authorDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:28 +0200
committerDenis Kirjanov <dkirjanov@suse.com>2019-05-02 13:49:40 +0200
commitbd252e068a166e078058acfb1c2113034b701d4c (patch)
tree51f771d56fb4babf0e4193fbd2ebb775f49ceaf5
parente0b498c5ab84b9a37f4d706cc5cfa90f299d050b (diff)
netfilter: ipv6: fix use-after-free Write in
nf_nat_ipv6_manip_pkt (git-fixes).
-rw-r--r--patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch37
-rw-r--r--series.conf1
2 files changed, 38 insertions, 0 deletions
diff --git a/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch b/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
new file mode 100644
index 0000000000..84946a824a
--- /dev/null
+++ b/patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
@@ -0,0 +1,37 @@
+From: Florian Westphal <fw@strlen.de>
+Subject: netfilter: ipv6: fix use-after-free Write in
+ nf_nat_ipv6_manip_pkt
+Patch-mainline: v4.16-rc5
+Git-commit: b078556aecd791b0e5cb3a59f4c3a14273b52121
+References: git-fixes
+
+l4proto->manip_pkt() can cause reallocation of skb head so pointer
+to the ipv6 header must be reloaded.
+
+Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
+Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv6/netfilter/nf_nat_l3proto_ipv6.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+index b2b4f031b3a1..df48f83d6795 100644
+--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+@@ -99,6 +99,10 @@ static bool nf_nat_ipv6_manip_pkt(struct sk_buff *skb,
+ !l4proto->manip_pkt(skb, &nf_nat_l3proto_ipv6, iphdroff, hdroff,
+ target, maniptype))
+ return false;
++
++ /* must reload, offset might have changed */
++ ipv6h = (void *)skb->data + iphdroff;
++
+ manip_addr:
+ if (maniptype == NF_NAT_MANIP_SRC)
+ ipv6h->saddr = target->src.u3.in6;
+--
+2.12.3
+
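Review bot: The comment added next to the reload, `/* must reload, offset might have changed */`, names the wrong thing: iphdroff is not touched across the call, it is skb->data (the skb head) that l4proto->manip_pkt() may reallocate, which is exactly what the patch description says. A comment stating the actual hazard would read `/* must reload: manip_pkt() may have reallocated the skb head, so skb->data moved */`, so the next reader does not go looking for an offset update that never happens. The enclosing nf_nat_ipv6_manip_pkt() starts and ends outside the hunk, so I cannot see whether ipv6h or other skb-derived pointers are used again after the manip_addr block; if they are, the same reload rule applies to any later call that can grow the skb.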
diff --git a/series.conf b/series.conf
index 951f50c918..a96060abbe 100644
--- a/series.conf
+++ b/series.conf
@@ -14022,6 +14022,7 @@
patches.fixes/bpf-ppc64-fix-out-of-bounds-access-in-tail-call.patch
patches.fixes/rds-Incorrect-reference-counting-in-TCP-socket-creat.patch
patches.drivers/mac80211-drop-frames-with-unexpected-DS-bits-from-fa
+ patches.fixes/0005-netfilter-ipv6-fix-use-after-free-Write-in-nf_nat_ip.patch
patches.fixes/netfilter-ebtables-CONFIG_COMPAT-don-t-trust-userlan.patch
patches.suse/netfilter-don-t-set-F_IFACE-on-ipv6-fib-lookups.patch
patches.fixes/netfilter-use-skb_to_full_sk-in-ip6_route_me_harder.patch