Draft: CVE-2024-35962: netfilter: complete validation of user input (!4585) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

CKI Backport Bot requested to merge redhat/red-hat-ci-tools/kernel/bot-branches/centos-stream-9:backport-RHEL-37416-centos-stream-9-main into main Jun 25, 2024

JIRA: https://issues.redhat.com/browse/RHEL-37416
CVE: CVE-2024-35962

netfilter: complete validation of user input

[ Upstream commit 65acf6e0501ac8880a4f73980d01b5d27648b956 ]

In my recent commit, I missed that do_replace() handlers
use copy_from_sockptr() (which I fixed), followed
by unsafe copy_from_sockptr_offset() calls.

In all functions, we can perform the @optlen validation
before even calling xt_alloc_table_info() with the following
check:

if ((u64)optlen < (u64)tmp.size + sizeof(tmp))
        return -EINVAL;

Fixes: 0c83842df40f ("netfilter: validate user input for expected length")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://lore.kernel.org/r/20240409120741.3538135-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 562b7245131f6e9f1d280c8b5a8750f03edfc05c)

Signed-off-by: cki-backport-bot cki-ci-bot+cki-gitlab-backport-bot@redhat.com

Draft: CVE-2024-35962: netfilter: complete validation of user input

Merge request reports