Date: Sat, 7 Apr 2018 11:40:18 -0400
From: Kevin Easton
To: Steffen Klassert, Herbert Xu, "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun

As found by syzbot, af_key does not properly validate the key length in
sadb_key messages from userspace. This can result in copying from beyond
the end of the sadb_key part of the message, or indeed beyond the end of
the entire packet.

Both these patches apply cleanly to ipsec-next. Based on Steffen's
feedback I have re-ordered them so that the fix only is in patch 1, which
I would suggest is also a stable tree candidate, whereas patch 2 is a
cleanup only.

Kevin Easton (2):
  af_key: Always verify length of provided sadb_key
  af_key: Use DIV_ROUND_UP() instead of open-coded equivalent

 net/key/af_key.c | 58 ++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 16 deletions(-)

-- 
2.8.1
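
The following is an added example, not code from these patches or from net/key/af_key.c: a user-space C check that a key extension lies inside the message and that its declared length covers the key bits it advertises, which are the two overruns the cover letter describes. The struct layout follows the sadb_key extension in RFC 2367; `key_ext`, `checked_key_bytes` and `check_sample` are hypothetical names, and the sample message is constructed.

```c
#include <stdint.h>
#include <string.h>

/* Local mirror of the RFC 2367 key extension header (struct sadb_key),
 * declared here so the example builds without kernel headers. */
struct key_ext {
    uint16_t sadb_key_len;      /* whole extension, in 64-bit words */
    uint16_t sadb_key_exttype;
    uint16_t sadb_key_bits;     /* key length, in bits */
    uint16_t sadb_key_reserved;
};

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical helper: returns the key size in bytes when the extension at
 * buf[off] lies inside the message and is long enough for the key bits it
 * advertises, or -1 when a copy of the key would read out of bounds. */
static int checked_key_bytes(const uint8_t *buf, size_t buf_len, size_t off)
{
    struct key_ext hdr;
    size_t ext_bytes, key_bytes;

    if (off > buf_len || buf_len - off < sizeof(hdr))
        return -1;                          /* header past end of message */
    memcpy(&hdr, buf + off, sizeof(hdr));   /* no unaligned access */

    ext_bytes = (size_t)hdr.sadb_key_len * sizeof(uint64_t);
    if (ext_bytes < sizeof(hdr) || ext_bytes > buf_len - off)
        return -1;                          /* extension past end of message */

    key_bytes = DIV_ROUND_UP((size_t)hdr.sadb_key_bits, 8);
    if (key_bytes > ext_bytes - sizeof(hdr))
        return -1;                          /* key past end of extension */
    return (int)key_bytes;
}

/* Constructed sample: one key extension with the given declared length and
 * key bits, inside a zeroed message of msg_len bytes. */
static int check_sample(uint16_t len_words, uint16_t bits, size_t msg_len)
{
    uint8_t msg[64] = {0};
    struct key_ext hdr = { len_words, 9 /* SADB_EXT_KEY_ENCRYPT */, bits, 0 };

    if (msg_len > sizeof(msg))
        return -1;
    memcpy(msg, &hdr, sizeof(hdr));
    return checked_key_bytes(msg, msg_len, 0);
}
```

`check_sample(2, 128, 24)` models a key that overruns its own extension, and `check_sample(3, 128, 16)` models an extension that runs past the end of the packet; both are rejected.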