Re: [PATCH 4.19 38/38] netfilter: ctnetlink: add a range check for l3/l4 protonum

From: Pavel Machek
Date: Mon Oct 05 2020 - 16:59:17 EST


Hi!

> From: Will McVicker <willmcvicker@xxxxxxxxxx>
>
> commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream.
>
> The indexes to the nf_nat_l[34]protos arrays come from userspace. So
> check the tuple's family, e.g. l3num, when creating the conntrack in
> order to prevent an OOB memory access during setup. Here is an example
> kernel panic on 4.14.180 when userspace passes in an index greater than
> NFPROTO_NUMPROTO.

Since this protects against OOB array access, should it use _nospec()
variant to protect from speculation attacks?

Best regards,
Pavel

> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlatt
> if (!tb[CTA_TUPLE_IP])
> return -EINVAL;
>
> + if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
> + return -EOPNOTSUPP;
> tuple->src.l3num = l3num;
>
> err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
>

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Attachment: signature.asc
Description: Digital signature