In pfkey_dump() dplen and splen can both be specified to access the
xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
when it calls addr_match() with the indexes. Return EINVAL if either
are out of range.
Signed-off-by: Mark Salyzyn <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
---
Should be back ported to the stable queues because this is a out of
bounds access.
net/key/af_key.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index b67ed3a8486c..dd2a684879de 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1849,6 +1849,13 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms
if (ext_hdrs[SADB_X_EXT_FILTER - 1]) {
struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1];
+ if ((xfilter->sadb_x_filter_splen >=
+ (sizeof(xfrm_address_t) << 3)) ||
+ (xfilter->sadb_x_filter_dplen >=
+ (sizeof(xfrm_address_t) << 3))) {
+ mutex_unlock(&pfk->dump_lock);
+ return -EINVAL;
+ }
filter = kmalloc(sizeof(*filter), GFP_KERNEL);
if (filter == NULL) {
mutex_unlock(&pfk->dump_lock);
--
2.28.0.rc0.105.gf9edc3c819-goog
On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> In pfkey_dump() dplen and splen can both be specified to access the
> xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
> when it calls addr_match() with the indexes. Return EINVAL if either
> are out of range.
>
> Signed-off-by: Mark Salyzyn <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
> ---
> Should be back ported to the stable queues because this is a out of
> bounds access.
Please do a v2 and add a proper 'Fixes' tag if this is a fix that
needs to be backported.
Thanks!
On 7/22/20 2:33 AM, Steffen Klassert wrote:
> On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
>> In pfkey_dump() dplen and splen can both be specified to access the
>> xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
>> when it calls addr_match() with the indexes. Return EINVAL if either
>> are out of range.
>>
>> Signed-off-by: Mark Salyzyn <[email protected]>
>> Cc: [email protected]
>> Cc: [email protected]
>> Cc: [email protected]
>> ---
>> Should be back ported to the stable queues because this is a out of
>> bounds access.
> Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> needs to be backported.
>
> Thanks!
Confused because this code was never right? From 2008 there was a
rewrite that instantiated this fragment of code so that it could handle
continuations for overloaded receive queues, but it was not right before
the adjustment.
Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
entries non-atomically")
that is reaching back more than 12 years and the blame is poorly aimed
AFAIK.
Sincerely -- Mark Salyzyn
On Wed, Jul 22, 2020 at 03:20:59AM -0700, Mark Salyzyn wrote:
> On 7/22/20 2:33 AM, Steffen Klassert wrote:
> > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> > > In pfkey_dump() dplen and splen can both be specified to access the
> > > xfrm_address_t structure out of bounds in__xfrm_state_filter_match()
> > > when it calls addr_match() with the indexes. Return EINVAL if either
> > > are out of range.
> > >
> > > Signed-off-by: Mark Salyzyn <[email protected]>
> > > Cc: [email protected]
> > > Cc: [email protected]
> > > Cc: [email protected]
> > > ---
> > > Should be back ported to the stable queues because this is a out of
> > > bounds access.
> > Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> > needs to be backported.
> >
> > Thanks!
>
> Confused because this code was never right? From 2008 there was a rewrite
> that instantiated this fragment of code so that it could handle
> continuations for overloaded receive queues, but it was not right before the
> adjustment.
>
> Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
> entries non-atomically")
>
> that is reaching back more than 12 years and the blame is poorly aimed
> AFAIK.
This is just that the stable team knows how far they need to backport
it. If this was never right, then the initial git commit is the right
one for the fixes tag e.g. 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")'