* [PATCH v4.19.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
@ 2024-02-05 4:44 Ajay Kaher
2024-02-05 4:44 ` [PATCH v5.4.y] " Ajay Kaher
0 siblings, 1 reply; 3+ messages in thread
From: Ajay Kaher @ 2024-02-05 4:44 UTC (permalink / raw)
To: stable, gregkh
Cc: pablo, kadlec, fw, davem, netfilter-devel, coreteam, netdev,
linux-kernel, alexey.makhalov, florian.fainelli,
vasavi.sirnapalli, Ajay Kaher, Dan Carpenter, Sasha Levin
From: Dan Carpenter <dan.carpenter@linaro.org>
commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.
I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of time we only write one element.
Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[Ajay: Modified to apply on v4.19.y]
Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com>
---
net/netfilter/nft_byteorder.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c
index dba1612..8c4ee49 100644
--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -41,19 +41,20 @@ static void nft_byteorder_eval(const struct nft_expr *expr,
switch (priv->size) {
case 8: {
+ u64 *dst64 = (void *)dst;
u64 src64;
switch (priv->op) {
case NFT_BYTEORDER_NTOH:
for (i = 0; i < priv->len / 8; i++) {
src64 = get_unaligned((u64 *)&src[i]);
- put_unaligned_be64(src64, &dst[i]);
+ put_unaligned_be64(src64, &dst64[i]);
}
break;
case NFT_BYTEORDER_HTON:
for (i = 0; i < priv->len / 8; i++) {
src64 = get_unaligned_be64(&src[i]);
- put_unaligned(src64, (u64 *)&dst[i]);
+ put_unaligned(src64, &dst64[i]);
}
break;
}
--
2.7.4
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH v5.4.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2024-02-05 4:44 [PATCH v4.19.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() Ajay Kaher @ 2024-02-05 4:44 ` Ajay Kaher 2024-02-21 10:57 ` Greg KH 0 siblings, 1 reply; 3+ messages in thread From: Ajay Kaher @ 2024-02-05 4:44 UTC (permalink / raw) To: stable, gregkh Cc: pablo, kadlec, fw, davem, netfilter-devel, coreteam, netdev, linux-kernel, alexey.makhalov, florian.fainelli, vasavi.sirnapalli, Dan Carpenter, Sasha Levin, Ajay Kaher From: Dan Carpenter <dan.carpenter@linaro.org> commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream. The problem is in nft_byteorder_eval() where we are iterating through a loop and writing to dst[0], dst[1], dst[2] and so on... On each iteration we are writing 8 bytes. But dst[] is an array of u32 so each element only has space for 4 bytes. That means that every iteration overwrites part of the previous element. I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: nf_tables: prevent OOB access in nft_byteorder_eval") which is a related issue. I think that the reason we have not detected this bug in testing is that most of time we only write one element. Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> [Ajay: Modified to apply on v5.4.y] Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com> --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nft_byteorder.c | 5 +++-- net/netfilter/nft_meta.c | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 0a49d44..cf314ce 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -130,9 +130,9 @@ static inline u16 nft_reg_load16(u32 *sreg) return *(u16 *)sreg; } -static inline void nft_reg_store64(u32 *dreg, u64 val) +static inline void nft_reg_store64(u64 *dreg, u64 val) { - put_unaligned(val, (u64 *)dreg); + put_unaligned(val, dreg); } static inline u64 nft_reg_load64(u32 *sreg) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index 7b0b8fe..9d250bd 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c @@ -38,20 +38,21 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->size) { case 8: { + u64 *dst64 = (void *)dst; u64 src64; switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 8; i++) { src64 = nft_reg_load64(&src[i]); - nft_reg_store64(&dst[i], be64_to_cpu(src64)); + nft_reg_store64(&dst64[i], be64_to_cpu(src64)); } break; case NFT_BYTEORDER_HTON: for (i = 0; i < priv->len / 8; i++) { src64 = (__force __u64) cpu_to_be64(nft_reg_load64(&src[i])); - nft_reg_store64(&dst[i], src64); + nft_reg_store64(&dst64[i], src64); } break; } diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index ec2798f..ac7d3c7 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -247,7 +247,7 @@ void nft_meta_get_eval(const struct nft_expr *expr, strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ); break; case NFT_META_TIME_NS: - nft_reg_store64(dest, ktime_get_real_ns()); + nft_reg_store64((u64 *)dest, ktime_get_real_ns()); break; case NFT_META_TIME_DAY: nft_reg_store8(dest, nft_meta_weekday(ktime_get_real_seconds())); -- 2.7.4 ^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH v5.4.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2024-02-05 4:44 ` [PATCH v5.4.y] " Ajay Kaher @ 2024-02-21 10:57 ` Greg KH 0 siblings, 0 replies; 3+ messages in thread From: Greg KH @ 2024-02-21 10:57 UTC (permalink / raw) To: Ajay Kaher Cc: stable, pablo, kadlec, fw, davem, netfilter-devel, coreteam, netdev, linux-kernel, alexey.makhalov, florian.fainelli, vasavi.sirnapalli, Dan Carpenter, Sasha Levin On Mon, Feb 05, 2024 at 10:14:53AM +0530, Ajay Kaher wrote: > From: Dan Carpenter <dan.carpenter@linaro.org> > > commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream. > > The problem is in nft_byteorder_eval() where we are iterating through a > loop and writing to dst[0], dst[1], dst[2] and so on... On each > iteration we are writing 8 bytes. But dst[] is an array of u32 so each > element only has space for 4 bytes. That means that every iteration > overwrites part of the previous element. > > I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: > nf_tables: prevent OOB access in nft_byteorder_eval") which is a related > issue. I think that the reason we have not detected this bug in testing > is that most of time we only write one element. > > Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> > Signed-off-by: Sasha Levin <sashal@kernel.org> > [Ajay: Modified to apply on v5.4.y] > Signed-off-by: Ajay Kaher <ajay.kaher@broadcom.com> > --- All now queued up, thanks. greg k-h ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2024-02-21 10:57 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-02-05 4:44 [PATCH v4.19.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() Ajay Kaher 2024-02-05 4:44 ` [PATCH v5.4.y] " Ajay Kaher 2024-02-21 10:57 ` Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox