lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20231102102846.GE6174@breakpoint.cc> Date: Thu, 2 Nov 2023 11:28:46 +0100 From: Florian Westphal <fw@...len.de> To: Dan Carpenter <dan.carpenter@...aro.org> Cc: Thadeu Lima de Souza Cascardo <cascardo@...onical.com>, netfilter-devel@...r.kernel.org, netdev@...r.kernel.org, Pablo Neira Ayuso <pablo@...filter.org>, Florian Westphal <fw@...len.de>, Harshit Mogalapalli <harshit.m.mogalapalli@...il.com> Subject: Re: [PATCH v2] netfilter: nf_tables: prevent OOB access in nft_byteorder_eval Dan Carpenter <dan.carpenter@...aro.org> wrote: > This patch is correct, but shouldn't we fix the code for 64 bit writes > as well? Care to send a patch? > net/netfilter/nft_byteorder.c > 26 void nft_byteorder_eval(const struct nft_expr *expr, > 27 struct nft_regs *regs, > 28 const struct nft_pktinfo *pkt) > 29 { > 30 const struct nft_byteorder *priv = nft_expr_priv(expr); > 31 u32 *src = ®s->data[priv->sreg]; > 32 u32 *dst = ®s->data[priv->dreg]; > 33 u16 *s16, *d16; > 34 unsigned int i; > 35 > 36 s16 = (void *)src; > 37 d16 = (void *)dst; > 38 > 39 switch (priv->size) { > 40 case 8: { > 41 u64 src64; > 42 > 43 switch (priv->op) { > 44 case NFT_BYTEORDER_NTOH: > 45 for (i = 0; i < priv->len / 8; i++) { > 46 src64 = nft_reg_load64(&src[i]); > 47 nft_reg_store64(&dst[i], > 48 be64_to_cpu((__force __be64)src64)); > > We're writing 8 bytes, then moving forward 4 bytes and writing 8 bytes > again. Each subsequent write over-writes 4 bytes from the previous > write. Yes. I can't think if a case where we'd do two swaps back-to-back, which is probably the reason noone noticed this so far.
Powered by blists - more mailing lists