commit | 126bc88c66b26396f59e4f690eb6e9aa102d2559 | |
---|---|---|
author | Florian Westphal <[email protected]> | Tue Jul 26 12:42:06 2022 +0200 |
committer | Ke Wu <[email protected]> | Sat Sep 10 07:49:35 2022 +0000 |
tree | 6e9f3d85938426d30e525e3254ebc5fffc416509 | |
parent | 39fb4e2ffb47f6ffb9fb30490cd46996ac36dfb1 | |
netfilter: nf_queue: do not allow packet truncation below transport header offset

[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]

Domingo Dirutigliano and Nicola Guerrera report kernel panic when sending
nf_queue verdict with 1-byte nfta_payload attribute.

The IP/IPv6 stack pulls the IP(v6) header from the packet after the input hook.

If user truncates the packet below the header size, this skb_pull() will
result in a malformed skb (skb->len < 0).

BUG=b/241534061
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2022-36946 in the Linux kernel.

Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
Reported-by: Domingo Dirutigliano <[email protected]>
Signed-off-by: Florian Westphal <[email protected]>
Reviewed-by: Pablo Neira Ayuso <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
cos-patch: security-high
Change-Id: I83da1729bcc27c2a04dd9ff8ed76237134829868
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/36794
Reviewed-by: Vaibhav Rustagi <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
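As an added illustration (not the page's or the kernel's code) of the failure the commit message describes: a userspace model of the verdict path with a mock sk_buff, showing how a 1-byte nfta_payload drives skb->len negative once the IP stack pulls the header, and how a minimum-length check at the transport header offset rejects it instead. The struct fields, the sample packet sizes and the function names are constructed assumptions.

```c
#include <errno.h>

/* Constructed sample: a 60-byte IPv4 packet with a 20-byte IP header, so
 * the transport header starts at offset 20. */
#define SAMPLE_PKT_LEN   60
#define SAMPLE_IPHDR_LEN 20

/* Minimal stand-in for the kernel's sk_buff; only the fields the check needs. */
struct mock_skb {
    int len;               /* bytes currently in the packet */
    int transport_offset;  /* start of the transport header (= IP header length) */
};

/* Apply a verdict's nfta_payload of data_len bytes to the queued packet.
 * with_fix == 0 models the behaviour before the commit; with_fix != 0 adds
 * the check the commit describes: a payload that would truncate the packet
 * below the transport header offset is rejected with -EINVAL. */
int nfq_apply_payload(struct mock_skb *skb, int data_len, int with_fix)
{
    if (data_len < skb->len) {
        if (with_fix && data_len < skb->transport_offset)
            return -EINVAL;
        skb->len = data_len;   /* skb_trim(): shrink to the user-supplied length */
    } else {
        skb->len = data_len;   /* growth path: no header bytes can be lost here */
    }
    return 0;
}

/* Model of the IP stack consuming the IP header after the input hook,
 * i.e. skb_pull(skb, iph->ihl * 4). A negative result is the malformed
 * skb (skb->len < 0) described in the report. */
int ip_rcv_pull_header(struct mock_skb *skb)
{
    skb->len -= skb->transport_offset;
    return skb->len;
}

/* Run one verdict against a fresh sample packet. Returns -EINVAL when the
 * verdict is rejected, otherwise the packet length left after the IP pull. */
int simulate_verdict(int payload_len, int with_fix)
{
    struct mock_skb skb = { SAMPLE_PKT_LEN, SAMPLE_IPHDR_LEN };
    int rc = nfq_apply_payload(&skb, payload_len, with_fix);
    return rc ? rc : ip_rcv_pull_header(&skb);
}
```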