From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com, Mathias Krause, Florian Westphal, Steffen Klassert
Subject: [PATCH 4.15 20/72] xfrm_user: unconditionally validate esn replay attribute struct
Date: Fri, 6 Apr 2018 15:23:55 +0200
Message-Id: <20180406084351.106100049@linuxfoundation.org>
In-Reply-To: <20180406084349.367583460@linuxfoundation.org>
References: <20180406084349.367583460@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org

4.15-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed: validation only occurs if the XFRM_STATE_ESN flag is set, but the rest of the code doesn't care and just checks whether the attribute itself is present. So always validate.

The alternative is to reject if we have the attribute without the flag, but that would change the ABI.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_user.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -121,22 +121,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < (int)xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) + return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
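Review bot: in the hunk, `rs->bmp_len` is read (the `XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8` comparison) before the `nla_len(rt) < (int)xfrm_replay_state_esn_len(rs)` size check that follows it, so the now-unconditional path depends on the attribute having already been length-checked to at least `sizeof(*rs)` by the netlink attribute policy before verify_replay() runs; that policy is not visible here, so a one-line comment above `rs = nla_data(rt);` stating that guarantee (or moving the minimum-size part of the check ahead of the `bmp_len` comparison) would keep the ordering safe for future edits. The restructuring itself is sound: the early `return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;` preserves the old result for a missing attribute in both flag states, and the `bmp_len` and `nla_len` checks now also cover the attribute-present-without-flag case the commit message describes, without rejecting that combination, so the stated ABI constraint is respected.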