From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot, Steffen Klassert
Subject: [PATCH 4.4 005/193] xfrm: Fix stack-out-of-bounds read on socket policy lookup.
Date: Fri, 23 Feb 2018 19:23:58 +0100
Message-Id: <20180223170326.927973666@linuxfoundation.org>
In-Reply-To: <20180223170325.997716448@linuxfoundation.org>

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Steffen Klassert commit ddc47e4404b58f03e98345398fb12d38fe291512 upstream. When we do tunnel or beet mode, we pass saddr and daddr from the template to xfrm_state_find(), this is ok. On transport mode, we pass the addresses from the flowi, assuming that the IP addresses (and address family) don't change during transformation. This assumption is wrong in the IPv4 mapped IPv6 case, packet is IPv4 and template is IPv6. Fix this by catching address family missmatches of the policy and the flow already before we do the lookup. Reported-by: syzbot Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_policy.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -1225,9 +1225,15 @@ static struct xfrm_policy *xfrm_sk_polic read_lock_bh(&net->xfrm.xfrm_policy_lock); pol = rcu_dereference(sk->sk_policy[dir]); if (pol != NULL) { - bool match = xfrm_selector_match(&pol->selector, fl, family); + bool match; int err = 0; + if (pol->family != family) { + pol = NULL; + goto out; + } + + match = xfrm_selector_match(&pol->selector, fl, family); if (match) { if ((sk->sk_mark & pol->mark.m) != pol->mark.v) { pol = NULL;
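Review bot: the new early exit `if (pol->family != family) { pol = NULL; goto out; }` jumps to an `out:` label that is not within this hunk's context, so please confirm that label is the one that releases the `read_lock_bh(&net->xfrm.xfrm_policy_lock)` taken a few lines above; otherwise this path would return while still holding the read lock. A short comment on the family check (the IPv4-mapped IPv6 transport-mode case described in the commit message, where the flow is IPv4 but the socket policy is IPv6) would also help a later reader see why the mismatch is rejected here rather than left for `xfrm_selector_match()` to handle.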