sst-linux/net/netfilter
Lin Ma 21748669c5 net: fix geneve_opt length integer overflow
[ Upstream commit b27055a08ad4b415dcf15b63034f9cb236f7fb40 ]

struct geneve_opt uses a 5-bit length for each single option, which
means every variable-size option should be smaller than 128 bytes.

However, all current related Netlink policies cannot promise this
length condition, and the attacker can exploit an exact 128-byte size
option to *fake* a zero-length option and confuse the parsing logic,
further achieving a heap out-of-bounds read.

One example crash log is like below:

[    3.905425] ==================================================================
[    3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
[    3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
[    3.906646]
[    3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
[    3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[    3.907784] Call Trace:
[    3.907925]  <TASK>
[    3.908048]  dump_stack_lvl+0x44/0x5c
[    3.908258]  print_report+0x184/0x4be
[    3.909151]  kasan_report+0xc5/0x100
[    3.909539]  kasan_check_range+0xf3/0x1a0
[    3.909794]  memcpy+0x1f/0x60
[    3.909968]  nla_put+0xa9/0xe0
[    3.910147]  tunnel_key_dump+0x945/0xba0
[    3.911536]  tcf_action_dump_1+0x1c1/0x340
[    3.912436]  tcf_action_dump+0x101/0x180
[    3.912689]  tcf_exts_dump+0x164/0x1e0
[    3.912905]  fw_dump+0x18b/0x2d0
[    3.913483]  tcf_fill_node+0x2ee/0x460
[    3.914778]  tfilter_notify+0xf4/0x180
[    3.915208]  tc_new_tfilter+0xd51/0x10d0
[    3.918615]  rtnetlink_rcv_msg+0x4a2/0x560
[    3.919118]  netlink_rcv_skb+0xcd/0x200
[    3.919787]  netlink_unicast+0x395/0x530
[    3.921032]  netlink_sendmsg+0x3d0/0x6d0
[    3.921987]  __sock_sendmsg+0x99/0xa0
[    3.922220]  __sys_sendto+0x1b7/0x240
[    3.922682]  __x64_sys_sendto+0x72/0x90
[    3.922906]  do_syscall_64+0x5e/0x90
[    3.923814]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[    3.924122] RIP: 0033:0x7e83eab84407
[    3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[    3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[    3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
[    3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
[    3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
[    3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
[    3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8

Fix these issues by enforcing the correct length condition in the related
policies.

Fixes: 925d844696 ("netfilter: nft_tunnel: add support for geneve opts")
Fixes: 4ece477870 ("lwtunnel: add options setting and dumping for geneve")
Fixes: 0ed5269f9e ("net/sched: add tunnel option support to act_tunnel_key")
Fixes: 0a6e77784f ("net/sched: allow flower to match tunnel options")
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Link: https://patch.msgid.link/20250402165632.6958-1-linma@zju.edu.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2025-04-10 14:33:41 +02:00
ipset netfilter: ipset: Fix for recursive locking warning 2024-12-27 13:52:55 +01:00
ipvs ipvs: prevent integer overflow in do_ip_vs_get_ctl() 2025-03-28 21:58:49 +01:00
core.c netfilter: let reset rules clean out conntrack entries 2024-03-06 14:45:08 +00:00
Kconfig
Makefile
nf_conncount.c netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() 2025-03-28 21:58:49 +01:00
nf_conntrack_acct.c
nf_conntrack_amanda.c
nf_conntrack_bpf.c netfilter, bpf: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() 2023-10-06 14:56:38 +02:00
nf_conntrack_broadcast.c
nf_conntrack_core.c netfilter: allow exp not to be removed in nf_ct_find_expectation 2025-03-07 16:56:41 +01:00
nf_conntrack_ecache.c netfilter: ctnetlink: make event listener tracking global 2023-03-11 13:55:24 +01:00
nf_conntrack_expect.c netfilter: allow exp not to be removed in nf_ct_find_expectation 2025-03-07 16:56:41 +01:00
nf_conntrack_extend.c netfilter: conntrack: fix extension size table 2023-10-06 14:56:36 +02:00
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: Add protection for bmp length out of range 2024-03-15 10:48:16 -04:00
nf_conntrack_h323_main.c
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: Avoid nf_ct_helper_hash uses after free 2023-07-19 16:22:16 +02:00
nf_conntrack_irc.c
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: ctnetlink: compile ctnetlink_label_size with CONFIG_NF_CONNTRACK_EVENTS 2024-10-17 15:21:14 +02:00
nf_conntrack_pptp.c
nf_conntrack_proto_dccp.c netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one 2023-07-19 16:21:13 +02:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c
nf_conntrack_proto_icmp.c
nf_conntrack_proto_icmpv6.c
nf_conntrack_proto_sctp.c netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new 2024-03-01 13:26:27 +01:00
nf_conntrack_proto_tcp.c netfilter: let reset rules clean out conntrack entries 2024-03-06 14:45:08 +00:00
nf_conntrack_proto_udp.c
nf_conntrack_proto.c
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. 2023-07-19 16:21:13 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: conntrack: fix possible bug_on with enable_hooks=1 2023-05-24 17:32:32 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c
nf_flow_table_core.c netfilter: nft_flow_offload: release dst in case direct xmit path is used 2024-03-01 13:26:37 +01:00
nf_flow_table_inet.c netfilter: flowtable: validate vlan header 2024-08-29 17:30:47 +02:00
nf_flow_table_ip.c netfilter: flowtable: validate vlan header 2024-08-29 17:30:47 +02:00
nf_flow_table_offload.c netfilter: flowtable: initialise extack before use 2024-08-29 17:30:25 +02:00
nf_flow_table_procfs.c
nf_hooks_lwtunnel.c
nf_internals.h
nf_log_syslog.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
nf_log.c netfilter: nf_log: replace BUG_ON by WARN_ON_ONCE when putting logger 2024-02-05 20:13:02 +00:00
nf_nat_amanda.c
nf_nat_bpf.c
nf_nat_core.c
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c
nf_nat_proto.c
nf_nat_redirect.c netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-20 11:52:17 +01:00
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
nf_sockopt.c
nf_synproxy_core.c
nf_tables_api.c netfilter: nf_tables: reject mismatching sum of field_len with set key length 2025-02-21 13:49:25 +01:00
nf_tables_core.c netfilter: nf_tables: set transport offset from mac header for netdev/egress 2024-01-10 17:10:21 +01:00
nf_tables_offload.c
nf_tables_trace.c
nfnetlink_acct.c
nfnetlink_cthelper.c
nfnetlink_cttimeout.c
nfnetlink_hook.c
nfnetlink_log.c netfilter: nfnetlink_log: use proper helper for fetching physinif 2024-01-25 15:27:50 -08:00
nfnetlink_osf.c netfilter: nfnetlink_osf: avoid OOB read 2023-09-19 12:28:03 +02:00
nfnetlink_queue.c netfilter: nf_queue: drop packets with cloned unconfirmed conntracks 2024-08-29 17:30:25 +02:00
nfnetlink.c netfilter: nfnetlink: skip error delivery on batch in case of ENOMEM 2023-06-21 16:00:58 +02:00
nft_bitwise.c netfilter: nft_bitwise: fix register tracking 2023-06-14 11:15:20 +02:00
nft_byteorder.c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2023-11-28 17:07:05 +00:00
nft_chain_filter.c netfilter: nf_tables: honor table dormant flag from netdev release event path 2024-05-02 16:29:26 +02:00
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c
nft_compat.c netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() 2024-03-06 14:45:08 +00:00
nft_connlimit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_counter.c netfilter: nft_counter: Use u64_stats_t for statistic. 2025-03-28 21:59:01 +01:00
nft_ct.c netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. 2025-03-28 21:58:48 +01:00
nft_dup_netdev.c
nft_dynset.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_exthdr.c netfilter: nft_exthdr: fix offset with ipv4_find_option() 2025-03-28 21:58:50 +01:00
nft_fib_inet.c
nft_fib_netdev.c
nft_fib.c netfilter: nft_fib: allow from forward/input without iif selector 2024-06-12 11:03:58 +02:00
nft_flow_offload.c netfilter: nft_flow_offload: update tcp state flags under lock 2025-02-21 13:49:06 +01:00
nft_fwd_netdev.c
nft_hash.c
nft_immediate.c netfilter: nft_immediate: drop chain reference counter on error 2024-01-10 17:10:24 +01:00
nft_last.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_limit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_log.c
nft_lookup.c netfilter: nf_tables: missing iterator type in lookup walk 2024-09-30 16:23:54 +02:00
nft_masq.c netfilter: nft_masq: correct length for loading protocol registers 2023-03-22 13:33:42 +01:00
nft_meta.c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2023-11-28 17:07:05 +00:00
nft_nat.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_numgen.c
nft_objref.c netfilter: nf_tables: report use refcount overflow 2023-08-16 18:27:30 +02:00
nft_osf.c
nft_payload.c netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 2024-11-08 16:26:42 +01:00
nft_queue.c
nft_quota.c netfilter: nf_tables: allow clone callbacks to sleep 2024-08-14 13:53:03 +02:00
nft_range.c
nft_redir.c netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-11-20 11:52:17 +01:00
nft_reject_inet.c
nft_reject_netdev.c
nft_reject.c
nft_rt.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_set_bitmap.c netfilter: nf_tables: drop map element references from preparation phase 2023-06-28 11:12:32 +02:00
nft_set_hash.c netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only 2025-04-10 14:33:40 +02:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: disable softinterrupts 2024-08-03 08:49:49 +02:00
nft_set_pipapo_avx2.h
nft_set_pipapo.c netfilter: nf_tables: missing iterator type in lookup walk 2024-09-30 16:23:54 +02:00
nft_set_pipapo.h netfilter: nf_set_pipapo: fix initial map fill 2024-08-03 08:49:24 +02:00
nft_set_rbtree.c netfilter: nf_tables: use timestamp to check for set element timeout 2024-07-05 09:31:44 +02:00
nft_socket.c netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level 2024-12-14 19:54:20 +01:00
nft_synproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_tproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
nft_tunnel.c net: fix geneve_opt length integer overflow 2025-04-10 14:33:41 +02:00
nft_xfrm.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-31 16:17:06 -08:00
utils.c
x_tables.c netfilter: Fix use-after-free in get_info() 2024-11-08 16:26:41 +01:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_AUDIT.c
xt_bpf.c
xt_cgroup.c
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_comment.c
xt_connbytes.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_connlabel.c
xt_connlimit.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c netfilter: x_tables: fix LED ID check in led_tg_check() 2024-12-14 19:54:20 +01:00
xt_length.c netfilter: use skb_ip_totlen and iph_totlen 2024-01-10 17:10:21 +01:00
xt_limit.c
xt_LOG.c
xt_mac.c
xt_mark.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_NFQUEUE.c
xt_osf.c netfilter: nfnetlink_osf: fix module autoload 2023-06-28 11:12:33 +02:00
xt_owner.c netfilter: xt_owner: Fix for unsafe access of sk->sk_socket 2023-12-13 18:39:11 +01:00
xt_physdev.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-25 15:27:51 -08:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_realm.c
xt_recent.c netfilter: xt_recent: fix (increase) ipv6 literal buffer length 2023-11-20 11:52:17 +01:00
xt_REDIRECT.c netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-11-20 11:52:17 +01:00
xt_repldata.h
xt_sctp.c netfilter: xt_sctp: validate the flag_info count 2023-09-13 09:42:59 +02:00
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-17 15:22:22 +02:00
xt_set.c
xt_socket.c net: annotate data-races around sk->sk_mark 2023-08-11 12:08:14 +02:00
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c
xt_tcpudp.c
xt_TEE.c
xt_time.c
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-11-01 01:56:04 +01:00
xt_u32.c netfilter: xt_u32: validate user space input 2023-09-13 09:42:59 +02:00