From: Jia-Ju Bai
Subject: [BUG] net: xfrm: possible null-pointer dereferences in xfrm_policy()
To: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Message-ID: <464bb93d-75b2-c21b-ee32-25a10ff61622@gmail.com>
Date: Mon, 29 Jul 2019 11:43:49 +0800

In xfrm_policy(), the while loop on lines 3802-3830 ends when dst->xfrm is NULL. Then, dst->xfrm is used on line 3840:

    xfrm_state_mtu(dst->xfrm, mtu);
        if (x->km.state != XFRM_STATE_VALID...)
        aead = x->data;

Thus, possible null-pointer dereferences may occur.

These bugs are found by a static analysis tool STCheck written by us.
I do not know how to correctly fix these bugs, so I only report them.

Best wishes,
Jia-Ju Bai
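The reasoning behind the report (a loop whose exit condition is "dst->xfrm is NULL", followed by a use of dst->xfrm) is the kind of path-sensitive argument a static checker makes. The following is an added, hypothetical model of that pattern, written for this page; it is not kernel code, not STCheck output, and not a proposed kernel fix. All names (dst_model, xfrm_state_model, walk_while_xfrm, state_mtu_model, the constructed chain) are assumptions. It shows why the post-loop dereference is always on NULL for this loop shape, and one defensive shape (remembering the last node that actually carried a state) that avoids it.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the report's data shapes (assumption, not kernel code):
 * a chain of dst-like nodes, each optionally carrying a transform state. */
struct xfrm_state_model { int state_valid; int overhead; };
struct dst_model { struct dst_model *child; struct xfrm_state_model *xfrm; };

/* Stand-in for the xfrm_state_mtu() call quoted in the report: it reads
 * fields of x, so passing NULL would be a null-pointer dereference. */
static int state_mtu_model(const struct xfrm_state_model *x, int mtu)
{
    if (!x->state_valid)          /* same shape as the quoted x->km.state check */
        return mtu;
    return mtu - x->overhead;
}

/* The loop shape described in the report: advance while dst->xfrm is set.
 * By the loop condition, the node it returns always has xfrm == NULL. */
static struct dst_model *walk_while_xfrm(struct dst_model *dst)
{
    while (dst->xfrm)
        dst = dst->child;
    return dst;
}

/* Pattern as reported: use dst->xfrm right after the loop. Instead of actually
 * dereferencing NULL, the model reports it via *would_crash so it is safe to run. */
static int mtu_after_loop_unchecked(struct dst_model *dst, int mtu, int *would_crash)
{
    dst = walk_while_xfrm(dst);
    if (dst->xfrm == NULL) {      /* always true here: this is the reported condition */
        *would_crash = 1;
        return 0;
    }
    *would_crash = 0;
    return state_mtu_model(dst->xfrm, mtu);
}

/* One defensive shape (an assumption, not the kernel's fix): remember the last
 * node that actually had a state and use that, or leave mtu alone if none did. */
static int mtu_after_loop_checked(struct dst_model *dst, int mtu)
{
    struct dst_model *last = NULL;
    while (dst->xfrm) {
        last = dst;
        dst = dst->child;
    }
    if (last == NULL)
        return mtu;               /* no transform in the chain: nothing to subtract */
    return state_mtu_model(last->xfrm, mtu);
}

/* Constructed sample chain: two transform nodes followed by a plain route node
 * (xfrm == NULL), which is what terminates the loop. */
static struct xfrm_state_model sample_states[2] = { {1, 56}, {1, 40} };
static struct dst_model sample_nodes[3];

static struct dst_model *build_sample_chain(void)
{
    sample_nodes[0].child = &sample_nodes[1]; sample_nodes[0].xfrm = &sample_states[0];
    sample_nodes[1].child = &sample_nodes[2]; sample_nodes[1].xfrm = &sample_states[1];
    sample_nodes[2].child = NULL;             sample_nodes[2].xfrm = NULL;
    return &sample_nodes[0];
}

int main(void)
{
    struct dst_model *chain = build_sample_chain();
    int would_crash = 0;
    int unchecked = mtu_after_loop_unchecked(chain, 1500, &would_crash);
    int checked = mtu_after_loop_checked(chain, 1500);

    printf("post-loop node has xfrm == NULL: %s\n",
           walk_while_xfrm(chain)->xfrm == NULL ? "yes" : "no");
    printf("unchecked use would dereference NULL: %s (value %d)\n",
           would_crash ? "yes" : "no", unchecked);
    printf("checked variant mtu: %d\n", checked);
    return 0;
}
```

The model makes the checker's argument concrete: whatever the chain contents, walk_while_xfrm() can only return a node whose xfrm is NULL, so the unchecked path is a NULL dereference on every input, not just an unlucky one. Whether the defensive variant is the right repair for the real code is exactly the question the report leaves open.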