| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Zr3EhKBKllxigfcD@gmail.com> Date: Thu, 15 Aug 2024 02:04:04 -0700 From: Breno Leitao <leitao@...ian.org> To: icejl <icejl0001@...il.com> Cc: pablo@...filter.org, kadlec@...filter.org, davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, netfilter-devel@...r.kernel.org, coreteam@...filter.org, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH] netfilter: nfnetlink: fix uninitialized local variable On Thu, Aug 15, 2024 at 04:27:33PM +0800, icejl wrote: > In the nfnetlink_rcv_batch function, an uninitialized local variable > extack is used, which results in using random stack data as a pointer. > This pointer is then used to access the data it points to and return > it as the request status, leading to an information leak. If the stack > data happens to be an invalid pointer, it can cause a pointer access > exception, triggering a kernel crash. > > Signed-off-by: icejl <icejl0001@...il.com> > --- > net/netfilter/nfnetlink.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c > index 4abf660c7baf..b29b281f4b2c 100644 > --- a/net/netfilter/nfnetlink.c > +++ b/net/netfilter/nfnetlink.c > @@ -427,6 +427,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh, > > nfnl_unlock(subsys_id); > > + memset(&extack, 0, sizeof(extack)); > if (nlh->nlmsg_flags & NLM_F_ACK) > nfnl_err_add(&err_list, nlh, 0, &extack); There is a memset later in that function , inside the `while (skb->len >= nlmsg_total_size(0))` loop. Should that one be removed?
Powered by blists - more mailing lists