diff options
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch')
-rw-r--r-- | meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch new file mode 100644 index 000000000..d1498f247 --- /dev/null +++ b/meta-openbmc-mods/meta-common/recipes-kernel/linux/linux-aspeed/CVE-2023-4004.patch @@ -0,0 +1,58 @@ +From 87b5a5c209405cb6b57424cdfa226a6dbd349232 Mon Sep 17 00:00:00 2001 +From: Florian Westphal <fw@strlen.de> +Date: Wed, 19 Jul 2023 21:08:21 +0200 +Subject: netfilter: nft_set_pipapo: fix improper element removal + +end key should be equal to start unless NFT_SET_EXT_KEY_END is present. + +Its possible to add elements that only have a start key +("{ 1.0.0.0 . 2.0.0.0 }") without an internval end. + +Insertion treats this via: + +if (nft_set_ext_exists(ext, NFT_SET_EXT_KEY_END)) + end = (const u8 *)nft_set_ext_key_end(ext)->data; +else + end = start; + +but removal side always uses nft_set_ext_key_end(). +This is wrong and leads to garbage remaining in the set after removal +next lookup/insert attempt will give: + +BUG: KASAN: slab-use-after-free in pipapo_get+0x8eb/0xb90 +Read of size 1 at addr ffff888100d50586 by task nft-pipapo_uaf_/1399 +Call Trace: + kasan_report+0x105/0x140 + pipapo_get+0x8eb/0xb90 + nft_pipapo_insert+0x1dc/0x1710 + nf_tables_newsetelem+0x31f5/0x4e00 + .. + +Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges") +Reported-by: lonial con <kongln9170@gmail.com> +Reviewed-by: Stefano Brivio <sbrivio@redhat.com> +Signed-off-by: Florian Westphal <fw@strlen.de> +--- + net/netfilter/nft_set_pipapo.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/netfilter/nft_set_pipapo.c b/net/netfilter/nft_set_pipapo.c +index db526cb7a4858..49915a2a58eb7 100644 +--- a/net/netfilter/nft_set_pipapo.c ++++ b/net/netfilter/nft_set_pipapo.c +@@ -1929,7 +1929,11 @@ static void nft_pipapo_remove(const struct net *net, const struct nft_set *set, + int i, start, rules_fx; + + match_start = data; +- match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ ++ if (nft_set_ext_exists(&e->ext, NFT_SET_EXT_KEY_END)) ++ match_end = (const u8 *)nft_set_ext_key_end(&e->ext)->data; ++ else ++ match_end = data; + + start = first_rule; + rules_fx = rules_f0; +-- +cgit + |