Message-ID: <CADvbK_fGUHNZRguoqi7UBi_83oFvCFmD67hnPpT369UMG82xrQ@mail.gmail.com>
Date: Wed, 2 Apr 2025 17:37:45 -0400
From: Xin Long <lucien.xin@...il.com>
To: Lin Ma <linma@....edu.cn>
Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, horms@...nel.org, pablo@...filter.org,
kadlec@...filter.org, jhs@...atatu.com, xiyou.wangcong@...il.com,
jiri@...nulli.us, pieter.jansenvanvuuren@...ronome.com,
netdev@...r.kernel.org
Subject: Re: [PATCH net] net: fix geneve_opt length integer overflow
On Wed, Apr 2, 2025 at 12:58 PM Lin Ma <linma@....edu.cn> wrote:
>
> struct geneve_opt uses a 5-bit length for each single option, which
> means every variable-size option should be smaller than 128 bytes.
>
> However, all current related Netlink policies cannot promise this
> length condition and the attacker can exploit an exact 128-byte size
> option to *fake* a zero length option and confuse the parsing logic,
> further achieving a heap out-of-bounds read.
>
> One example crash log is like below:
>
> [ 3.905425] ==================================================================
> [ 3.905925] BUG: KASAN: slab-out-of-bounds in nla_put+0xa9/0xe0
> [ 3.906255] Read of size 124 at addr ffff888005f291cc by task poc/177
> [ 3.906646]
> [ 3.906775] CPU: 0 PID: 177 Comm: poc-oob-read Not tainted 6.1.132 #1
> [ 3.907131] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
> [ 3.907784] Call Trace:
> [ 3.907925] <TASK>
> [ 3.908048] dump_stack_lvl+0x44/0x5c
> [ 3.908258] print_report+0x184/0x4be
> [ 3.909151] kasan_report+0xc5/0x100
> [ 3.909539] kasan_check_range+0xf3/0x1a0
> [ 3.909794] memcpy+0x1f/0x60
> [ 3.909968] nla_put+0xa9/0xe0
> [ 3.910147] tunnel_key_dump+0x945/0xba0
> [ 3.911536] tcf_action_dump_1+0x1c1/0x340
> [ 3.912436] tcf_action_dump+0x101/0x180
> [ 3.912689] tcf_exts_dump+0x164/0x1e0
> [ 3.912905] fw_dump+0x18b/0x2d0
> [ 3.913483] tcf_fill_node+0x2ee/0x460
> [ 3.914778] tfilter_notify+0xf4/0x180
> [ 3.915208] tc_new_tfilter+0xd51/0x10d0
> [ 3.918615] rtnetlink_rcv_msg+0x4a2/0x560
> [ 3.919118] netlink_rcv_skb+0xcd/0x200
> [ 3.919787] netlink_unicast+0x395/0x530
> [ 3.921032] netlink_sendmsg+0x3d0/0x6d0
> [ 3.921987] __sock_sendmsg+0x99/0xa0
> [ 3.922220] __sys_sendto+0x1b7/0x240
> [ 3.922682] __x64_sys_sendto+0x72/0x90
> [ 3.922906] do_syscall_64+0x5e/0x90
> [ 3.923814] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
> [ 3.924122] RIP: 0033:0x7e83eab84407
> [ 3.924331] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
> [ 3.925330] RSP: 002b:00007ffff505e370 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
> [ 3.925752] RAX: ffffffffffffffda RBX: 00007e83eaafa740 RCX: 00007e83eab84407
> [ 3.926173] RDX: 00000000000001a8 RSI: 00007ffff505e3c0 RDI: 0000000000000003
> [ 3.926587] RBP: 00007ffff505f460 R08: 00007e83eace1000 R09: 000000000000000c
> [ 3.926977] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffff505f3c0
> [ 3.927367] R13: 00007ffff505f5c8 R14: 00007e83ead1b000 R15: 00005d4fbbe6dcb8
>
> Fix these issues by enforcing the correct length condition in related
> policies.
>
> Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
> Fixes: 4ece47787077 ("lwtunnel: add options setting and dumping for geneve")
> Fixes: 0ed5269f9e41 ("net/sched: add tunnel option support to act_tunnel_key")
> Fixes: 0a6e77784f49 ("net/sched: allow flower to match tunnel options")
> Signed-off-by: Lin Ma <linma@....edu.cn>
Reviewed-by: Xin Long <lucien.xin@...il.com>
Thanks.
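The arithmetic behind the quoted description, as an added illustration that is not part of the patch or of the kernel: the option length travels in a 5-bit field counting 4-byte words, so it can express 0..124 bytes of data, and an unchecked "len / 4" assignment of a 128-byte option silently truncates 32 to 0. The struct below is a stand-alone model of that header (field names follow the kernel's `struct geneve_opt`, but the layout and helper functions are mine), together with the kind of length check a Netlink policy needs to enforce before the value ever reaches the field.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a Geneve option header: 16-bit class, 8-bit type, then one
 * byte holding three reserved bits and a 5-bit length. The length counts
 * 4-byte words of option data (illustrative model, not kernel code). */
struct opt_hdr {
    uint16_t opt_class;
    uint8_t  type;
    uint8_t  length : 5;          /* data length / 4, range 0..31 */
    uint8_t  r3 : 1, r2 : 1, r1 : 1;
};

/* Largest data length the 5-bit field can represent: 31 words * 4. */
#define GENEVE_OPT_MAX_DATA 124

/* What an unchecked assignment stores in the 5-bit field: the word
 * count is truncated modulo 32, so 128 bytes (32 words) becomes 0. */
uint8_t encode_len_unchecked(size_t data_len)
{
    struct opt_hdr h = {0};
    h.length = (uint8_t)(data_len / 4);   /* 32 -> 0 on a 128-byte option */
    return h.length;
}

/* What a parser walking the option list believes the data length is. */
size_t decoded_data_len(uint8_t field)
{
    return (size_t)field * 4;
}

/* Policy-level check: data must be a whole number of 4-byte words and
 * must fit the field, so the value stored always matches the bytes
 * actually present. This is the condition the fix enforces (assumed
 * shape; the exact policy syntax is in the patch itself). */
bool geneve_opt_data_len_ok(size_t data_len)
{
    return data_len % 4 == 0 && data_len <= GENEVE_OPT_MAX_DATA;
}

int main(void)
{
    size_t lens[] = { 4, 124, 126, 128 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint8_t f = encode_len_unchecked(lens[i]);
        printf("data %3zu bytes -> field %2u -> parser sees %3zu bytes, policy %s\n",
               lens[i], f, decoded_data_len(f),
               geneve_opt_data_len_ok(lens[i]) ? "accepts" : "rejects");
    }
    return 0;
}
```

The 128-byte row is the case the commit message describes: the field reads 0, so a consumer trusting the header sees an empty option while 128 bytes of data still follow it, and the length used for the subsequent copy no longer matches the buffer. Rejecting the value at the policy boundary keeps the stored field and the real data length in agreement.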