From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com, Mathias Krause, Florian Westphal, Steffen Klassert
Subject: [PATCH 4.4 29/72] xfrm_user: unconditionally validate esn replay attribute struct
Date: Fri, 6 Apr 2018 15:23:30 +0200
Message-Id: <20180406084307.599112744@linuxfoundation.org>
In-Reply-To: <20180406084305.210085169@linuxfoundation.org>
References: <20180406084305.210085169@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed: validation only occurs if the XFRM_STATE_ESN flag is set, but the rest of the code doesn't care and just checks if the attribute itself is present.

So always validate. The alternative is to reject if we have the attribute without the flag, but that would change the ABI.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_user.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -121,22 +121,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) + return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
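Review bot: in the verify_replay() hunk, `rs->bmp_len` is dereferenced (`if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)`) before `nla_len(rt)` is compared against `sizeof(*rs)`, so nothing in this function guarantees the attribute payload is at least a full struct xfrm_replay_state_esn when the read happens; that ordering is only safe if the XFRMA_REPLAY_ESN_VAL entry in the attribute policy already enforces that minimum length, which the hunk does not show. Either a comment above `rs = nla_data(rt);` stating that the policy provides the minimum-length guarantee, or an explicit `if (nla_len(rt) < sizeof(*rs)) return -EINVAL;` ahead of the bmp_len read, would make the check self-evidently correct and keep it correct if the policy entry ever changes.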
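The bypass the commit message describes, as an added example that is not part of the patch or of the kernel source: a user-space model of verify_replay() before and after the change, driven with constructed attributes. The struct layout, the nla_len()/nla_data() stand-ins and the constants are simplifications assumed for this example (XFRM_STATE_ESN and XFRMA_REPLAY_ESN_MAX are taken as 128 and 4096, the uapi values as the example's author understands them); model_usersa_info, model_nlattr, bypass_demo() and valid_demo() are names invented here.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Assumed uapi constants (values as understood by the example author). */
#define XFRM_STATE_ESN        128
#define XFRMA_REPLAY_ESN_MAX  4096
#define IPPROTO_ESP           50
#define IPPROTO_AH            51

/* Simplified stand-in for struct xfrm_replay_state_esn; the bitmap is a
 * flexible array of 32-bit words, as in the kernel. */
struct xfrm_replay_state_esn {
	uint32_t bmp_len;
	uint32_t oseq, seq, oseq_hi, seq_hi, replay_window;
	uint32_t bmp[];
};

/* Stand-ins for the two fields verify_replay() reads from xfrm_usersa_info
 * (p->id.proto, p->flags) and for a parsed netlink attribute. */
struct model_usersa_info { uint8_t proto; uint8_t flags; };
struct model_nlattr { const void *data; int len; };

static int nla_len(const struct model_nlattr *a) { return a->len; }
static const void *nla_data(const struct model_nlattr *a) { return a->data; }

/* Bytes a struct with rs->bmp_len bitmap words occupies. */
static size_t xfrm_replay_state_esn_len(const struct xfrm_replay_state_esn *rs)
{
	return sizeof(*rs) + (size_t)rs->bmp_len * sizeof(rs->bmp[0]);
}

/* The attribute-content checks from ecd7918745234, shared by both variants. */
static int check_esn_attr(const struct model_nlattr *rt)
{
	const struct xfrm_replay_state_esn *rs = nla_data(rt);

	if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
		return -EINVAL;
	if ((size_t)nla_len(rt) < xfrm_replay_state_esn_len(rs) &&
	    (size_t)nla_len(rt) != sizeof(*rs))
		return -EINVAL;
	return 0;
}

/* Before the fix: contents are checked only when XFRM_STATE_ESN is set. */
int verify_replay_before(const struct model_usersa_info *p, const struct model_nlattr *rt)
{
	if (p->flags & XFRM_STATE_ESN) {
		if (!rt)
			return -EINVAL;
		if (check_esn_attr(rt))
			return -EINVAL;
	}
	if (!rt)
		return 0;
	return (p->proto == IPPROTO_ESP || p->proto == IPPROTO_AH) ? 0 : -EINVAL;
}

/* After the fix: a present attribute is always checked, flag or no flag. */
int verify_replay_after(const struct model_usersa_info *p, const struct model_nlattr *rt)
{
	if (!rt)
		return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
	if (check_esn_attr(rt))
		return -EINVAL;
	return (p->proto == IPPROTO_ESP || p->proto == IPPROTO_AH) ? 0 : -EINVAL;
}

static int run(int with_fix, const struct model_usersa_info *p, const struct model_nlattr *rt)
{
	return with_fix ? verify_replay_after(p, rt) : verify_replay_before(p, rt);
}

/* Constructed input: bmp_len claims a bitmap far larger than the attribute
 * carries, with XFRM_STATE_ESN deliberately clear. The old check returns 0
 * (accepted); the fixed one returns -EINVAL. */
int bypass_demo(int with_fix)
{
	static const struct xfrm_replay_state_esn bad = { .bmp_len = 0xffffffffu, .replay_window = 32 };
	struct model_usersa_info p = { .proto = IPPROTO_ESP, .flags = 0 };
	struct model_nlattr rt = { .data = &bad, .len = sizeof(bad) };

	return run(with_fix, &p, &rt);
}

/* Constructed input: a well-formed attribute with a one-word bitmap, which
 * both variants accept. */
int valid_demo(int with_fix)
{
	uint8_t buf[sizeof(struct xfrm_replay_state_esn) + sizeof(uint32_t)];
	struct xfrm_replay_state_esn hdr = { .bmp_len = 1, .replay_window = 32 };
	struct model_usersa_info p = { .proto = IPPROTO_AH, .flags = XFRM_STATE_ESN };
	struct model_nlattr rt = { .data = buf, .len = (int)sizeof(buf) };

	memset(buf, 0, sizeof(buf));
	memcpy(buf, &hdr, sizeof(hdr));
	return run(with_fix, &p, &rt);
}
```

The point the model makes concrete is that in the old code the flag, not the attribute's presence, gated every content check, so an attribute with an absurd bmp_len sailed through verify_replay() as long as XFRM_STATE_ESN was clear, while the code that later consumes XFRMA_REPLAY_ESN_VAL keys on the attribute alone. The fixed variant keeps the ABI point from the commit message: an attribute without the flag is still accepted, it is just no longer exempt from validation.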