Date: Wed, 21 Feb 2024 11:57:22 +0100
From: Greg KH
To: Ajay Kaher
Cc: stable@vger.kernel.org, pablo@netfilter.org, kadlec@netfilter.org, fw@strlen.de, davem@davemloft.net, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, alexey.makhalov@broadcom.com, florian.fainelli@broadcom.com, vasavi.sirnapalli@broadcom.com, Dan Carpenter, Sasha Levin
Subject: Re: [PATCH v5.4.y] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
Message-ID: <2024022115-vixen-brought-6058@gregkh>
References: <1707108293-1004-1-git-send-email-ajay.kaher@broadcom.com> <1707108293-1004-2-git-send-email-ajay.kaher@broadcom.com>
In-Reply-To: <1707108293-1004-2-git-send-email-ajay.kaher@broadcom.com>

On Mon, Feb 05, 2024 at 10:14:53AM +0530, Ajay Kaher wrote:
> From: Dan Carpenter
>
> commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 upstream.
>
> The problem is in nft_byteorder_eval() where we are iterating through a
> loop and writing to dst[0], dst[1], dst[2] and so on... On each
> iteration we are writing 8 bytes. But dst[] is an array of u32 so each
> element only has space for 4 bytes. That means that every iteration
> overwrites part of the previous element.
>
> I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
> nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
> issue. I think that the reason we have not detected this bug in testing
> is that most of the time we only write one element.
>
> Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
> Signed-off-by: Dan Carpenter
> Signed-off-by: Pablo Neira Ayuso
> Signed-off-by: Sasha Levin
> [Ajay: Modified to apply on v5.4.y]
> Signed-off-by: Ajay Kaher
> ---

All now queued up, thanks.

greg k-h
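The overlap described in the quoted commit message, shown as an added example that is not part of this thread or of the kernel source: a user-space C model of 8-byte stores into an array of 32-bit slots, indexed first in 4-byte and then in 8-byte units. All function names (`store64`, `load64`, `swap64`, `convert_u32_index`, `convert_u64_index`, `first_result_intact`) are hypothetical and the input values are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers: alignment-safe 64-bit store/load via memcpy. */
static void store64(void *p, uint64_t v) { memcpy(p, &v, sizeof(v)); }
static uint64_t load64(const void *p) { uint64_t v; memcpy(&v, p, sizeof(v)); return v; }

/* Reverse the byte order of a 64-bit value. */
static uint64_t swap64(uint64_t v)
{
    uint64_t r = 0;
    for (int i = 0; i < 8; i++, v >>= 8)
        r = (r << 8) | (v & 0xff);
    return r;
}

/* Flawed pattern: &dst[i] advances 4 bytes per step, each store writes 8. */
static void convert_u32_index(uint32_t *dst, const uint64_t *src, size_t n)
{
    for (size_t i = 0; i < n; i++)
        store64(&dst[i], swap64(src[i]));
}

/* Corrected pattern: advance in 8-byte units so the stores never overlap. */
static void convert_u64_index(uint32_t *dst, const uint64_t *src, size_t n)
{
    unsigned char *base = (unsigned char *)dst;
    for (size_t i = 0; i < n; i++)
        store64(base + i * sizeof(uint64_t), swap64(src[i]));
}

typedef void (*convert_fn)(uint32_t *, const uint64_t *, size_t);

/* Constructed input, n <= 2. Returns 1 if the first converted value survives. */
static int first_result_intact(convert_fn fn, size_t n)
{
    const uint64_t src[2] = { 0x0102030405060708ULL, 0x1112131415161718ULL };
    uint32_t regs[4] = { 0 };   /* four 32-bit slots = room for two u64 */

    fn(regs, src, n);
    return load64(&regs[0]) == swap64(src[0]);
}

int main(void)
{
    printf("u32 index, 1 element:  %d\n", first_result_intact(convert_u32_index, 1));
    printf("u32 index, 2 elements: %d\n", first_result_intact(convert_u32_index, 2));
    printf("u64 index, 2 elements: %d\n", first_result_intact(convert_u64_index, 2));
    return 0;
}
```

With a single element both variants agree, which matches the commit message's remark about why testing did not catch the problem.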