From patchwork Thu Feb 1 19:51:06 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1894180
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Focal][PATCH 1/1] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Date: Thu, 1 Feb 2024 13:51:06 -0600
Message-Id: <20240201195106.26487-2-bethany.jamison@canonical.com>
In-Reply-To: <20240201195106.26487-1-bethany.jamison@canonical.com>
References: <20240201195106.26487-1-bethany.jamison@canonical.com>

From: Dan Carpenter

The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.

I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of the time we only write one element.

Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter
Signed-off-by: Pablo Neira Ayuso
(backported from commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63)
[bjamison: code is structured differently in upstream - found the relevant
 chunks of code and implemented the changes from the fix commit]
CVE-2024-0607
Signed-off-by: Bethany Jamison
---
 include/net/netfilter/nf_tables.h | 4 ++--
 net/netfilter/nft_byteorder.c     | 5 +++--
 net/netfilter/nft_meta.c          | 2 +-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 8e5d88e21e47..b746a77087bd 100644
--- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -130,9 +130,9 @@ static inline u16 nft_reg_load16(u32 *sreg) return *(u16 *)sreg; } -static inline void nft_reg_store64(u32 *dreg, u64 val) +static inline void nft_reg_store64(u64 *dreg, u64 val) { - put_unaligned(val, (u64 *)dreg); + put_unaligned(val, dreg); } static inline u64 nft_reg_load64(u32 *sreg) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index 7b0b8fecb220..9d250bd60bb8 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c @@ -38,20 +38,21 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->size) { case 8: { + u64 *dst64 = (void *)dst; u64 src64; switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 8; i++) { src64 = nft_reg_load64(&src[i]); - nft_reg_store64(&dst[i], be64_to_cpu(src64)); + nft_reg_store64(&dst64[i], be64_to_cpu(src64)); } break; case NFT_BYTEORDER_HTON: for (i = 0; i < priv->len / 8; i++) { src64 = (__force __u64) cpu_to_be64(nft_reg_load64(&src[i])); - nft_reg_store64(&dst[i], src64); + nft_reg_store64(&dst64[i], src64); } break; } diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index ec2798ff822e..ac7d3c78501b 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -247,7 +247,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ); break; case NFT_META_TIME_NS: - nft_reg_store64(dest, ktime_get_real_ns()); + nft_reg_store64((u64 *)dest, ktime_get_real_ns()); break; case NFT_META_TIME_DAY: nft_reg_store8(dest, nft_meta_weekday(ktime_get_real_seconds()));
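Review bot: in the nf_tables.h hunk, changing nft_reg_store64() to take u64 *dreg leaves nft_reg_load64() in the trailing context still taking u32 *sreg, so the 64-bit load/store pair is now asymmetric and every store caller has to cast, as nft_meta.c does. Because the backport note says Focal's code is structured differently from upstream, please confirm that nft_byteorder.c and nft_meta.c (the only other files in the diffstat) are the only nft_reg_store64() callers in this tree; any caller not updated here would now trip an incompatible pointer type diagnostic. A one-line comment on nft_reg_store64() saying that dreg must point into the u32 register array with 8 bytes of room would help the next reader.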
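Review bot: in the nft_byteorder.c hunk, the store side now steps through dst64[i] in 8-byte units, but the load side of the same loops still reads nft_reg_load64(&src[i]) with src indexed as u32, so for priv->len > 8 the i-th source read starts 4*i bytes in while the i-th store lands 8*i bytes in. This matches the upstream commit c301f0981fdd cited in the message, so it is not a backport defect, but a short comment on the loop (or a follow-up) would make clear whether the overlapping source reads are intended; as the commit message notes, len is almost always 8, which is why the store-side bug went unnoticed.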
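Review bot: in the nft_meta.c hunk, `nft_reg_store64((u64 *)dest, ktime_get_real_ns());` is correct because NFT_META_TIME_NS writes one 64-bit value into dest[0] and dest[1] of the u32 register array, but the explicit cast also discards the type check the header change just introduced. Keeping the cast at this single call site is fine; adding a brief comment ("one u64 spanning dest[0..1]") would document why the cast is safe, and the same pattern should be used for any other store-into-dest site the Focal backport has to touch.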
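The stride bug the commit message describes, shown on a constructed stand-in for the u32 register array (an added example, not code from the patch or the kernel; regs, sample_vals, store64 and load64 are assumptions that mirror put_unaligned/get_unaligned, not kernel helpers):

```c
/* Added example, not code from the patch or the kernel: models the u32 register
 * array nft_byteorder_eval() stores 64-bit results into. Pre-fix indexing (&dst[i]
 * on a u32 *) steps 4 bytes per 8-byte store, so values overlap; &dst64[i] does not. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NREGS 8
static uint32_t regs[NREGS];                 /* constructed register file, 32 bytes */
static const uint64_t sample_vals[2] = { 0x1111111111111111ULL, 0x2222222222222222ULL };

/* Stand-ins for put_unaligned()/get_unaligned(): plain byte copies. */
static void store64(void *dreg, uint64_t val) { memcpy(dreg, &val, sizeof val); }
static uint64_t load64(const void *sreg) { uint64_t v; memcpy(&v, sreg, sizeof v); return v; }

/* 1 if all n stored values read back intact through a u64 view of regs. */
static int all_intact(int n)
{
    const uint64_t *regs64 = (const void *)regs;
    for (int i = 0; i < n; i++)
        if (load64(&regs64[i]) != sample_vals[i])
            return 0;
    return 1;
}

/* Pre-fix: regs is u32 *, so &regs[i] steps 4 bytes while each store writes 8. */
static int store_u32_stride(int n)
{
    memset(regs, 0, sizeof regs);
    for (int i = 0; i < n; i++)
        store64(&regs[i], sample_vals[i]);
    return all_intact(n);
}

/* Post-fix: view the same memory as u64 so &dst64[i] steps 8 bytes. */
static int store_u64_stride(int n)
{
    uint64_t *dst64 = (void *)regs;
    memset(regs, 0, sizeof regs);
    for (int i = 0; i < n; i++)
        store64(&dst64[i], sample_vals[i]);
    return all_intact(n);
}

int main(void)
{
    printf("u32 stride, 2 values intact: %d\n", store_u32_stride(2)); /* 0 */
    printf("u64 stride, 2 values intact: %d\n", store_u64_stride(2)); /* 1 */
    return 0;
}
```

With a single value (store_u32_stride(1)) the old indexing still reads back intact, which is the "we only write one element" case the commit message gives for why testing never caught this.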