| From 5eacb3f2a97f99c8598594613dce1fc317bd18bd Mon Sep 17 00:00:00 2001 |
| From: Sasha Levin <sashal@kernel.org> |
| Date: Wed, 20 Oct 2021 18:08:10 +0200 |
| Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared |
| |
| From: Florian Westphal <fw@strlen.de> |
| |
| [ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ] |
| |
| On 64bit platforms the MAC header is set to 0xffff on allocation and |
| also when a helper like skb_unset_mac_header() is called. |
| |
| dev_parse_header may call skb_mac_header() which assumes valid mac offset: |
| |
| BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90 |
| Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364 |
| Call Trace: |
| memcpy+0x20/0x60 |
| eth_header_parse+0x75/0x90 |
| __nfqnl_enqueue_packet+0x1a61/0x3380 |
| __nf_queue+0x597/0x1300 |
| nf_queue+0xf/0x40 |
| nf_hook_slow+0xed/0x190 |
| nf_hook+0x184/0x440 |
| ip_output+0x1c0/0x2a0 |
| nf_reinject+0x26f/0x700 |
| nfqnl_recv_verdict+0xa16/0x18b0 |
| nfnetlink_rcv_msg+0x506/0xe70 |
| |
| The existing code only works if the skb has a mac header. |
| |
| Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling") |
| Signed-off-by: Florian Westphal <fw@strlen.de> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| net/netfilter/nfnetlink_queue.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c |
| index 6f0a2bad8ad5e..a8cb562da3fea 100644 |
| --- a/net/netfilter/nfnetlink_queue.c |
| +++ b/net/netfilter/nfnetlink_queue.c |
| @@ -562,7 +562,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, |
| goto nla_put_failure; |
| |
| if (indev && entskb->dev && |
| - entskb->mac_header != entskb->network_header) { |
| + skb_mac_header_was_set(entskb)) { |
| struct nfqnl_msg_packet_hw phw; |
| int len; |
| |
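Review bot: The new condition on the `if (indev && entskb->dev && ...)` line no longer skips skbs whose MAC header is set but zero-length (`mac_header == network_header`), a case the removed comparison excluded. Such packets now enter the branch and reach the link-layer header parse, which for the looped broadcast/multicast case named in the Fixes tag presumably means copying address bytes from a header that has no length. Keeping both conditions would cover the cleared-offset case and the empty-header case: `skb_mac_header_was_set(entskb) && skb_mac_header_len(entskb) != 0) {`. The branch body, including the dev_parse_header() call the commit message refers to, lies outside the hunk, so the impact should be confirmed against the full function.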
| -- |
| 2.33.0 |
| |