From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com, Mathias Krause, Florian Westphal, Steffen Klassert
Subject: [PATCH 3.18 50/93] xfrm_user: unconditionally validate esn replay attribute struct
Date: Fri, 6 Apr 2018 15:23:19 +0200
Message-Id: <20180406084227.099421782@linuxfoundation.org>
In-Reply-To: <20180406084224.918716300@linuxfoundation.org>
References: <20180406084224.918716300@linuxfoundation.org>
X-Mailer: git-send-email 2.17.0
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

3.18-stable review patch. If anyone has any objections, please let me know.

------------------
From: Florian Westphal

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed: validation only occurs if the XFRM_STATE_ESN flag is set, but the rest of the code doesn't care and just checks if the attribute itself is present.

So always validate.

The alternative is to reject if we have the attribute without the flag, but that would change the ABI.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
Signed-off-by: Greg Kroah-Hartman
---
 net/xfrm/xfrm_user.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -120,22 +120,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) - return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
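Review bot: `rs->bmp_len` is read through `rs = nla_data(rt)` before this hunk's own `nla_len(rt)` comparison runs, so the first dereference is only safe if the netlink attribute policy for XFRMA_REPLAY_ESN_VAL has already enforced a minimum payload of `sizeof(*rs)`; that policy is outside the hunk, so either a one-line comment saying so or an explicit `if (nla_len(rt) < sizeof(*rs)) return -EINVAL;` ahead of the `bmp_len` bound would make the ordering self-evidently safe to the next reader. The reordering itself is correct for the bug described: both the `bmp_len` bound and the `nla_len(rt) < xfrm_replay_state_esn_len(rs) && nla_len(rt) != sizeof(*rs)` check now run whenever the attribute is present, while the early `return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;` keeps requiring the attribute only when the flag is set, so an attribute sent without the flag is still accepted (once validated) and the ABI the commit message is careful about is unchanged. Worth noting for the backport that the exact-`sizeof(*rs)` escape hatch in the length check is pre-existing behaviour carried over unchanged, not something this patch introduces or tightens.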
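A user-space model of verify_replay() before and after the fix, added here as an example that is not the patch's or the kernel's own code: it runs a constructed request carrying an XFRMA_REPLAY_ESN_VAL attribute with an out-of-range bmp_len but without the XFRM_STATE_ESN flag through both versions, showing the flag-gated check accepting it and the unconditional check rejecting it. The struct layout, the flag bit, the XFRMA_REPLAY_ESN_MAX value and the attribute container are simplified assumptions made for this example, as are the constructed inputs.

```c
/* Added example, not code from the patch or the kernel: a user-space model of
 * verify_replay() before and after the fix, so the bypass described in the
 * commit message can be run directly.  Struct layout, the XFRM_STATE_ESN bit,
 * the XFRMA_REPLAY_ESN_MAX bound and the attribute container are simplified
 * assumptions made for this example. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XFRM_STATE_ESN       0x80   /* assumed flag bit */
#define XFRMA_REPLAY_ESN_MAX 4096   /* assumed byte cap on the ESN attribute */

/* Stand-in for struct xfrm_replay_state_esn: fixed header plus a bitmap
 * whose length in 32-bit words is supplied by user space in bmp_len. */
struct esn_state {
    uint32_t bmp_len;
    uint32_t oseq, seq, oseq_hi, seq_hi, replay_window;
    uint32_t bmp[];
};

/* Stand-in for a parsed netlink attribute: payload length plus payload. */
struct attr {
    size_t len;
    unsigned char data[];
};

struct usersa_info { unsigned int flags; };

static size_t esn_state_len(const struct esn_state *rs)
{
    return sizeof(*rs) + (size_t)rs->bmp_len * sizeof(rs->bmp[0]);
}

/* The two bounds checks from the hunk, identical in the old and new version;
 * only whether they run differs. */
static int check_esn_attr(const struct attr *rt)
{
    const struct esn_state *rs = (const struct esn_state *)rt->data;

    if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8)
        return -EINVAL;
    if (rt->len < esn_state_len(rs) && rt->len != sizeof(*rs))
        return -EINVAL;
    return 0;
}

/* Before the fix: the checks are gated on the flag, so an attribute sent
 * without XFRM_STATE_ESN is accepted unexamined. */
int verify_replay_old(const struct usersa_info *p, const struct attr *rt)
{
    if (p->flags & XFRM_STATE_ESN) {
        if (!rt)
            return -EINVAL;
        return check_esn_attr(rt);
    }
    return 0;
}

/* After the fix: the attribute is validated whenever it is present; the flag
 * only decides whether its absence is an error. */
int verify_replay_new(const struct usersa_info *p, const struct attr *rt)
{
    if (!rt)
        return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0;
    return check_esn_attr(rt);
}

/* Run one constructed request through the chosen version and return its rc.
 * The payload must be at least sizeof(struct esn_state) bytes, which is the
 * minimum the kernel's netlink policy is assumed to enforce before
 * verify_replay() ever sees the attribute. */
int run_case(unsigned int flags, int has_attr, uint32_t bmp_len,
             size_t payload_len, int use_new)
{
    struct usersa_info p = { .flags = flags };
    struct attr *rt = NULL;
    int rc;

    if (has_attr) {
        if (payload_len < sizeof(struct esn_state))
            return -1;                  /* rejected by the model's policy */
        rt = calloc(1, sizeof(*rt) + payload_len);
        if (!rt)
            return -1;
        rt->len = payload_len;
        ((struct esn_state *)rt->data)->bmp_len = bmp_len;
    }
    rc = use_new ? verify_replay_new(&p, rt) : verify_replay_old(&p, rt);
    free(rt);
    return rc;
}

int main(void)
{
    /* Constructed request: attribute present, bmp_len absurd, flag clear. */
    printf("flag clear, bmp_len huge: old=%d new=%d\n",
           run_case(0, 1, 0xffffffffu, sizeof(struct esn_state), 0),
           run_case(0, 1, 0xffffffffu, sizeof(struct esn_state), 1));
    return 0;
}
```

The old version returns 0 for the bogus attribute because the flag is clear, which is exactly the path the commit message calls a bypass; the new version returns -EINVAL. Both versions still return -EINVAL when the flag is set and no attribute is supplied, and both accept a well-formed attribute, which is the ABI-preserving property the commit chose over rejecting attribute-without-flag outright.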