Hi! > From: Will McVicker <willmcvic...@google.com> > > commit 1cc5ef91d2ff94d2bf2de3b3585423e8a1051cb6 upstream. > > The indexes to the nf_nat_l[34]protos arrays come from userspace. So > check the tuple's family, e.g. l3num, when creating the conntrack in > order to prevent an OOB memory access during setup. Here is an example > kernel panic on 4.14.180 when userspace passes in an index greater than > NFPROTO_NUMPROTO.
Since this protects against OOB array access, should it use _nospec()
variant to protect from speculation attacks?
Best regards,
Pavel
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -1129,6 +1129,8 @@ ctnetlink_parse_tuple(const struct nlatt
> if (!tb[CTA_TUPLE_IP])
> return -EINVAL;
>
> + if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
> + return -EOPNOTSUPP;
> tuple->src.l3num = l3num;
>
> err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
>
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures)
http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
signature.asc
Description: Digital signature
