From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com, Mathias Krause, Florian Westphal, Steffen Klassert
Subject: [PATCH 4.9 035/102] xfrm_user: unconditionally validate esn replay attribute struct
Date: Fri, 6 Apr 2018 15:23:16 +0200
Message-Id: <20180406084336.548646527@linuxfoundation.org>
In-Reply-To: <20180406084331.507038179@linuxfoundation.org>
References: <20180406084331.507038179@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed: validation only occurs if the XFRM_STATE_ESN flag is set, but the rest of the code doesn't care and just checks if the attribute itself is present.

So always validate.

The alternative is to reject if we have the attribute without the flag, but that would change the ABI.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
--- net/xfrm/xfrm_user.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -121,22 +121,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) + return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
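Review bot: in the rewritten verify_replay() the `rs->bmp_len` comparison dereferences `rs = nla_data(rt);` before the `nla_len(rt)` check that follows it, so unless the attribute policy for XFRMA_REPLAY_ESN_VAL already enforces a minimum length of sizeof(*rs) (not shown in this hunk), the header fields are read before the buffer is known to hold them. Either move a `nla_len(rt) < sizeof(*rs)` rejection ahead of the bmp_len read, or add a one-line comment at `rs = nla_data(rt);` stating what guarantees the minimum length, so the next reader does not have to go and check the policy table. The control-flow change itself is sound: with `if (!rt) return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;` as the only early exit, every present attribute now reaches both bounds checks regardless of the flag, which is the bypass the commit message describes; the pre-existing acceptance of a header-only attribute (`nla_len(rt) != sizeof(*rs)`) with a non-zero bmp_len is left as it was, which is consistent with the stated intent of not changing the ABI.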
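To make the bypass in the commit message concrete, here is an added user-space model of verify_replay() before and after this change, driven by constructed attributes. It is example code written for this page, not the patch or the kernel: the struct is a trimmed copy of the uapi xfrm_replay_state_esn, the netlink attribute is modelled as a payload pointer plus length standing in for nla_data()/nla_len(), only the two fields of xfrm_usersa_info that the check consults are kept, and the two constants are assumed to match include/uapi/linux/xfrm.h.

```c
/*
 * Added example, not part of the patch or of the kernel: a user-space model
 * of verify_replay() before and after the change, run against constructed
 * attributes. Struct layout trimmed from uapi; nlattr modelled as data+len;
 * XFRM_STATE_ESN and XFRMA_REPLAY_ESN_MAX are assumed to match the uapi header.
 */
#include <errno.h>
#include <netinet/in.h>   /* IPPROTO_ESP, IPPROTO_AH */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XFRM_STATE_ESN       128   /* assumed: uapi flag value */
#define XFRMA_REPLAY_ESN_MAX 4096  /* assumed: uapi bound on the ESN attribute */

/* Trimmed copy of the uapi struct: fixed header followed by a flexible bitmap. */
struct xfrm_replay_state_esn {
	unsigned int bmp_len;
	uint32_t oseq, seq, oseq_hi, seq_hi, replay_window;
	uint32_t bmp[];
};

/* Only the fields of xfrm_usersa_info that verify_replay() consults. */
struct usersa_info {
	unsigned int flags;
	unsigned int proto;
};

/* Model of a parsed netlink attribute: nla_data() and nla_len(). */
struct nlattr_model {
	const void *data;
	size_t len;
};

static size_t xfrm_replay_state_esn_len(const struct xfrm_replay_state_esn *rs)
{
	return sizeof(*rs) + rs->bmp_len * sizeof(rs->bmp[0]);
}

/* The struct sanity test; identical in both versions, what differs is when it runs. */
static int check_esn_struct(const struct nlattr_model *rt)
{
	const struct xfrm_replay_state_esn *rs = rt->data;

	if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
		return -EINVAL;
	if (rt->len < xfrm_replay_state_esn_len(rs) && rt->len != sizeof(*rs))
		return -EINVAL;
	return 0;
}

/* Pre-patch control flow: the struct is checked only when XFRM_STATE_ESN is set. */
static int verify_replay_before(const struct usersa_info *p, const struct nlattr_model *rt)
{
	if (p->flags & XFRM_STATE_ESN) {
		if (!rt)
			return -EINVAL;
		if (check_esn_struct(rt))
			return -EINVAL;
	}
	if (!rt)
		return 0;
	if (p->proto != IPPROTO_ESP && p->proto != IPPROTO_AH)
		return -EINVAL;
	return 0;
}

/* Post-patch control flow: a present attribute is always checked. */
static int verify_replay_after(const struct usersa_info *p, const struct nlattr_model *rt)
{
	if (!rt)
		return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
	if (check_esn_struct(rt))
		return -EINVAL;
	if (p->proto != IPPROTO_ESP && p->proto != IPPROTO_AH)
		return -EINVAL;
	return 0;
}

typedef int (*verify_fn)(const struct usersa_info *, const struct nlattr_model *);

/* Constructed input: header-only payload whose bmp_len claims a huge bitmap. */
static int run_bogus_bmp_len(verify_fn fn, unsigned int flags)
{
	struct xfrm_replay_state_esn hdr;
	struct nlattr_model rt = { &hdr, sizeof(hdr) };
	struct usersa_info p = { flags, IPPROTO_ESP };

	memset(&hdr, 0, sizeof(hdr));
	hdr.bmp_len = 100000;   /* far beyond XFRMA_REPLAY_ESN_MAX / 4 / 8 == 128 */
	return fn(&p, &rt);
}

/* Constructed input: bmp_len = 4 with the four bitmap words actually present. */
static int run_well_formed(verify_fn fn, unsigned int flags)
{
	uint32_t words[6 + 4] = { 0 };   /* 6-word header + 4 bitmap words = 40 bytes */
	struct xfrm_replay_state_esn *rs = (struct xfrm_replay_state_esn *)words;
	struct nlattr_model rt = { words, sizeof(words) };
	struct usersa_info p = { flags, IPPROTO_AH };

	rs->bmp_len = 4;
	return fn(&p, &rt);
}

int bogus_without_flag_before(void) { return run_bogus_bmp_len(verify_replay_before, 0); }
int bogus_with_flag_before(void)    { return run_bogus_bmp_len(verify_replay_before, XFRM_STATE_ESN); }
int bogus_without_flag_after(void)  { return run_bogus_bmp_len(verify_replay_after, 0); }
int well_formed_before(void)        { return run_well_formed(verify_replay_before, XFRM_STATE_ESN); }
int well_formed_after(void)         { return run_well_formed(verify_replay_after, 0); }

int main(void)
{
	printf("before, bogus bmp_len, no ESN flag: %d (0 = accepted: the bypass)\n", bogus_without_flag_before());
	printf("before, bogus bmp_len, ESN flag:    %d\n", bogus_with_flag_before());
	printf("after,  bogus bmp_len, no ESN flag: %d\n", bogus_without_flag_after());
	return 0;
}
```

The first case is the one syzbot found: with XFRM_STATE_ESN clear, the pre-patch function never looks at bmp_len, so an attribute whose header claims a bitmap of 100000 words is accepted and handed on to code that, as the commit message says, only checks that the attribute is present. The post-patch function returns -EINVAL for the same input while still accepting a consistent attribute, and still treats a missing attribute exactly as before.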