Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752040AbdHCLFw (ORCPT ); Thu, 3 Aug 2017 07:05:52 -0400 Received: from a.mx.secunet.com ([62.96.220.36]:48978 "EHLO a.mx.secunet.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751208AbdHCLFu (ORCPT ); Thu, 3 Aug 2017 07:05:50 -0400 Date: Thu, 3 Aug 2017 13:05:47 +0200 From: Steffen Klassert To: Vladis Dronov CC: Herbert Xu , "David S . Miller" , , , Subject: Re: [PATCH] xfrm: policy: check policy direction value Message-ID: <20170803110547.GL2631@secunet.com> References: <20170802175014.20582-1-vdronov@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Disposition: inline In-Reply-To: <20170802175014.20582-1-vdronov@redhat.com> User-Agent: Mutt/1.5.24 (2015-08-30) X-G-Data-MailSecurity-for-Exchange-State: 0 X-G-Data-MailSecurity-for-Exchange-Error: 0 X-G-Data-MailSecurity-for-Exchange-Sender: 23 X-G-Data-MailSecurity-for-Exchange-Server: d65e63f7-5c15-413f-8f63-c0d707471c93 X-EXCLAIMER-MD-CONFIG: 2c86f778-e09b-4440-8b15-867914633a10 X-G-Data-MailSecurity-for-Exchange-Guid: 714E4FCE-13C1-4CAC-B26F-DAD2DEB2389F Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 637 Lines: 14 On Wed, Aug 02, 2017 at 07:50:14PM +0200, Vladis Dronov wrote: > The 'dir' parameter in xfrm_migrate() is a user-controlled byte which is used > as an array index. This can lead to an out-of-bound access, kernel lockup and > DoS. Add a check for the 'dir' value. > > This fixes CVE-2017-11600. > > References: https://bugzilla.redhat.com/show_bug.cgi?id=1474928 > Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)") > Cc: # v2.6.21-rc1 > Reported-by: "bo Zhang" > Signed-off-by: Vladis Dronov Applied to the ipsec tree, thanks!