[prev in list] [next in list] [prev in thread] [next in thread]
List: netfilter-devel
Subject: Re: [PATCH 1/1] netfilter: nat: add range checks for access to nf_nat_l[34]protos[]
From: William Mcvicker <willmcvicker () google ! com>
Date: 2020-07-31 18:16:33
Message-ID: 20200731181633.GA1209076 () google ! com
[Download RAW message or body]
Hi Pablo,
> Note that this code does not exist in the tree anymore. I'm not sure
> if this problem still exists upstream, this patch does not apply to
> nf.git. This fix should only go for -stable maintainers.
Right, the vulnerability has been fixed by the refactor commit fe2d0020994cd
("netfilter: nat: remove l4proto->in_range"), but this patch is a part of
a full re-work of the code and doesn't backport very cleanly to the LTS
branches. So this fix is only applicable to the 4.19, 4.14, 4.9, and 4.4 LTS
branches. I missed the -stable email, but will re-add it to this thread with
the re-worked patch.
Thanks,
Will
On 07/31/2020, Pablo Neira Ayuso wrote:
> Hi William,
>
> On Fri, Jul 31, 2020 at 12:26:11AM +0000, William Mcvicker wrote:
> > Hi Pablo,
> >
> > Yes, I believe this oops is only triggered by userspace when the user
> > specifically passes in an invalid nf_nat_l3protos index. I'm happy to re-work
> > the patch to check for this in ctnetlink_create_conntrack().
>
> Great.
>
> Note that this code does not exist in the tree anymore. I'm not sure
> if this problem still exists upstream, this patch does not apply to
> nf.git. This fix should only go for -stable maintainers.
>
> > > BTW, do you have a Fixes: tag for this? This will be useful for
> > > -stable maintainer to pick up this fix.
> >
> > Regarding the Fixes: tag, I don't have one offhand since this bug was reported
> > to me, but I can search through the code history to find the commit that
> > exposed this vulnerability.
>
> That would be great.
>
> Thank you.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic