From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kevin Easton, syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com, Steffen Klassert, Zubin Mithra
Subject: [PATCH 4.4 13/24] af_key: Always verify length of provided sadb_key
Date: Thu, 14 Jun 2018 16:05:08 +0200
Message-Id: <20180614132725.021261351@linuxfoundation.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20180614132724.483802160@linuxfoundation.org>
References: <20180614132724.483802160@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kevin Easton

commit 4b66af2d6356a00e94bcdea3e7fea324e8b5c6f4 upstream.

Key extensions (struct sadb_key) include a user-specified number of key
bits.  The kernel uses that number to determine how much key data to copy
out of the message in pfkey_msg2xfrm_state().

The length of the sadb_key message must be verified to be long enough,
even in the case of SADB_X_AALG_NULL.  Furthermore, the sadb_key_len value
must be long enough to include both the key data and the struct sadb_key
itself.

Introduce a helper function verify_key_len(), and call it from
parse_exthdrs() where other exthdr types are similarly checked for
correctness.

Signed-off-by: Kevin Easton
Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert
Cc: Zubin Mithra
Signed-off-by: Greg Kroah-Hartman
---
 net/key/af_key.c | 45 +++++++++++++++++++++++++++++++++++----------
 1 file changed, 35 insertions(+), 10 deletions(-)

--- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -437,6 +437,24 @@ static int verify_address_len(const void return 0; } +static inline int sadb_key_len(const struct sadb_key *key) +{ + int key_bytes = DIV_ROUND_UP(key->sadb_key_bits, 8); + + return DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes, + sizeof(uint64_t)); +} + +static int verify_key_len(const void *p) +{ + const struct sadb_key *key = p; + + if (sadb_key_len(key) > key->sadb_key_len) + return -EINVAL; + + return 0; +} + static inline int pfkey_sec_ctx_len(const struct sadb_x_sec_ctx *sec_ctx) { return DIV_ROUND_UP(sizeof(struct sadb_x_sec_ctx) + @@ -533,16 +551,25 @@ static int parse_exthdrs(struct sk_buff return -EINVAL; if (ext_hdrs[ext_type-1] != NULL) return -EINVAL; - if (ext_type == SADB_EXT_ADDRESS_SRC || - ext_type == SADB_EXT_ADDRESS_DST || - ext_type == SADB_EXT_ADDRESS_PROXY || - ext_type == SADB_X_EXT_NAT_T_OA) { + switch (ext_type) { + case SADB_EXT_ADDRESS_SRC: + case SADB_EXT_ADDRESS_DST: + case SADB_EXT_ADDRESS_PROXY: + case SADB_X_EXT_NAT_T_OA: if (verify_address_len(p)) return -EINVAL; - } - if (ext_type == SADB_X_EXT_SEC_CTX) { + break; + case SADB_X_EXT_SEC_CTX: if (verify_sec_ctx_len(p)) return -EINVAL; + break; + case SADB_EXT_KEY_AUTH: + case SADB_EXT_KEY_ENCRYPT: + if (verify_key_len(p)) + return -EINVAL; + break; + default: + break; } ext_hdrs[ext_type-1] = (void *) p; } @@ -1111,14 +1138,12 @@ static struct xfrm_state * pfkey_msg2xfr key = ext_hdrs[SADB_EXT_KEY_AUTH - 1]; if (key != NULL && sa->sadb_sa_auth != SADB_X_AALG_NULL && - ((key->sadb_key_bits+7) / 8 == 0 || - (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t))) + key->sadb_key_bits == 0) return ERR_PTR(-EINVAL); key = ext_hdrs[SADB_EXT_KEY_ENCRYPT-1]; if (key != NULL && sa->sadb_sa_encrypt != SADB_EALG_NULL && - ((key->sadb_key_bits+7) / 8 == 0 || - (key->sadb_key_bits+7) / 8 > key->sadb_key_len * sizeof(uint64_t))) + key->sadb_key_bits == 0) return ERR_PTR(-EINVAL); x = xfrm_state_alloc(net);
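
Review bot: in the first hunk (@@ -437,6 +437,24 @@), the new helper sadb_key_len() has the same name as the struct field it is compared against, so the test in verify_key_len() reads "sadb_key_len(key) > key->sadb_key_len" and the reader has to work out which side is computed and which is user-supplied. Neither helper says that the result is counted in 64-bit words rather than bytes. Suggest a name in the style of the neighbouring pfkey_sec_ctx_len() and a one-line comment stating the unit.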
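
Review bot: in the second hunk (@@ -533,16 +551,25 @@), the new "case SADB_EXT_KEY_AUTH: / case SADB_EXT_KEY_ENCRYPT:" arm passes only p to verify_key_len(), which then reads sadb_key_bits and sadb_key_len straight from that pointer. That is safe only if an earlier check in parse_exthdrs() has already established that the extension holds at least sizeof(struct sadb_key) bytes inside the message, and that check is not in the visible context. A short comment at the call naming the earlier check would make the dependency explicit for the next person who reorders this loop.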
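
Review bot: in the third hunk (@@ -1111,14 +1138,12 @@), the two conditions in pfkey_msg2xfrm_state() now test only "key->sadb_key_bits == 0", so the upper bound on sadb_key_bits at this site rests entirely on verify_key_len() having run in parse_exthdrs(). Nothing here says so, and the commit message identifies this function as the place where the bit count decides how much key data is copied. Suggest a comment above "key = ext_hdrs[SADB_EXT_KEY_AUTH - 1];" stating that the key length was validated during extension parsing.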
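
The gap the commit message describes, as an added example (not part of the patch or the kernel source): a userspace comparison of the bound removed from pfkey_msg2xfrm_state() with the one verify_key_len() adds, run over constructed extension headers. The struct is a local mirror of struct sadb_key from <linux/pfkeyv2.h>; old_check_ok(), new_check_ok() and overread_bytes() are names made up for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Local mirror of struct sadb_key (<linux/pfkeyv2.h>) so this builds without
 * kernel headers. sadb_key_len counts 64-bit words, header included. */
struct sadb_key {
    uint16_t sadb_key_len;
    uint16_t sadb_key_exttype;
    uint16_t sadb_key_bits;
    uint16_t sadb_key_reserved;
};
#define SADB_EXT_KEY_AUTH 8
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Bound removed by the patch: key bytes compared with the whole extension. */
static int old_check_ok(const struct sadb_key *k)
{
    size_t key_bytes = (k->sadb_key_bits + 7) / 8;
    return !(key_bytes == 0 || key_bytes > k->sadb_key_len * sizeof(uint64_t));
}

/* Bound added by the patch: header plus key bytes, in 64-bit words. */
static int new_check_ok(const struct sadb_key *k)
{
    size_t key_bytes = DIV_ROUND_UP(k->sadb_key_bits, 8);
    size_t need = DIV_ROUND_UP(sizeof(struct sadb_key) + key_bytes,
                               sizeof(uint64_t));
    return need <= k->sadb_key_len;
}

/* Bytes by which header + key data extend past the declared extension. */
static long overread_bytes(const struct sadb_key *k)
{
    long ext = (long)k->sadb_key_len * 8;
    long end = (long)sizeof(struct sadb_key) + (k->sadb_key_bits + 7) / 8;
    return end > ext ? end - ext : 0;
}

int main(void)
{
    /* Constructed headers: {len in 64-bit words, exttype, bits, reserved}. */
    struct sadb_key cases[] = {
        { 3, SADB_EXT_KEY_AUTH, 128, 0 }, /* 8 + 16 = 24 bytes, consistent */
        { 1, SADB_EXT_KEY_AUTH, 64, 0 },  /* header only, claims 8 key bytes */
        { 2, SADB_EXT_KEY_AUTH, 128, 0 }, /* 16 bytes declared, 24 needed */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("len=%u bits=%u old=%d new=%d overread=%ld\n",
               cases[i].sadb_key_len, cases[i].sadb_key_bits,
               old_check_ok(&cases[i]), new_check_ok(&cases[i]),
               overread_bytes(&cases[i]));
    return 0;
}
```

The second and third headers pass the removed bound because it never counted the 8-byte header, which is the "both the key data and the struct sadb_key itself" requirement in the commit message.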