Subject: Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
To: Steffen Klassert
CC: Herbert Xu , , ,
References: <1551671259-21311-1-git-send-email-suyj.fnst@cn.fujitsu.com> <20190305064920.gcpwvkp7yikq33cy@gondor.apana.org.au> <20190305073117.GD14737@gauss3.secunet.de>
From: "Su Yanjun " Message-ID: Date: Tue, 5 Mar 2019 15:39:19 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.3.3 MIME-Version: 1.0 In-Reply-To: <20190305073117.GD14737@gauss3.secunet.de> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 7bit X-Originating-IP: [10.167.226.33] X-yoursite-MailScanner-ID: 9BBF84C7F2C6.AD0DD X-yoursite-MailScanner: Found to be clean X-yoursite-MailScanner-From: suyj.fnst@cn.fujitsu.com X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2019/3/5 15:31, Steffen Klassert wrote: > On Tue, Mar 05, 2019 at 03:08:49PM +0800, Su Yanjun wrote: >> On 2019/3/5 14:49, Herbert Xu wrote: >> >>> On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote: >>>> When i review xfrm_user.c code, i found some potentical bug in it. >>>> >>>> In xfrm_user_rcvmsg if type parameter from user space is set to >>>> XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO. It will cause >>>> xfrm_user_rcv_msg referring to null entry in xfrm_dispatch array. >>>> >>>> Signed-off-by: Su Yanjun >>>> --- >>>> net/xfrm/xfrm_user.c | 4 +++- >>>> 1 file changed, 3 insertions(+), 1 deletion(-) >>>> >>>> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c >>>> index a131f9f..d832783 100644 >>>> --- a/net/xfrm/xfrm_user.c >>>> +++ b/net/xfrm/xfrm_user.c 
>>>> @@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
>>>> return -EOPNOTSUPP;
>>>> type = nlh->nlmsg_type;
>>>> - if (type > XFRM_MSG_MAX)
>>>> + if (type >= XFRM_MSG_MAX)
>>>> return -EINVAL;
>>> Your patch is wrong. Please check the definition of XFRM_MSG_MAX.
>> I see, thanks for your reply.
>>
>> type -= XFRM_MSG_BASE;
>> link = &xfrm_dispatch[type];
>> + if (!link)
>> + return -EOPNOTSUPP;
>>
>> Here **link** may refer to a null entry for special types such as
>> XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO.
>> Am I missing something?
> 'link' is always a valid pointer into that array.

Thanks
Su
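Review bot: the added `if (!link) return -EOPNOTSUPP;` immediately after `link = &xfrm_dispatch[type];` is dead code, since the address of an array element is never NULL (the point Steffen makes); an unsupported type would show up as a NULL handler pointer inside that entry, so any such check belongs on the entry's handler field, not on `link`. In the same hunk, changing `if (type > XFRM_MSG_MAX)` to `if (type >= XFRM_MSG_MAX)` rejects the highest valid message type, because XFRM_MSG_MAX names the last defined type rather than a one-past-the-end terminator (Herbert's point); the original `>` comparison was already the correct bound. Both changes should be dropped.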
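As an added illustration of the two points discussed in the thread (this is constructed example code, not the kernel's xfrm code and not from anyone in this thread): a miniature dispatch table in the same shape as xfrm_dispatch, with made-up message numbers and handlers. It shows that a type equal to MSG_MAX is valid and must pass the range check, and that the only meaningful NULL test is on the entry's handler, never on the element address.

```c
/* Constructed example: a toy xfrm-style dispatch table. Message
 * numbers and handlers below are assumptions for illustration only. */
#include <errno.h>

/* Same pattern as the uapi header: BASE is the first type, MAX the
 * last *valid* type (one below the enum terminator). */
enum {
    MSG_BASE = 0x10,
    MSG_NEWSA = 0x10,
    MSG_DELSA,
    MSG_NEWSADINFO,   /* constructed: slot deliberately left without a handler */
    MSG_MAPPING,      /* last valid type, equal to MSG_MAX */
    __MSG_MAX
};
#define MSG_MAX (__MSG_MAX - 1)

struct dispatch { int (*doit)(void); };

static int do_newsa(void)   { return 1; }
static int do_delsa(void)   { return 2; }
static int do_mapping(void) { return 3; }

/* Constructed table; MSG_NEWSADINFO has a NULL handler on purpose. */
static const struct dispatch table[MSG_MAX - MSG_BASE + 1] = {
    [MSG_NEWSA   - MSG_BASE] = { .doit = do_newsa },
    [MSG_DELSA   - MSG_BASE] = { .doit = do_delsa },
    [MSG_MAPPING - MSG_BASE] = { .doit = do_mapping },
};

/* Returns the handler's result, -EINVAL for an out-of-range type, or
 * -EOPNOTSUPP for an in-range type that has no handler. The lower-bound
 * check is here because this toy has no netlink core doing it for us. */
int rcv_msg(unsigned int type)
{
    const struct dispatch *link;

    if (type < MSG_BASE || type > MSG_MAX)   /* `>=` would wrongly reject MSG_MAPPING */
        return -EINVAL;
    link = &table[type - MSG_BASE];          /* address of a slot: can never be NULL */
    if (!link->doit)                         /* the check that actually matters */
        return -EOPNOTSUPP;
    return link->doit();
}
```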