)]}'
{
  "commit": "e14537dc2b2f017602e9738cc38eaf8be03f8d14",
  "tree": "e035d64633a27d388c2307ab349d6b9272bb5d66",
  "parents": [
    "a75611e516d2d29d1e04e26e345c3313a5b04b90"
  ],
  "author": {
    "name": "Dan Carpenter",
    "email": "dan.carpenter@linaro.org",
    "time": "Fri Nov 03 09:42:51 2023 +0300"
  },
  "committer": {
    "name": "Michael Kochera",
    "email": "kochera@google.com",
    "time": "Tue Jan 30 23:45:48 2024 +0000"
  },
  "message": "netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()\n\n[ Upstream commit c301f0981fdd3fd1ffac6836b423c4d7a8e0eb63 ]\n\nThe problem is in nft_byteorder_eval() where we are iterating through a\nloop and writing to dst[0], dst[1], dst[2] and so on...  On each\niteration we are writing 8 bytes.  But dst[] is an array of u32 so each\nelement only has space for 4 bytes.  That means that every iteration\noverwrites part of the previous element.\n\nI spotted this bug while reviewing commit caf3ef7468f7 (\"netfilter:\nnf_tables: prevent OOB access in nft_byteorder_eval\") which is a related\nissue.  I think that the reason we have not detected this bug in testing\nis that most of time we only write one element.\n\nBUG\u003db/322600529\nTEST\u003dNone\nRELEASE_NOTE\u003dFixed CVE-2024-0607 in the linux kernel.\n\ncos-patch: security-moderate\nFixes: ce1e7989d989 (\"netfilter: nft_byteorder: provide 64bit le/be conversion\")\nChange-Id: I5f0a3aa376f38713cc2577e003a55175e67ccbae\nSigned-off-by: Dan Carpenter \u003cdan.carpenter@linaro.org\u003e\nSigned-off-by: Pablo Neira Ayuso \u003cpablo@netfilter.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/64351\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d1f81a6d7773b1792cfe132dc1b6e76bde1def52",
      "old_mode": 33188,
      "old_path": "include/net/netfilter/nf_tables.h",
      "new_id": "c726da3b7d68a44c247e0886669a8eb48b643e19",
      "new_mode": 33188,
      "new_path": "include/net/netfilter/nf_tables.h"
    },
    {
      "type": "modify",
      "old_id": "2e2eb2cb17bc730330375cf49c266d2f8328f5f6",
      "old_mode": 33188,
      "old_path": "net/netfilter/nft_byteorder.c",
      "new_id": "605178133d9eb3f95232eba0861ba847a1d2f374",
      "new_mode": 33188,
      "new_path": "net/netfilter/nft_byteorder.c"
    },
    {
      "type": "modify",
      "old_id": "55d2d49c34259c52cdfdd8e011712d0921fec58b",
      "old_mode": 33188,
      "old_path": "net/netfilter/nft_meta.c",
      "new_id": "6e833219262294c08b3eb3031c2bb17c890c32d7",
      "new_mode": 33188,
      "new_path": "net/netfilter/nft_meta.c"
    }
  ]
}