From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Steffen Klassert, Sasha Levin
Subject: [PATCH 4.9 45/53] xfrm4: Fix uninitialized memory read in _decode_session4
Date: Thu, 23 May 2019 21:06:09 +0200
Message-Id: <20190523181718.097234570@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190523181710.981455400@linuxfoundation.org>
References: <20190523181710.981455400@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]

We currently don't reload pointers pointing into skb header after doing pskb_may_pull() in _decode_session4(). So in case pskb_may_pull() changed the pointers, we read from random memory.

Fix this by putting all the needed infos on the stack, so that we don't need to access the header pointers after doing pskb_may_pull().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
---
 net/ipv4/xfrm4_policy.c | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 622e158a6fc40..1805413cd2251 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -108,7 +108,8 @@ static void _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) { const struct iphdr *iph = ip_hdr(skb); - u8 *xprth = skb_network_header(skb) + iph->ihl * 4; + int ihl = iph->ihl; + u8 *xprth = skb_network_header(skb) + ihl * 4; struct flowi4 *fl4 = &fl->u.ip4; int oif = 0; 
@@ -119,6 +120,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) fl4->flowi4_mark = skb->mark; fl4->flowi4_oif = reverse ? skb->skb_iif : oif; + fl4->flowi4_proto = iph->protocol; + fl4->daddr = reverse ? iph->saddr : iph->daddr; + fl4->saddr = reverse ? iph->daddr : iph->saddr; + fl4->flowi4_tos = iph->tos; + if (!ip_is_fragment(iph)) { switch (iph->protocol) { case IPPROTO_UDP: @@ -130,7 +136,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be16 *ports; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ports = (__be16 *)xprth; fl4->fl4_sport = ports[!!reverse]; @@ -143,7 +149,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 2 - skb->data)) { u8 *icmp; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; icmp = xprth; fl4->fl4_icmp_type = icmp[0]; @@ -156,7 +162,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be32 *ehdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ehdr = (__be32 *)xprth; fl4->fl4_ipsec_spi = ehdr[0]; @@ -168,7 +174,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 8 - skb->data)) { __be32 *ah_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ah_hdr = (__be32 *)xprth; fl4->fl4_ipsec_spi = ah_hdr[1]; @@ -180,7 +186,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be16 *ipcomp_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ipcomp_hdr = (__be16 *)xprth; fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); 
@@ -193,7 +199,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) __be16 *greflags; __be32 *gre_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; greflags = (__be16 *)xprth; gre_hdr = (__be32 *)xprth; @@ -210,10 +216,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) break; } } - fl4->flowi4_proto = iph->protocol; - fl4->daddr = reverse ? iph->saddr : iph->daddr; - fl4->saddr = reverse ? iph->daddr : iph->saddr; - fl4->flowi4_tos = iph->tos; } static inline int xfrm4_garbage_collect(struct dst_ops *ops) -- 2.20.1
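Review bot: in the first hunk (@@ -108,7), the new `int ihl = iph->ihl;` deserves a one-line comment stating why the value is copied to the stack, namely that `pskb_may_pull()` can reallocate the header and leave `iph` pointing at freed memory; without it, a later change that goes back to `iph->ihl` in one of the `xprth = skb_network_header(skb) + ihl * 4;` reloads would silently reintroduce the stale read. Something like `/* iph may be invalidated by pskb_may_pull(), so cache ihl */` above the declaration is enough.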
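Review bot: the real fix is the relocation in the second hunk (@@ -119,6) of the `fl4->flowi4_proto`, `fl4->daddr`, `fl4->saddr` and `fl4->flowi4_tos` assignments to before the `if (!ip_is_fragment(iph))` block, since in the removed lines after the `switch` (@@ -210,10) they were the only `iph` dereferences that could execute after a `pskb_may_pull()`; the commit message describes this as "putting all the needed infos on the stack", but these four values are written straight into `fl4` rather than cached, so saying the reads are moved ahead of any pull would describe the change more precisely. `ip_is_fragment(iph)` and `switch (iph->protocol)` still dereference `iph`, which is fine only because both run before the first `pskb_may_pull()` inside the case bodies.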
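Review bot: for the per-protocol hunks (UDP/TCP through GRE), each case recomputes `xprth` from `ihl` right after its `pskb_may_pull()`, but the context lines hide the rest of every case body; since this is a 4.9 backport, it is worth confirming that nothing in the elided parts (for example after `gre_hdr = (__be32 *)xprth;` in the GRE case) still reads through `iph` or a pointer captured before the pull, otherwise the same class of stale read survives in code this patch does not touch.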