Received: by 10.213.65.68 with SMTP id h4csp1280578imn; Mon, 26 Mar 2018 04:40:39 -0700 (PDT) X-Google-Smtp-Source: AG47ELunGBAjFVsHrtQiUSwcEUFcSLt5kbjMiDBNhjZjvqQzPJIEkY8tydRzhAdfARW7s32NVPoD X-Received: by 2002:a17:902:6941:: with SMTP id k1-v6mr21723607plt.185.1522064439617; Mon, 26 Mar 2018 04:40:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1522064439; cv=none; d=google.com; s=arc-20160816; b=ZsmBfzQYlakm3t6u3le1XEvNyo6NBx6X+vrrOEYmAGEtfpYHpuS41/t3ZiLl3uvvol mUKY0txvDFL4/Vv83NpnbQcIfXKK2tBp1qQP+gtmNYqWHODVGLZNksVkXxkQA1qcuwCB Ygi+0MFZR1wxg9YIv7iuhciPxSki9i/kG/PB9zoC1BV0xYvAPZwaGeQa4P7jOWAYl3GK W6u0vWfQVXaJM55fqfnmRBSQ9/B0rb554Wp3yBfatE13bVeVj0Y+Yg7qSHm+v199mzO9 5RMdjm6Y20Ol7DDcRnvw81/IWqpUUMD1MbVasT8DeUQMgZ1/t/kp7G2x2W8LfC8B5wtB v0nw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:content-disposition :mime-version:message-id:subject:to:from:date :arc-authentication-results; bh=JhiQrYgHBLyNdhsZu0zlxJBIpr5XgEfUp3eu8ehZv7s=; b=aQxgKKiV25eimWg4aFBOGqf4maNilDjC8u48lr2XaKVDYz67xTuHyWqL9AON3tDKdD 6FfaUfk1lp8SeVsYA+5jVYsisclFCTesbAVg3DR4/qeK5GPjGdtcCTQx8SgpDoy03X8K Xdt8heogIC2HXgNypGsosVxc9bvgCwPAMPY1j9Im8xDOo9yt+DCs0LwDtmLjmATgacag 0brB+hn5M2DgbxcghaVfjXdxEE+JeHw5IzOO+PC0VLETlArh97xrDNY0NEI0kTux9/ib dsAs4mFWSFmRwvxxwCWew/t35141gu1Qg92jF5ihRScYGcPOg1Re7q4O2nqkMAz4sah+ 8rTQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c3-v6si14849068pld.545.2018.03.26.04.40.25; Mon, 26 Mar 2018 04:40:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751380AbeCZLjK (ORCPT + 99 others); Mon, 26 Mar 2018 07:39:10 -0400 Received: from la.guarana.org ([173.254.219.205]:47364 "EHLO la.guarana.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751148AbeCZLjJ (ORCPT ); Mon, 26 Mar 2018 07:39:09 -0400 Received: by la.guarana.org (Postfix, from userid 1006) id E894C3460C54; Mon, 26 Mar 2018 07:39:06 -0400 (EDT) Date: Mon, 26 Mar 2018 07:39:06 -0400 From: Kevin Easton To: Steffen Klassert , Herbert Xu , "David S. Miller" , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 0/2] af_key: Fix for sadb_key memcpy read overrun Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org As found by syzbot, af_key does not properly validate the key length in sadb_key messages from userspace. This can result in copying from beyond the end of the sadb_key part of the message, or indeed beyond the end of the entire packet. Kevin Easton (2): af_key: Use DIV_ROUND_UP() instead of open-coded equivalent af_key: Always verify length of provided sadb_key net/key/af_key.c | 58 ++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 42 insertions(+), 16 deletions(-) -- 2.8.1