Description: netfilter: nf_tables: validate registers coming from userspace.
References:
https://www.openwall.com/lists/oss-security/2022/03/28/5
http://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/
Notes:
carnil> Exploitable starting from commit 345023b0db3 ("netfilter:
carnil> nftables: add nft_parse_register_store() and use it") in
carnil> 5.12-rc1 but bug present since commit 49499c3e6e18 ("netfilter:
carnil> nf_tables: switch registers to 32 bit addressing") in 4.1-rc1
carnil> Fixed in 5.17.1 for 5.17.y and 5.16.18 for 5.16.y.
bwh> If I understand this correctly, the issue is that nft_parse_register()
bwh> could return a very large register number that would lead to integer
bwh> overflow in the range check in nft_validate_register_{load,store}().
bwh> This was not exploitable before commit 345023b0db3 because all in-tree
bwh> callers truncated the return value of nft_parse_register() to 8 bits
bwh> before passing it on to nft_validate_register_{load,store}().
bwh> I also didn't find any out-of-tree modules using nft_parse_register()
bwh> through codesearch.debian.net or GitHub.
Bugs:
upstream: released (5.18-rc1) [6e1acfa387b9ff82cfc7db8cc3b6959221a95851]
5.10-upstream-stable: N/A "Vulnerability introduced later"
4.19-upstream-stable: N/A "Vulnerability introduced later"
4.9-upstream-stable: N/A "Vulnerability introduced later"
sid: released (5.16.18-1)
5.10-bullseye-security: N/A "Vulnerability introduced later"
4.19-buster-security: N/A "Vulnerability introduced later"
4.9-stretch-security: N/A "Vulnerability introduced later"