
netfilter: validate user input for expected length

Phil Sutter requested to merge psutter1/centos-stream-9:c9s/RHEL-37212 into main

CVE: CVE-2024-35896
JIRA: https://issues.redhat.com/browse/RHEL-37212
Upstream Status: commit 0c83842df40f86e529db6842231154772c20edcc

commit 0c83842df40f86e529db6842231154772c20edcc
Author: Eric Dumazet edumazet@google.com
Date: Thu Apr 4 12:20:51 2024 +0000

netfilter: validate user input for expected length

I got multiple syzbot reports showing old bugs exposed
by BPF after commit 20f2505fb436 ("bpf: Try to avoid kzalloc
in cgroup/{s,g}etsockopt")

setsockopt() @optlen argument should be taken into account
before copying data.

 BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h:49 [inline]
 BUG: KASAN: slab-out-of-bounds in copy_from_sockptr include/linux/sockptr.h:55 [inline]
 BUG: KASAN: slab-out-of-bounds in do_replace net/ipv4/netfilter/ip_tables.c:1111 [inline]
 BUG: KASAN: slab-out-of-bounds in do_ipt_set_ctl+0x902/0x3dd0 net/ipv4/netfilter/ip_tables.c:1627
Read of size 96 at addr ffff88802cd73da0 by task syz-executor.4/7238

CPU: 1 PID: 7238 Comm: syz-executor.4 Not tainted 6.9.0-rc2-next-20240403-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/27/2024
Call Trace:
 [...]

Signed-off-by: Phil Sutter psutter@redhat.com
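The @optlen check this fix introduces, shown as an added C model that is not the kernel's code or this merge request's patch: the header layout, the copy_model() helper and the demo_* functions are constructed stand-ins, and the real change is in the upstream commit referenced above.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the fixed-size header a handler copies first;
 * not the real struct ipt_replace layout. */
struct replace_hdr {
    char name[32];
    uint32_t valid_hooks;
    uint32_t num_entries;
    uint32_t size;
};

/* Model of copy_from_sockptr(): the source buffer has a known length, so a
 * copy past its end is reported here instead of becoming the
 * slab-out-of-bounds read in the KASAN splat above. */
static int copy_model(void *dst, const void *src, size_t src_len, size_t n)
{
    if (n > src_len)
        return -EFAULT;            /* would read beyond @optval */
    memcpy(dst, src, n);
    return 0;
}
/* Before the fix: copies sizeof(*out) bytes without consulting @optlen. */
int do_replace_unchecked(const void *optval, unsigned int optlen, struct replace_hdr *out)
{
    return copy_model(out, optval, optlen, sizeof(*out));
}
/* After the fix: input shorter than the header is rejected before any copy. */
int do_replace_checked(const void *optval, unsigned int optlen, struct replace_hdr *out)
{
    if (optlen < sizeof(*out))
        return -EINVAL;
    return copy_model(out, optval, optlen, sizeof(*out));
}
/* Drive either handler with a constructed 16-byte @optval, too short for the header. */
int demo_short_optlen(int checked)
{
    unsigned char optval[16] = {0};
    struct replace_hdr hdr;
    return checked ? do_replace_checked(optval, sizeof optval, &hdr)
                   : do_replace_unchecked(optval, sizeof optval, &hdr);
}
/* Well-formed call: full-size header copies cleanly and num_entries round-trips. */
int demo_full_optlen(void)
{
    struct replace_hdr in = { "filter", 0x1f, 3, 480 }, out;
    return do_replace_checked(&in, sizeof in, &out) ? -1 : (int)out.num_entries;
}
```

With the 16-byte input the unchecked handler over-reads (reported as -EFAULT by the model), while the checked one fails early with -EINVAL, which is the behaviour the fix is after.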
