From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Steffen Klassert , Sasha Levin Subject: [PATCH 4.14 60/77] xfrm4: Fix uninitialized memory read in _decode_session4 Date: Thu, 23 May 2019 21:06:18 +0200 Message-Id: <20190523181728.247459342@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190523181719.982121681@linuxfoundation.org> References: <20190523181719.982121681@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ] We currently don't reload pointers pointing into skb header after doing pskb_may_pull() in _decode_session4(). So in case pskb_may_pull() changed the pointers, we read from random memory. Fix this by putting all the needed infos on the stack, so that we don't need to access the header pointers after doing pskb_may_pull(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin --- net/ipv4/xfrm4_policy.c | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/net/ipv4/xfrm4_policy.c b/net/ipv4/xfrm4_policy.c index 4b586e7d56370..5952dca98e6b7 100644 --- a/net/ipv4/xfrm4_policy.c +++ b/net/ipv4/xfrm4_policy.c @@ -111,7 +111,8 @@ static void _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) { const struct iphdr *iph = ip_hdr(skb); - u8 *xprth = skb_network_header(skb) + iph->ihl * 4; + int ihl = iph->ihl; + u8 *xprth = skb_network_header(skb) + ihl * 4; struct flowi4 *fl4 = &fl->u.ip4; int oif = 0; 
@@ -122,6 +123,11 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) fl4->flowi4_mark = skb->mark; fl4->flowi4_oif = reverse ? skb->skb_iif : oif; + fl4->flowi4_proto = iph->protocol; + fl4->daddr = reverse ? iph->saddr : iph->daddr; + fl4->saddr = reverse ? iph->daddr : iph->saddr; + fl4->flowi4_tos = iph->tos; + if (!ip_is_fragment(iph)) { switch (iph->protocol) { case IPPROTO_UDP: @@ -133,7 +139,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be16 *ports; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ports = (__be16 *)xprth; fl4->fl4_sport = ports[!!reverse]; @@ -146,7 +152,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 2 - skb->data)) { u8 *icmp; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; icmp = xprth; fl4->fl4_icmp_type = icmp[0]; @@ -159,7 +165,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be32 *ehdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ehdr = (__be32 *)xprth; fl4->fl4_ipsec_spi = ehdr[0]; @@ -171,7 +177,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 8 - skb->data)) { __be32 *ah_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ah_hdr = (__be32 *)xprth; fl4->fl4_ipsec_spi = ah_hdr[1]; @@ -183,7 +189,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) pskb_may_pull(skb, xprth + 4 - skb->data)) { __be16 *ipcomp_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; ipcomp_hdr = (__be16 *)xprth; fl4->fl4_ipsec_spi = htonl(ntohs(ipcomp_hdr[1])); 
@@ -196,7 +202,7 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) __be16 *greflags; __be32 *gre_hdr; - xprth = skb_network_header(skb) + iph->ihl * 4; + xprth = skb_network_header(skb) + ihl * 4; greflags = (__be16 *)xprth; gre_hdr = (__be32 *)xprth; @@ -213,10 +219,6 @@ _decode_session4(struct sk_buff *skb, struct flowi *fl, int reverse) break; } } - fl4->flowi4_proto = iph->protocol; - fl4->daddr = reverse ? iph->saddr : iph->daddr; - fl4->saddr = reverse ? iph->daddr : iph->saddr; - fl4->flowi4_tos = iph->tos; } static void xfrm4_update_pmtu(struct dst_entry *dst, struct sock *sk, -- 2.20.1
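Review bot: in the first hunk (@@ -111), `iph` remains a pointer into the skb header after `ihl` is copied, so the fix relies on every later `iph->` access staying above the first `pskb_may_pull()` call; a short comment next to `int ihl = iph->ihl;` stating that `iph` must not be dereferenced once a pull has run would keep a future change from reintroducing the stale read.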
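Review bot: in the second hunk (@@ -122), the block setting `flowi4_proto`, `daddr`, `saddr` and `flowi4_tos` now runs before `ip_is_fragment(iph)` and the protocol switch, which is what makes these reads safe and keeps the policy lookup keyed on the real addresses rather than whatever sits in the old header storage, but nothing in the source says why the ordering matters. Suggest a one-line comment such as `/* read iph before pskb_may_pull() can move the header */` above `fl4->flowi4_proto = iph->protocol;`.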
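Review bot: the `xprth = skb_network_header(skb) + ihl * 4;` reload in the UDP hunk (@@ -133) is repeated verbatim in the ICMP, ESP, AH, IPCOMP and GRE hunks, and each case also derives its pull length from the pre-pull `xprth`; a small helper taking `ihl` and the required length that performs the pull and returns the refreshed pointer (or NULL) would make it impossible to forget the reload in one of the six cases.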
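The stale-read pattern the commit message describes, as an added C example that is not kernel code and not part of this patch: a mock pskb_may_pull() that always moves the header and wipes the old bytes, beside the pre-fix and post-fix shapes of the decode routine. mock_skb, mock_pskb_may_pull, decode_stale, decode_fixed, run and the packet bytes are all constructed for this demonstration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a tiny sk_buff; data starts at the IPv4 header. */
struct mock_skb { uint8_t *data; size_t len; };
struct flow { uint8_t proto; uint16_t sport; };
static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
/* Mock of pskb_may_pull(): the kernel's may reallocate the header (e.g. on a cloned skb);
 * this one always moves the bytes to a fresh buffer and wipes the old storage, so a stale read sees 0. */
static int mock_pskb_may_pull(struct mock_skb *skb, size_t need) {
    if (need > skb->len) return 0;
    uint8_t *fresh = malloc(skb->len);
    memcpy(fresh, skb->data, skb->len);
    memset(skb->data, 0, skb->len);
    skb->data = fresh;
    return 1;
}
/* Pre-fix shape of _decode_session4(): iph is still dereferenced after the pull. */
static struct flow decode_stale(struct mock_skb *skb) {
    const uint8_t *iph = skb->data;
    uint8_t *xprth = skb->data + (iph[0] & 0x0f) * 4;
    struct flow fl = {0};
    if (mock_pskb_may_pull(skb, xprth + 4 - skb->data)) {
        xprth = skb->data + (iph[0] & 0x0f) * 4;  /* iph now points at wiped memory */
        fl.sport = be16(xprth);                    /* reads the IP header, not UDP */
    }
    fl.proto = iph[9];                             /* read after the pull: stale */
    return fl;
}
/* Post-fix shape: ihl and the header fields are copied to the stack first. */
static struct flow decode_fixed(struct mock_skb *skb) {
    const uint8_t *iph = skb->data;
    int ihl = iph[0] & 0x0f;
    uint8_t *xprth = skb->data + ihl * 4;
    struct flow fl = { .proto = iph[9] };
    if (mock_pskb_may_pull(skb, xprth + 4 - skb->data)) {
        xprth = skb->data + ihl * 4;               /* recomputed from the cached ihl */
        fl.sport = be16(xprth);
    }
    return fl;
}
/* Constructed packet: 20-byte IPv4 header (ihl=5, proto UDP) + UDP ports 4660 -> 53. */
static struct flow run(struct flow (*decode)(struct mock_skb *)) {
    uint8_t buf[24] = { [0] = 0x45, [9] = 17, [20] = 0x12, [21] = 0x34, [23] = 53 };
    struct mock_skb skb = { buf, sizeof buf };
    struct flow fl = decode(&skb);
    if (skb.data != buf) free(skb.data);           /* release the mock pull's buffer */
    return fl;
}
```

run(decode_stale) yields protocol 0 and a "port" taken from the IP version/IHL bytes, while run(decode_fixed) yields 17 and 4660 from the same packet.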