)]}'
{
  "commit": "d25dcb0cf6b0d2d8ba1b35af669d55514b82d65e",
  "tree": "2e2663fad8ca8c9ea1568609ead4992e7c912182",
  "parents": [
    "3bebe45bac63923587530063f42088e48b508b42"
  ],
  "author": {
    "name": "Thadeu Lima de Souza Cascardo",
    "email": "cascardo@canonical.com",
    "time": "Wed Jul 05 18:05:35 2023 -0300"
  },
  "committer": {
    "name": "COS Cherry Picker",
    "email": "cloud-image-release@prod.google.com",
    "time": "Tue Jul 18 13:40:05 2023 -0700"
  },
  "message": "netfilter: nf_tables: prevent OOB access in nft_byteorder_eval\n\ncommit caf3ef7468f7534771b5c44cd8dbd6f7f87c2cbd upstream.\n\nWhen evaluating byteorder expressions with size 2, a union with 32-bit and\n16-bit members is used. Since the 16-bit members are aligned to 32-bit,\nthe array accesses will be out-of-bounds.\n\nIt may lead to a stack-out-of-bounds access like the one below:\n\n[   23.095215] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[   23.095625] BUG: KASAN: stack-out-of-bounds in nft_byteorder_eval+0x13c/0x320\n[   23.096020] Read of size 2 at addr ffffc90000007948 by task ping/115\n[   23.096358]\n[   23.096456] CPU: 0 PID: 115 Comm: ping Not tainted 6.4.0+ #413\n[   23.096770] Call Trace:\n[   23.096910]  \u003cIRQ\u003e\n[   23.097030]  dump_stack_lvl+0x60/0xc0\n[   23.097218]  print_report+0xcf/0x630\n[   23.097388]  ? nft_byteorder_eval+0x13c/0x320\n[   23.097577]  ? kasan_addr_to_slab+0xd/0xc0\n[   23.097760]  ? nft_byteorder_eval+0x13c/0x320\n[   23.097949]  kasan_report+0xc9/0x110\n[   23.098106]  ? nft_byteorder_eval+0x13c/0x320\n[   23.098298]  __asan_load2+0x83/0xd0\n[   23.098453]  nft_byteorder_eval+0x13c/0x320\n[   23.098659]  nft_do_chain+0x1c8/0xc50\n[   23.098852]  ? __pfx_nft_do_chain+0x10/0x10\n[   23.099078]  ? __kasan_check_read+0x11/0x20\n[   23.099295]  ? __pfx___lock_acquire+0x10/0x10\n[   23.099535]  ? __pfx___lock_acquire+0x10/0x10\n[   23.099745]  ? __kasan_check_read+0x11/0x20\n[   23.099929]  nft_do_chain_ipv4+0xfe/0x140\n[   23.100105]  ? __pfx_nft_do_chain_ipv4+0x10/0x10\n[   23.100327]  ? lock_release+0x204/0x400\n[   23.100515]  ? nf_hook.constprop.0+0x340/0x550\n[   23.100779]  nf_hook_slow+0x6c/0x100\n[   23.100977]  ? __pfx_nft_do_chain_ipv4+0x10/0x10\n[   23.101223]  nf_hook.constprop.0+0x334/0x550\n[   23.101443]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[   23.101677]  ? __pfx_nf_hook.constprop.0+0x10/0x10\n[   23.101882]  ? __pfx_ip_rcv_finish+0x10/0x10\n[   23.102071]  ? __pfx_ip_local_deliver_finish+0x10/0x10\n[   23.102291]  ? rcu_read_lock_held+0x4b/0x70\n[   23.102481]  ip_local_deliver+0xbb/0x110\n[   23.102665]  ? __pfx_ip_rcv+0x10/0x10\n[   23.102839]  ip_rcv+0x199/0x2a0\n[   23.102980]  ? __pfx_ip_rcv+0x10/0x10\n[   23.103140]  __netif_receive_skb_one_core+0x13e/0x150\n[   23.103362]  ? __pfx___netif_receive_skb_one_core+0x10/0x10\n[   23.103647]  ? mark_held_locks+0x48/0xa0\n[   23.103819]  ? process_backlog+0x36c/0x380\n[   23.103999]  __netif_receive_skb+0x23/0xc0\n[   23.104179]  process_backlog+0x91/0x380\n[   23.104350]  __napi_poll.constprop.0+0x66/0x360\n[   23.104589]  ? net_rx_action+0x1cb/0x610\n[   23.104811]  net_rx_action+0x33e/0x610\n[   23.105024]  ? _raw_spin_unlock+0x23/0x50\n[   23.105257]  ? __pfx_net_rx_action+0x10/0x10\n[   23.105485]  ? mark_held_locks+0x48/0xa0\n[   23.105741]  __do_softirq+0xfa/0x5ab\n[   23.105956]  ? __dev_queue_xmit+0x765/0x1c00\n[   23.106193]  do_softirq.part.0+0x49/0xc0\n[   23.106423]  \u003c/IRQ\u003e\n[   23.106547]  \u003cTASK\u003e\n[   23.106670]  __local_bh_enable_ip+0xf5/0x120\n[   23.106903]  __dev_queue_xmit+0x789/0x1c00\n[   23.107131]  ? __pfx___dev_queue_xmit+0x10/0x10\n[   23.107381]  ? find_held_lock+0x8e/0xb0\n[   23.107585]  ? lock_release+0x204/0x400\n[   23.107798]  ? neigh_resolve_output+0x185/0x350\n[   23.108049]  ? mark_held_locks+0x48/0xa0\n[   23.108265]  ? neigh_resolve_output+0x185/0x350\n[   23.108514]  neigh_resolve_output+0x246/0x350\n[   23.108753]  ? neigh_resolve_output+0x246/0x350\n[   23.109003]  ip_finish_output2+0x3c3/0x10b0\n[   23.109250]  ? __pfx_ip_finish_output2+0x10/0x10\n[   23.109510]  ? __pfx_nf_hook+0x10/0x10\n[   23.109732]  __ip_finish_output+0x217/0x390\n[   23.109978]  ip_finish_output+0x2f/0x130\n[   23.110207]  ip_output+0xc9/0x170\n[   23.110404]  ip_push_pending_frames+0x1a0/0x240\n[   23.110652]  raw_sendmsg+0x102e/0x19e0\n[   23.110871]  ? __pfx_raw_sendmsg+0x10/0x10\n[   23.111093]  ? lock_release+0x204/0x400\n[   23.111304]  ? __mod_lruvec_page_state+0x148/0x330\n[   23.111567]  ? find_held_lock+0x8e/0xb0\n[   23.111777]  ? find_held_lock+0x8e/0xb0\n[   23.111993]  ? __rcu_read_unlock+0x7c/0x2f0\n[   23.112225]  ? aa_sk_perm+0x18a/0x550\n[   23.112431]  ? filemap_map_pages+0x4f1/0x900\n[   23.112665]  ? __pfx_aa_sk_perm+0x10/0x10\n[   23.112880]  ? find_held_lock+0x8e/0xb0\n[   23.113098]  inet_sendmsg+0xa0/0xb0\n[   23.113297]  ? inet_sendmsg+0xa0/0xb0\n[   23.113500]  ? __pfx_inet_sendmsg+0x10/0x10\n[   23.113727]  sock_sendmsg+0xf4/0x100\n[   23.113924]  ? move_addr_to_kernel.part.0+0x4f/0xa0\n[   23.114190]  __sys_sendto+0x1d4/0x290\n[   23.114391]  ? __pfx___sys_sendto+0x10/0x10\n[   23.114621]  ? __pfx_mark_lock.part.0+0x10/0x10\n[   23.114869]  ? lock_release+0x204/0x400\n[   23.115076]  ? find_held_lock+0x8e/0xb0\n[   23.115287]  ? rcu_is_watching+0x23/0x60\n[   23.115503]  ? __rseq_handle_notify_resume+0x6e2/0x860\n[   23.115778]  ? __kasan_check_write+0x14/0x30\n[   23.116008]  ? blkcg_maybe_throttle_current+0x8d/0x770\n[   23.116285]  ? mark_held_locks+0x28/0xa0\n[   23.116503]  ? do_syscall_64+0x37/0x90\n[   23.116713]  __x64_sys_sendto+0x7f/0xb0\n[   23.116924]  do_syscall_64+0x59/0x90\n[   23.117123]  ? irqentry_exit_to_user_mode+0x25/0x30\n[   23.117387]  ? irqentry_exit+0x77/0xb0\n[   23.117593]  ? exc_page_fault+0x92/0x140\n[   23.117806]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[   23.118081] RIP: 0033:0x7f744aee2bba\n[   23.118282] Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3 0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f 05 \u003c48\u003e 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89\n[   23.119237] RSP: 002b:00007ffd04a7c9f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c\n[   23.119644] RAX: ffffffffffffffda RBX: 00007ffd04a7e0a0 RCX: 00007f744aee2bba\n[   23.120023] RDX: 0000000000000040 RSI: 000056488e9e6300 RDI: 0000000000000003\n[   23.120413] RBP: 000056488e9e6300 R08: 00007ffd04a80320 R09: 0000000000000010\n[   23.120809] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040\n[   23.121219] R13: 00007ffd04a7dc38 R14: 00007ffd04a7ca00 R15: 00007ffd04a7e0a0\n[   23.121617]  \u003c/TASK\u003e\n[   23.121749]\n[   23.121845] The buggy address belongs to the virtual mapping at\n[   23.121845]  [ffffc90000000000, ffffc90000009000) created by:\n[   23.121845]  irq_init_percpu_irqstack+0x1cf/0x270\n[   23.122707]\n[   23.122803] The buggy address belongs to the physical page:\n[   23.123104] page:0000000072ac19f0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x24a09\n[   23.123609] flags: 0xfffffc0001000(reserved|node\u003d0|zone\u003d1|lastcpupid\u003d0x1fffff)\n[   23.123998] page_type: 0xffffffff()\n[   23.124194] raw: 000fffffc0001000 ffffea0000928248 ffffea0000928248 0000000000000000\n[   23.124610] raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000\n[   23.125023] page dumped because: kasan: bad access detected\n[   23.125326]\n[   23.125421] Memory state around the buggy address:\n[   23.125682]  ffffc90000007800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n[   23.126072]  ffffc90000007880: 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00\n[   23.126455] \u003effffc90000007900: 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00\n[   23.126840]                                               ^\n[   23.127138]  ffffc90000007980: 00 00 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3\n[   23.127522]  ffffc90000007a00: f3 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1\n[   23.127906] \u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n[   23.128324] Disabling lock debugging due to kernel taint\n\nUsing simple s16 pointers for the 16-bit accesses fixes the problem. For\nthe 32-bit accesses, src and dst can be used directly.\n\nBUG\u003db/291058319\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2023-35001 in the Linux kernel.\n\ncos-patch: security-high\nFixes: 96518518cc41 (\"netfilter: add nftables\")\nCc: stable@vger.kernel.org\nReported-by: Tanguy DUBROCA (@SidewayRE) from @Synacktiv working with ZDI\nChange-Id: Ie5a5b4bc6a4129d69303094a63f81dfc1657e729\nSigned-off-by: Thadeu Lima de Souza Cascardo \u003ccascardo@canonical.com\u003e\nReviewed-by: Florian Westphal \u003cfw@strlen.de\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Arnav Kansal \u003crnv@google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/52156\nMain-Branch-Verified: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "9d5947ab8d4ef33531dd82fa42057d24273f1260",
      "old_mode": 33188,
      "old_path": "net/netfilter/nft_byteorder.c",
      "new_id": "7b0b8fecb2205fad1e306c9cfd51bc1ac7585032",
      "new_mode": 33188,
      "new_path": "net/netfilter/nft_byteorder.c"
    }
  ]
}