linux-stable/net
Florian Westphal 779e36a18e netfilter: nfnetlink_queue: fix OOB when mac header was cleared
[ Upstream commit 5648b5e116 ]

On 64bit platforms the MAC header is set to 0xffff on allocation and
also when a helper like skb_unset_mac_header() is called.

dev_parse_header may call skb_mac_header() which assumes valid mac offset:

 BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90
 Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364
 Call Trace:
  memcpy+0x20/0x60
  eth_header_parse+0x75/0x90
  __nfqnl_enqueue_packet+0x1a61/0x3380
  __nf_queue+0x597/0x1300
  nf_queue+0xf/0x40
  nf_hook_slow+0xed/0x190
  nf_hook+0x184/0x440
  ip_output+0x1c0/0x2a0
  nf_reinject+0x26f/0x700
  nfqnl_recv_verdict+0xa16/0x18b0
  nfnetlink_rcv_msg+0x506/0xe70

The existing code only works if the skb has a mac header.

Fixes: 2c38de4c1f ("netfilter: fix looped (broad|multi)cast's MAC handling")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-26 11:36:15 +01:00
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:50:41 +01:00
9p 9p/trans_virtio: Remove sysfs file on probe failure 2021-09-26 13:39:47 +02:00
802 net/802/garp: fix memleak in garp_request_join() 2021-07-31 08:22:37 +02:00
8021q net: vlan: avoid leaks on register_vlan_dev() failures 2021-01-17 14:04:19 +01:00
appletalk appletalk: Fix skb allocation size in loopback case 2021-04-07 12:48:49 +02:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:14:43 +02:00
ax25 AX.25: Prevent integer overflows in connect and sendmsg 2020-07-31 18:37:48 +02:00
batman-adv net: batman-adv: fix error handling 2021-11-02 18:26:45 +01:00
bluetooth Bluetooth: fix init and cleanup of sco_conn.timeout_work 2021-11-26 11:36:07 +01:00
bpf
bpfilter signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig 2020-01-27 14:50:51 +01:00
bridge net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() 2021-10-13 10:10:52 +02:00
caif net-caif: avoid user-triggerable WARN_ON(1) 2021-09-22 11:48:11 +02:00
can can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF 2021-08-04 12:23:45 +02:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:08:53 +01:00
core net: stream: don't purge sk_error_queue in sk_stream_kill_queues() 2021-11-26 11:36:09 +01:00
dcb net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands 2021-01-23 15:49:56 +01:00
dccp dccp: don't duplicate ccid when cloning dccp sock 2021-09-22 11:48:11 +02:00
decnet net: decnet: Fix sleeping inside in af_decnet 2021-07-28 11:13:48 +02:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:30:24 +02:00
dsa net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup 2021-09-22 11:48:12 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
hsr hsr: use netdev_err() instead of WARN_ONCE() 2021-05-22 10:59:24 +02:00
ieee802154 net: Fix memory leak in ieee802154_raw_deliver 2021-08-26 08:36:38 -04:00
ife
ipv4 tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() 2021-11-26 11:36:11 +01:00
ipv6 gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE 2021-11-26 11:36:07 +01:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:18:52 +01:00
kcm
key af_key: relax availability checks for skb size calculation 2021-02-13 13:51:14 +01:00
l2tp net/l2tp: Fix reference count leak in l2tp_udp_recv_core 2021-09-22 11:48:11 +02:00
l3mdev
lapb net: lapb: Copy the skb before sending a packet 2021-02-10 09:21:06 +01:00
llc net: llc: fix skb_over_panic 2021-08-04 12:23:46 +02:00
mac80211 mac80211: check return value of rhashtable_init 2021-10-17 10:19:49 +02:00
mac802154 net: mac802154: Fix general protection fault 2021-04-14 08:22:36 +02:00
mpls net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 2021-03-17 16:43:43 +01:00
ncsi net/ncsi: Avoid channel_monitor hrtimer deadlock 2021-04-14 08:22:35 +02:00
netfilter netfilter: nfnetlink_queue: fix OOB when mac header was cleared 2021-11-26 11:36:15 +01:00
netlabel net: fix NULL pointer reference in cipso_v4_doi_free 2021-09-22 11:48:09 +02:00
netlink netlink: annotate data races around nlk->bound 2021-10-13 10:10:52 +02:00
netrom netrom: Decrease sock refcount when sock timers expire 2021-07-28 11:13:48 +02:00
nfc nfc: nci: fix the UAF of rf_conn_info object 2021-10-27 09:53:14 +02:00
nsh
openvswitch openvswitch: meter: fix race when getting now_ms. 2021-06-03 08:38:11 +02:00
packet net/packet: annotate accesses to po->ifindex 2021-06-30 08:48:31 -04:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 09:21:30 +01:00
qrtr net: qrtr: fix another OOB Read in qrtr_endpoint_post 2021-09-03 09:58:00 +02:00
rds net/rds: dma_map_sg is entitled to merge entries 2021-09-03 09:58:02 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:17:17 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:18:52 +01:00
rxrpc rxrpc: Fix deadlock around release of dst cached on udp tunnel 2021-02-10 09:21:06 +01:00
sched net: sched: update default qdisc visibility after Tx queue cnt changes 2021-11-26 11:36:04 +01:00
sctp sctp: add vtag check in sctp_sf_ootb 2021-11-02 18:26:46 +01:00
smc net/smc: add missing error check in smc_clc_prfx_set() 2021-10-06 15:31:13 +02:00
strparser
sunrpc rpc: fix gss_svc_init cleanup on failure 2021-09-22 11:48:07 +02:00
switchdev
tipc tipc: increase timeout in tipc_sk_enqueue() 2021-09-22 11:48:11 +02:00
tls net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-12-08 10:18:52 +01:00
unix af_unix: fix races in sk_peer_pid and sk_peer_cred accesses 2021-10-06 15:31:24 +02:00
vmw_vsock vsock/virtio: avoid potential deadlock when vsock device remove 2021-08-26 08:36:39 -04:00
wimax
wireless cfg80211: Fix possible memory leak in function cfg80211_bss_update 2021-08-04 12:23:45 +02:00
x25 net/x25: Return the correct errno code 2021-06-30 08:48:13 -04:00
xdp xsk: Simplify detection of empty and full rings 2021-05-22 10:59:48 +02:00
xfrm xfrm: Fix error reporting in xfrm_state_construct. 2021-07-20 16:16:01 +02:00
Kconfig
Makefile net: split out functions related to registering inflight socket files 2021-07-31 08:22:37 +02:00
compat.c net: Return the correct errno code 2021-06-30 08:48:13 -04:00
socket.c net: don't unconditionally copy_from_user a struct ifreq for socket ioctls 2021-09-03 09:58:03 +02:00
sysctl_net.c