| author | Davide Ornaghi <d.ornaghi97@gmail.com> | 2026-06-10 12:39:13 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2026-06-10 18:00:32 +0200 |
| commit | c7d573551f9286100a055ef696cde6af54549677 (patch) | |
| tree | 3b55982a657bd6eaadfa6632b3acc0ec7c1f8dc4 /include/uapi/linux | |
| parent | ab185e0c4fb82dfba6fb86f8271e06f931d9c64c (diff) | |
netfilter: nft_meta_bridge: fix stale stack leak via IIFHWADDR register

NFT_META_BRI_IIFHWADDR declares its destination register with
len = ETH_ALEN (6 bytes), which the register-init tracking rounds up to
two 32-bit registers (8 bytes). nft_meta_bridge_get_eval() then does
memcpy(dest, br_dev->dev_addr, ETH_ALEN), writing only 6 bytes and
leaving the upper 2 bytes of the second register as uninitialised
nft_do_chain() stack. A downstream load of that register span leaks
those stale bytes to userspace.

Zero the second register before the memcpy so the full declared span is
written.

Fixes: cbd2257dc96e ("netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support")
Cc: stable@vger.kernel.org
Signed-off-by: Davide Ornaghi <d.ornaghi97@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
0 files changed, 0 insertions, 0 deletions
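
A userspace model of the defect and fix described in the commit message, added here as an illustration; it is not the kernel patch or code from the netfilter project. The helper names (`regs_needed`, `eval_before`, `eval_after`, `stale_bytes`), the sample MAC address and the 0xAA filler standing in for old stack contents are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_ALEN 6                    /* MAC address length, per the commit message */
#define REG32_SIZE sizeof(uint32_t)   /* one 32-bit register */

/* Hypothetical helper: 32-bit registers occupied by a len-byte destination. */
static size_t regs_needed(size_t len)
{
    return (len + REG32_SIZE - 1) / REG32_SIZE;
}

/* Models the pre-fix behaviour: only ETH_ALEN bytes of the span are written. */
static void eval_before(uint32_t *dest, const uint8_t *hwaddr)
{
    memcpy(dest, hwaddr, ETH_ALEN);
}

/* Models the fix: zero the second register, then copy the address. */
static void eval_after(uint32_t *dest, const uint8_t *hwaddr)
{
    dest[1] = 0;
    memcpy(dest, hwaddr, ETH_ALEN);
}

/* Counts bytes of the declared span that still hold the stale filler. */
static size_t stale_bytes(void (*eval)(uint32_t *, const uint8_t *))
{
    /* Constructed sample data: a MAC containing no 0xAA byte. */
    static const uint8_t mac[ETH_ALEN] = { 0x02, 0x00, 0x5e, 0x10, 0x20, 0x30 };
    uint32_t regs[2];
    uint8_t span[sizeof(regs)];
    size_t i, n = 0;

    memset(regs, 0xAA, sizeof(regs));  /* stands in for leftover stack contents */
    eval(regs, mac);
    memcpy(span, regs, sizeof(span));  /* what a load of the full span reads */
    for (i = 0; i < regs_needed(ETH_ALEN) * REG32_SIZE; i++)
        n += (span[i] == 0xAA);
    return n;
}

int main(void)
{
    printf("stale bytes before fix: %zu\n", stale_bytes(eval_before));
    printf("stale bytes after fix:  %zu\n", stale_bytes(eval_after));
    return 0;
}
```

The same check applies to any register writer whose declared length is not a multiple of 4: the bytes between the copied length and the rounded-up span must be written explicitly.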
