[PATCH net 2/6] netfilter: nfnetlink_osf: avoid OOB read

public inbox for netdev@vger.kernel.org 
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen•de>
To: <netdev@vger•kernel.org>
Cc: Paolo Abeni <pabeni@redhat•com>,
	"David S. Miller" <davem@davemloft•net>,
	Eric Dumazet <edumazet@google•com>,
	Jakub Kicinski <kuba@kernel•org>,
	<netfilter-devel@vger•kernel.org>,
	Wander Lairson Costa <wander@redhat•com>,
	Lucas Leong <wmliang@infosec•exchange>
Subject: [PATCH net 2/6] netfilter: nfnetlink_osf: avoid OOB read
Date: Wed,  6 Sep 2023 18:25:08 +0200	[thread overview]
Message-ID: <20230906162525.11079-3-fw@strlen.de> (raw)
In-Reply-To: <20230906162525.11079-1-fw@strlen.de>

From: Wander Lairson Costa <wander@redhat•com>

The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.

BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431

CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
 nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
 nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
 nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
 expr_call_ops_eval net/netfilter/nf_tables_core.c:214
 nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
 nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
 [..]

Also add validation to genre, subtype and version fields.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong <wmliang@infosec•exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat•com>
Signed-off-by: Florian Westphal <fw@strlen•de>
---
 net/netfilter/nfnetlink_osf.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 8f1bfa6ccc2d..50723ba08289 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -315,6 +315,14 @@ static int nfnl_osf_add_callback(struct sk_buff *skb,
 
 	f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
 
+	if (f->opt_num > ARRAY_SIZE(f->opt))
+		return -EINVAL;
+
+	if (!memchr(f->genre, 0, MAXGENRELEN) ||
+	    !memchr(f->subtype, 0, MAXGENRELEN) ||
+	    !memchr(f->version, 0, MAXGENRELEN))
+		return -EINVAL;
+
 	kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
 	if (!kf)
 		return -ENOMEM;
-- 
2.41.0

next prev parent reply	other threads:[~2023-09-06 16:25 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-06 16:25 [PATCH net 0/6] netfilter updates for net Florian Westphal
2023-09-06 16:25 ` [PATCH net 1/6] netfilter: nftables: exthdr: fix 4-byte stack OOB write Florian Westphal
2023-09-07 10:40   ` patchwork-bot+netdevbpf
2023-09-06 16:25 ` Florian Westphal [this message]
2023-09-06 16:25 ` [PATCH net 3/6] netfilter: nf_tables: uapi: Describe NFTA_RULE_CHAIN_ID Florian Westphal
2023-09-06 16:25 ` [PATCH net 4/6] netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Florian Westphal
2023-09-06 16:25 ` [PATCH net 5/6] netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c Florian Westphal
2023-09-06 16:25 ` [PATCH net 6/6] netfilter: nf_tables: Unbreak audit log reset Florian Westphal
2023-09-06 21:41   ` Phil Sutter
2023-09-06 22:41     ` Florian Westphal
2023-09-07 10:30       ` Phil Sutter

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:8f1bfa6ccc2 dfblob:50723ba0828 )
 OR (
bs:"[PATCH net 2/6] netfilter: nfnetlink_osf: avoid OOB read" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230906162525.11079-3-fw@strlen.de \
    --to=fw@strlen$(echo .)de \
    --cc=davem@davemloft$(echo .)net \
    --cc=edumazet@google$(echo .)com \
    --cc=kuba@kernel$(echo .)org \
    --cc=netdev@vger$(echo .)kernel.org \
    --cc=netfilter-devel@vger$(echo .)kernel.org \
    --cc=pabeni@redhat$(echo .)com \
    --cc=wander@redhat$(echo .)com \
    --cc=wmliang@infosec$(echo .)exchange \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox