53:39 +02:00
smc
net/smc: use smc_lgr_list.lock to protect smc_lgr_list.list iterate in smcr_port_add
2023-09-19 12:20:29 +02:00
strparser
bpf: sockmap, strparser, and tls are reusing qdisc_skb_cb and colliding
2021-11-18 14:04:27 +01:00
sunrpc
Revert "SUNRPC dont update timeout value on connection reset"
2023-10-10 21:53:35 +02:00
switchdev
tipc
tipc: fix a potential deadlock on &tx->lock
2023-10-10 21:53:38 +02:00
tls
net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict()
2023-09-19 12:20:30 +02:00
unix
af_unix: Fix data-race around unix_tot_inflight.
2023-09-19 12:20:26 +02:00
vmw_vsock
vsock: avoid to close connected socket after the timeout
2023-05-30 12:57:52 +01:00
wimax
wireless
wifi: cfg80211: Fix return value in scan logic
2023-08-11 11:57:47 +02:00
x25
net/x25: Fix to not accept on connected socket
2023-02-15 17:22:15 +01:00
xdp
xsk: Honor SO_BINDTODEVICE on bind
2023-07-27 08:44:09 +02:00
xfrm
xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
2023-08-26 15:26:52 +02:00
compat.c
net: Return the correct errno code
2021-06-18 10:00:06 +02:00
devres.c
Kconfig
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
Makefile
Remove DECnet support from kernel
2023-06-21 15:45:38 +02:00
socket.c
net: prevent rewrite of msg_name in sock_sendmsg()
2023-10-10 21:53:37 +02:00
sysctl_net.c