Bug 2238312 (CVE-2023-4881, ZDI-CAN-21950, ZDI-CAN-21951, ZDI-CAN-21961) - CVE-2023-4881 kernel: netfilter: stack out-of-bounds write in nft_exthdr ip/tcp/sctp functions
Summary: CVE-2023-4881 kernel: netfilter: stack out-of-bounds write in nft_exthdr ip/t...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2023-4881, ZDI-CAN-21950, ZDI-CAN-21951, ZDI-CAN-21961
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2238313
Blocks: 2238286
TreeView+ depends on / blocked
 
Reported: 2023-09-11 12:15 UTC by Mauro Matteo Cascella
Modified: 2023-12-21 09:00 UTC (History)
40 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A stack based out-of-bounds write flaw was found in the netfilter subsystem in the Linux kernel. If the expression length is a multiple of 4 (register size), the `nft_exthdr_eval` family of functions writes 4 NULL bytes past the end of the `regs` argument, leading to stack corruption and potential information disclosure or a denial of service.
Clone Of:
Environment:
Last Closed: 2023-09-20 17:38:02 UTC
Embargoed:

Attachments (Terms of Use)

Description Mauro Matteo Cascella 2023-09-11 12:15:49 UTC 
A stack based out-of-bounds write was found in the netfilter subsystem in the Linux kernel. If priv->len is a multiple of 4, then dst[len / 4] can write past the destination array which leads to stack corruption.

Upstream patch:
https://lore.kernel.org/all/20230906162525.11079-2-fw@strlen.de/
Comment 1 Mauro Matteo Cascella 2023-09-11 12:16:17 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2238313]
Note You need to log in before you can comment on or make changes to this bug.