From: Ben Hutchings
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: akpm@linux-foundation.org, "Steffen Klassert", "Air Icy"
Date: Sun, 09 Dec 2018 21:50:33 +0000
Subject: [PATCH 3.16 098/328] xfrm: Validate address prefix lengths in the xfrm selector.

3.16.62-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Steffen Klassert

commit 07bf7908950a8b14e81aa1807e3c667eab39287a upstream.

We don't validate the address prefix lengths in the xfrm selector we got from userspace. This can lead to undefined behaviour in the address matching functions if the prefix is too big for the given address family. Fix this by checking the prefixes and refusing SA/policy insertion when a prefix is invalid.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Air Icy
Signed-off-by: Steffen Klassert
Signed-off-by: Ben Hutchings
---
 net/xfrm/xfrm_user.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -150,10 +150,16 @@ static int verify_newsa_info(struct xfrm err = -EINVAL; switch (p->family) { case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + goto out; + break; case AF_INET6: #if IS_ENABLED(CONFIG_IPV6) + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) + goto out; + break; #else err = -EAFNOSUPPORT;
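Review bot: in verify_newsa_info() the new bounds checks sit under `switch (p->family)`, but the fields being bounded are `p->sel.prefixlen_s` and `p->sel.prefixlen_d`, which belong to the selector, and the policy-side hunk in this same patch keys the identical check on `p->sel.family` instead. Unless this function already requires `p->sel.family` to equal `p->family` (nothing in the visible context shows that), an SA whose selector family differs from its own family gets its selector prefixes compared against the wrong limit; consider switching on `p->sel.family` here too (with an AF_UNSPEC case that skips the check) or adding a one-line comment saying why `p->family` is the right discriminator. The error path itself is consistent: `err = -EINVAL` is assigned just before the switch, so `goto out` returns EINVAL as the commit message says.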
@@ -1227,10 +1233,16 @@ static int verify_newpolicy_info(struct switch (p->sel.family) { case AF_INET: + if (p->sel.prefixlen_d > 32 || p->sel.prefixlen_s > 32) + return -EINVAL; + break; case AF_INET6: #if IS_ENABLED(CONFIG_IPV6) + if (p->sel.prefixlen_d > 128 || p->sel.prefixlen_s > 128) + return -EINVAL; + break; #else return -EAFNOSUPPORT;
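Review bot: the 32 and 128 limits are now hard-coded in two places (here in verify_newpolicy_info() and in verify_newsa_info() above), which invites the two copies to drift; a small shared helper, say a hypothetical `verify_sel_prefixlen(&p->sel)` that returns -EINVAL, would keep both entry points in sync and make it obvious they are the same rule. Returning -EINVAL directly matches this function's existing style (the context line `return -EAFNOSUPPORT;` shows it returns error codes rather than jumping to a label), so the control flow is fine as is.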
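An added user-space illustration, not part of this patch or of the kernel tree: it models the rule the patch enforces (both selector prefix lengths must fit the family) and shows, in a small IPv4 mask builder, why an unchecked prefix length matters. The helper names verify_sel_prefixlen, ipv4_mask_host and ipv4_prefix_match and the sample addresses are assumptions made for this example; the kernel's own address-matching helpers are not reproduced.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

/* Largest prefix length an address of this family can carry; -1 when the
 * family is not handled (mirrors the -EAFNOSUPPORT branch in the patch). */
static int max_prefixlen(int family)
{
    switch (family) {
    case AF_INET:  return 32;
    case AF_INET6: return 128;
    default:       return -1;
    }
}

/* Assumed helper name. Same rule as the patch: both the source and the
 * destination prefix length must fit the family. Returns 0 on success,
 * -EINVAL for an oversized prefix, -EAFNOSUPPORT for an unknown family. */
int verify_sel_prefixlen(int family, unsigned int plen_s, unsigned int plen_d)
{
    int max = max_prefixlen(family);

    if (max < 0)
        return -EAFNOSUPPORT;
    if (plen_s > (unsigned int)max || plen_d > (unsigned int)max)
        return -EINVAL;
    return 0;
}

/* Host-order IPv4 netmask for a prefix length. The two guards matter: a
 * shift count of 32 (plen == 0) or a negative one (plen > 32) is undefined
 * behaviour in C, which is the hazard an unvalidated selector exposes in
 * address-matching code. */
uint32_t ipv4_mask_host(unsigned int plen)
{
    if (plen == 0)
        return 0;
    if (plen >= 32)
        return 0xFFFFFFFFu;
    return ~((1u << (32 - plen)) - 1u);
}

/* Prefix match that validates first. Returns 1 on match, 0 on mismatch,
 * -EINVAL if the prefix length is out of range for IPv4. */
int ipv4_prefix_match(uint32_t a, uint32_t b, unsigned int plen)
{
    int err = verify_sel_prefixlen(AF_INET, plen, plen);

    if (err)
        return err;
    return ((a ^ b) & ipv4_mask_host(plen)) == 0;
}

int main(void)
{
    /* Constructed values: a valid /24 and the oversized /33 that the
     * patch rejects before any matching code sees it. */
    uint32_t src = 0x0A000001u;   /* 10.0.0.1   */
    uint32_t dst = 0x0A0000FFu;   /* 10.0.0.255 */

    printf("AF_INET  /24,/24  -> %d\n", verify_sel_prefixlen(AF_INET, 24, 24));
    printf("AF_INET  /33,/0   -> %d (EINVAL)\n", verify_sel_prefixlen(AF_INET, 33, 0));
    printf("AF_INET6 /128,/128 -> %d\n", verify_sel_prefixlen(AF_INET6, 128, 128));
    printf("AF_INET6 /0,/129  -> %d (EINVAL)\n", verify_sel_prefixlen(AF_INET6, 0, 129));
    printf("10.0.0.1 ~ 10.0.0.255 /24 -> %d\n", ipv4_prefix_match(src, dst, 24));
    printf("10.0.0.1 ~ 10.0.0.255 /32 -> %d\n", ipv4_prefix_match(src, dst, 32));
    printf("10.0.0.1 ~ 10.0.0.255 /33 -> %d (EINVAL)\n", ipv4_prefix_match(src, dst, 33));
    return 0;
}
```

The validation runs before the mask is built, which is the ordering the patch establishes: the SA or policy is refused at insertion time, so the matching path never has to cope with a prefix length larger than the address.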