From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Florian Westphal", "Mathias Krause", "Steffen Klassert", syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Date: Thu, 07 Jun 2018 15:05:21 +0100
Subject: [PATCH 3.16 230/410] xfrm_user: unconditionally validate esn replay attribute struct

3.16.57-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Florian Westphal

commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed: validation only
occurs if the XFRM_STATE_ESN flag is set, but the rest of the code doesn't
care and just checks whether the attribute itself is present.

So always validate.  The alternative is to reject if we have the attribute
without the flag, but that would change the ABI.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal
Signed-off-by: Steffen Klassert
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings
---
 net/xfrm/xfrm_user.c | 21 ++++++++-------------
 1 file changed, 8 insertions(+), 13 deletions(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -120,22 +120,17 @@ static inline int verify_replay(struct x struct nlattr *rt = attrs[XFRMA_REPLAY_ESN_VAL]; struct xfrm_replay_state_esn *rs; - if (p->flags & XFRM_STATE_ESN) { - if (!rt) - return -EINVAL; - - rs = nla_data(rt); + if (!rt) + return (p->flags & XFRM_STATE_ESN) ? -EINVAL : 0; - if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) - return -EINVAL; + rs = nla_data(rt); - if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && - nla_len(rt) != sizeof(*rs)) - return -EINVAL; - } + if (rs->bmp_len > XFRMA_REPLAY_ESN_MAX / sizeof(rs->bmp[0]) / 8) + return -EINVAL; - if (!rt) - return 0; + if (nla_len(rt) < xfrm_replay_state_esn_len(rs) && + nla_len(rt) != sizeof(*rs)) + return -EINVAL; /* As only ESP and AH support ESN feature. */ if ((p->id.proto != IPPROTO_ESP) && (p->id.proto != IPPROTO_AH))
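Review bot: in the restructured verify_replay(), `rs->bmp_len` is read from the attribute payload before the `nla_len(rt) != sizeof(*rs)` comparison runs, so the bound check on bmp_len relies on the netlink attribute policy having already enforced a minimum payload length of sizeof(struct xfrm_replay_state_esn) for XFRMA_REPLAY_ESN_VAL; if that policy entry is not present in this 3.16 tree, the `nla_len(rt) < xfrm_replay_state_esn_len(rs) && nla_len(rt) != sizeof(*rs)` check should be split so the sizeof(*rs) minimum is verified before `rs = nla_data(rt)` is dereferenced. The behavioural change itself is sound: the bmp_len and length checks now run whenever the attribute is present, and the early return keeps the pre-existing rule that a missing attribute is only an error when XFRM_STATE_ESN is set, matching the ABI concern in the commit message.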