Received: by 2002:a25:86ce:0:0:0:0:0 with SMTP id y14csp2187410ybm; Thu, 23 May 2019 12:48:24 -0700 (PDT) X-Google-Smtp-Source: APXvYqzqHw6B93bJEiTb96dsPSMEW8jqJKbIx6US/S8p/21Ie+Tx5qVZSrxISuDjfadCoLwWIUD1 X-Received: by 2002:a17:90a:d98d:: with SMTP id d13mr3737803pjv.64.1558640904230; Thu, 23 May 2019 12:48:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1558640904; cv=none; d=google.com; s=arc-20160816; b=zumWLaauLVAXo52xA+cfP6D+itEKxszAYfiVkyIpTK5przVEn0TsHxuWZPh8uEoLx6 GwrdvmGEs2g0m6xr9TrAeQtFNpu/4M1kouuupOiTMu8nuoIxTOHmlI8tmuP5n4cXeG1q JWogfq2IQ89FoeX8KRuVMW3zZdxk+ioAc+kSD3FLXUl///VLys91QDP85GKAJwDUHXbQ vMRP7mxi0jgRKtHMUZRcUe0DhYtWnEw0+vBRs/szFlnaYYwe4haC/KlN67KajlsvPmru jJJnPrF1ZVAgBhBLAPU1JWyanxz1F6rVpqZNqXJzQNZcVRrUpZBoWO+LW9kF53cJEJhN cYnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=E0p284o/MycpF0h/bxnlZKQmQINFbQssFENlrymLLnw=; b=m3zdQo5Qxma7KcRfJ6oyCMRnJXv6VopIjBksF53u72ln4fPxMqtf0c/p8jptXEmar6 85PfutSOiVKQYm1J8595uVuRgCjsBET4nbJixrOrUjtKsEEKnQhN/H6DfNU30qI2IH4p YKsJKjtSnJqVzM2oonIIKLfzZizBKCLbCFEzmjUWuFiYYzkZkH88W8Y6URnx/7Nx2nt7 OJEEOafEu067sXJ+PlKwzmlJp+EB9ZtN0W3/5+9jHyG0Vlkfp/wz1kmycEIpQ7T6PDWm S1GnqMrFdcUMoutrcwkWUTVk0cV71hsk7YSzci2uY0FlmPFdkov/pJY4J1CpVpl7ZD2t XBHA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DzE1To5R; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f14si704255pln.71.2019.05.23.12.48.09; Thu, 23 May 2019 12:48:24 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DzE1To5R; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388109AbfEWTNe (ORCPT + 99 others); Thu, 23 May 2019 15:13:34 -0400 Received: from mail.kernel.org ([198.145.29.99]:47502 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388589AbfEWTNb (ORCPT ); Thu, 23 May 2019 15:13:31 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 1A27420863; Thu, 23 May 2019 19:13:28 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1558638809; bh=yeeWcnzm+aCWci0648kYiBaSVUa1CxVP6tQNh2gpbrU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DzE1To5R5JhzcFOm/gDMiaU78uoa8SiwMPsLcT/vKk8FSZS7rWHliA47Q+QdjS+ZU 4C8x00kf13QGuhtbXp50u58owFZkSNarjWZsu2D2qVeSNFISwGS10OacvSoAwfLrpU 4pCU/ntOSm1cQkae9CHHK2IcW7qeELdcX4nra7Zw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hulk Robot , YueHaibing , Herbert Xu , Steffen Klassert , Sasha Levin Subject: [PATCH 4.14 56/77] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Date: Thu, 23 May 2019 21:06:14 +0200 Message-Id: <20190523181727.691643997@linuxfoundation.org> X-Mailer: git-send-email 2.21.0 In-Reply-To: <20190523181719.982121681@linuxfoundation.org> References: <20190523181719.982121681@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org [ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ] UBSAN report this: UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24 index 6 is out of range for type 'unsigned int [6]' CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80 ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8 Call Trace: [] __dump_stack lib/dump_stack.c:15 [inline] [] dump_stack+0x114/0x1a0 lib/dump_stack.c:51 [] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164 [] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382 [] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289 [] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309 [] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243 [] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144 [] __run_timers kernel/time/timer.c:1218 [inline] [] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401 [] __do_softirq+0x299/0xe10 kernel/softirq.c:273 [] invoke_softirq kernel/softirq.c:350 [inline] [] irq_exit+0x216/0x2c0 kernel/softirq.c:391 [] exiting_irq arch/x86/include/asm/apic.h:652 [inline] [] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926 [] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735 [] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52 [] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline] [] default_idle+0x27/0x430 arch/x86/kernel/process.c:446 [] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437 [] default_idle_call+0x53/0x90 kernel/sched/idle.c:92 [] cpuidle_idle_call kernel/sched/idle.c:156 [inline] [] cpu_idle_loop kernel/sched/idle.c:251 [inline] [] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299 [] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245 The issue is triggered as this: xfrm_add_policy -->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX //In my case, the index is 0x6E6BB6, so it pass the check. -->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer -->xfrm_policy_insert --> __xfrm_policy_link //use the orgin dir, in my case is 2 --> xfrm_gen_index //generate policy index, there is 0x6E6BB6 then xfrm_policy_timer be fired xfrm_policy_timer --> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6 --> xfrm_policy_delete --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is valid, to fix the issue. Reported-by: Hulk Robot Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user") Signed-off-by: YueHaibing Acked-by: Herbert Xu Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin --- net/xfrm/xfrm_user.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 9ff9255d2191b..919b8406028cc 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1381,7 +1381,7 @@ static int verify_newpolicy_info(struct xfrm_userpolicy_info *p) ret = verify_policy_dir(p->dir); if (ret) return ret; - if (p->index && ((p->index & XFRM_POLICY_MAX) != p->dir)) + if (p->index && (xfrm_policy_id2dir(p->index) != p->dir)) return -EINVAL; return 0; -- 2.20.1