releases/4.14.27/netfilter-ipv6-fix-use-after-free-write-in-nf_nat_ipv6_manip_pkt.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From b078556aecd791b0e5cb3a59f4c3a14273b52121 Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Mon, 19 Feb 2018 08:10:17 +0100
 Subject: netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

 From: Florian Westphal <fw@strlen.de>

 commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.

 l4proto->manip_pkt() can cause reallocation of skb head so pointer
 to the ipv6 header must be reloaded.

 Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
 Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
 Signed-off-by: Florian Westphal <fw@strlen.de>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

 ---
  net/ipv6/netfilter/nf_nat_l3proto_ipv6.c |    4 ++++
  1 file changed, 4 insertions(+)

 --- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
 +++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
 @@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
  	    !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
  				target, maniptype))
  		return false;
 +
 +	/* must reload, offset might have changed */
 +	ipv6h = (void *)skb->data + iphdroff;
 +
  manip_addr:
  	if (maniptype == NF_NAT_MANIP_SRC)
  		ipv6h->saddr = target->src.u3.in6;
	From b078556aecd791b0e5cb3a59f4c3a14273b52121 Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Mon, 19 Feb 2018 08:10:17 +0100
	Subject: netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt

	From: Florian Westphal <fw@strlen.de>

	commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.

	l4proto->manip_pkt() can cause reallocation of skb head so pointer
	to the ipv6 header must be reloaded.

	Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
	Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
	Signed-off-by: Florian Westphal <fw@strlen.de>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

	---
	net/ipv6/netfilter/nf_nat_l3proto_ipv6.c \| 4 ++++
	1 file changed, 4 insertions(+)

	--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
	+++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
	@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct
	!l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
	target, maniptype))
	return false;
	+
	+ /* must reload, offset might have changed */
	+ ipv6h = (void *)skb->data + iphdroff;
	+
	manip_addr:
	if (maniptype == NF_NAT_MANIP_SRC)
	ipv6h->saddr = target->src.u3.in6;