From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com, Mathias Krause, Florian Westphal, Steffen Klassert
Subject: [PATCH 4.14 18/67] xfrm_user: unconditionally validate esn replay attribute struct
Date: Fri, 6 Apr 2018 15:23:48 +0200
Message-Id: <20180406084343.785950210@linuxfoundation.org>
In-Reply-To: <20180406084341.225558262@linuxfoundation.org>
References: <20180406084341.225558262@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream. The sanity test added in ecd7918745234 can be bypassed, validation only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care and just checks if the attribute itself is present. So always validate. Alternative is to reject if we have the attribute without the flag but that would change abi. Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com Cc: Mathias Krause Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid") Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows") Signed-off-by: Florian Westphal Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_user.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -121,22 +121,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) + return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
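Review bot: in the hardened path, `rs = nla_data(rt);` is followed immediately by a read of `rs->bmp_len` (and by `xfrm_replay_state_esn_len(rs)`) before the `nla_len(rt) < ... && nla_len(rt) != sizeof(*rs)` test has established that the payload is at least `sizeof(*rs)` bytes; this ordering is only safe if the netlink attribute policy for XFRMA_REPLAY_ESN_VAL already enforces that minimum length, which the hunk does not show. A one-line comment above `rs = nla_data(rt);` naming that dependency would make the ordering obviously correct to the next reader, since this is exactly the spot a future refactor could break. The new `return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;` correctly folds the two old `if (!rt)` branches into one, and the commit message's reason for not rejecting an attribute sent without the flag (ABI) is sound.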
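As an added example, not code from this patch or the kernel tree, here is a user-space C model of verify_replay() before and after the change, with a constructed attribute that claims an oversized bitmap: the trimmed struct layout, the nlattr_model type, the flag value and the OVERSIZED input are assumptions, and the trailing ESP/AH protocol check is left out.

```c
#include <errno.h>
#include <stddef.h>

/* Constructed model of verify_replay() pre/post patch; layout is a simplified stand-in. */
#define XFRM_STATE_ESN       0x08   /* assumption: any distinct flag bit works here */
#define XFRMA_REPLAY_ESN_MAX 4096   /* upper bound on the attribute payload */
struct esn_state {            /* trimmed xfrm_replay_state_esn */
	unsigned int bmp_len; /* bitmap length (words) claimed by userspace */
	unsigned int bmp[];   /* bmp_len words are supposed to follow */
};
struct nlattr_model {         /* netlink attribute: payload pointer + length */
	const struct esn_state *data;
	size_t len;
};

static size_t esn_len(const struct esn_state *rs)
{
	return sizeof(*rs) + rs->bmp_len * sizeof(rs->bmp[0]);
}

/* The sanity test from ecd7918745234: bounded bmp_len, consistent length. */
static int check_esn(const struct nlattr_model *rt)
{
	const struct esn_state *rs = rt->data;
	if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
		return -EINVAL;
	if (rt->len < esn_len(rs) && rt->len != sizeof(*rs))
		return -EINVAL;
	return 0;
}

/* Pre-patch: the test runs only when XFRM_STATE_ESN is set; otherwise the attribute passes unchecked. */
int verify_replay_old(unsigned int flags, const struct nlattr_model *rt)
{
	if (flags & XFRM_STATE_ESN)
		return rt ? check_esn(rt) : -EINVAL;
	return 0;
}

/* Post-patch: the attribute's presence, not the flag, triggers the test. */
int verify_replay_new(unsigned int flags, const struct nlattr_model *rt)
{
	if (!rt)
		return (flags & XFRM_STATE_ESN) ? -EINVAL : 0;
	return check_esn(rt);
}

/* Constructed input: a 4-byte attribute claiming a 4 KiB (1024-word) bitmap. */
const struct esn_state OVERSIZED = { .bmp_len = 1024 };
const struct nlattr_model OVERSIZED_ATTR = { &OVERSIZED, sizeof(OVERSIZED) };
```

The old function returns 0 for OVERSIZED_ATTR when the flag is clear, which is the bypass the commit message describes; the new one returns -EINVAL regardless of the flag.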