Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp836976pja; Wed, 1 Apr 2020 09:35:29 -0700 (PDT) X-Google-Smtp-Source: APiQypITqXEBqBBBu0ZJku57kRVvHDQBpNExFJwPUxenY5Y+YsMbE/VYgax7tGTKdQLOoqe6k3Nc X-Received: by 2002:aca:bac1:: with SMTP id k184mr3507949oif.157.1585758929600; Wed, 01 Apr 2020 09:35:29 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1585758929; cv=none; d=google.com; s=arc-20160816; b=mzezOw+486sWK1s8Subdbme6Gqn26uEdFifU4yJSyR4MbnQTM4hN+k4JtqL9r2VoTi fkwufaFL7Jq8vIVD7hCLwZ/a/WIqcajTlAdI8MA312g3P6n7U/Jo5vQFVGwEWWVoV1+i hRiUxVrVKG9Iq7guWTrcDDFTBIKi9vg1FOlfWXbCLs6Vri6h23hjhhqc2ZxBGe554rmb 3fKCpxestF/sTnETZZ6qJHD5u9j1OD+p2pJCyagn8CGUbtXNiVupOgoTM+m1X1p2Ao/Z syBSq19Gx9Aq+tHDbszuTBlpFNHYxJJ3zmVJK3zDdkh8gWfy1KuCN63XoAPiqQpYLYij iRqw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=9ScvJRTsJ937c9mUpWo1Jfpa3HrvjVJzX6PsorPNLzA=; b=uJ9BYSM3uqFfy4aVJXK72y1PsBTsDmNaWv8l1LP2Zb3uSH/e4YMzcSpzhvW+iMkI+q ETYwSSDqHFVBsB+RTkCJ6+0V0PG6Br2AuU0xAGeSNFOf61NinEwMf3ky/mrZdoAXBa8g d7r1hpSLAgqg34zJ11RGNU7zun9n0JXgq94SK0AhgCAIWvwY9KNjEd46LkSRDWkieXLx NY56VGp66hzN+ICojdtaKdSh+W9i2aCfVVVpdbfWFGPGQOFCs3zrKEvnEyJyh71I2VQl 3lmk2otUHvPALX53Y1dobTG4VOZwGrmU3l8k1QrUZIO3aRxSc10VHBkjvlBfyj4XF8k5 6J2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MG0ocWR7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 192si1085521oii.36.2020.04.01.09.35.16; Wed, 01 Apr 2020 09:35:29 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=MG0ocWR7; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387983AbgDAQdy (ORCPT + 99 others); Wed, 1 Apr 2020 12:33:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:60482 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2388595AbgDAQdx (ORCPT ); Wed, 1 Apr 2020 12:33:53 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 46515214D8; Wed, 1 Apr 2020 16:33:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1585758832; bh=tmjogg9yI+Opax21DufBCCunzR9HJWzo5dAUBKQVx3A=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=MG0ocWR7Mm9WCIWajE7sug4Mu/d+Vo4lkZZyIaoqU5IqWrE0u0KMRl+WPkup3sxNY HUROa/ZHErGOi5LVPIK3jlOGFGbwCXS3MBYIwmyyONz9w33fS5lhOo2By+YCyRAVx8 T+q+WJ7PPX4K2juoL0aiuUYrV/O7B7/YOVkr+Hlw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Xin Long , Steffen Klassert Subject: [PATCH 4.4 62/91] xfrm: fix uctx len check in verify_sec_ctx_len Date: Wed, 1 Apr 2020 18:17:58 +0200 Message-Id: <20200401161534.360943180@linuxfoundation.org> X-Mailer: git-send-email 2.26.0 In-Reply-To: <20200401161512.917494101@linuxfoundation.org> References: <20200401161512.917494101@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream. It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt), in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str later. This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt). Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.") Signed-off-by: Xin Long Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/xfrm/xfrm_user.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(str return 0; uctx = nla_data(rt); - if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) + if (uctx->len > nla_len(rt) || + uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len)) return -EINVAL; return 0;