Received: by 2002:a17:90a:1609:0:0:0:0 with SMTP id n9csp840942pja;
        Wed, 1 Apr 2020 09:39:38 -0700 (PDT)
X-Google-Smtp-Source: APiQypK8UePny4Fkvbh1Sp+8w26V8KaIwaszUJK4Un+mdMXNmhgRTwIP3bY9FmP0ek+ExjGlk2Nn
X-Received: by 2002:aca:c596:: with SMTP id v144mr3536359oif.136.1585759178670;
        Wed, 01 Apr 2020 09:39:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1585759178; cv=none;
        d=google.com; s=arc-20160816;
        b=iStZZ5CqwN94aQvo/e09Vz5kUhHhoXsP3LZBML9kMMEtFdGLxqfl0iik4+ndBR+UYx
         t71ZuHn/u5i9/Oa3BCHlAj4N7/9e095UJR1a7fXum7N1YwUBf9IUgbr6UiEyk+RfJi4p
         xjAtXi7F6AkOpjhsYhyNxgm4IYHAjQdf4cnFn/hr9bK+9ZJh5SVZqnrMawIbLiiD3YZT
         Oo+gMafAfIZMgVG6UvuFp6S4es2oz/WcFFFD8z72/Dkbw5HLYCT169aGrBesxvqywQ9z
         Xs7eIPZPCMrIKzLG0TWcCbCREsaNgYgiI8AfVK83Wu78gSEVWjHcu0K3H3THyEOPSTmZ
         K1rg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=9ScvJRTsJ937c9mUpWo1Jfpa3HrvjVJzX6PsorPNLzA=;
        b=Jd5BTt2qlpLV9St7OvXHyId/cQKYItRvBFGlJUlAcHlXt9N497OGDfWFqdGYpXogUq
         2kE4WpfDnqvKOYspoMmoCRXSnbmTvFhJPRvhI3VnKayVz7hgyRlvgX0CwwQgY53b2a4c
         8rZUCNxyDSKAQqRKA6orQFVE5zGY6yIsI8eIRd70UbSPJnNADs9iXgOqe4DxsSlN+4L3
         zBYDZwbW22+nWzKbYH5v5UhZHOg5u3rPjYHB7gN1kYKy3iMS02IJbi826UtqfQDFtbQ5
         NXuTz0JT8Dg8bM3575gKTFA3hm+XDtRs9XfaXR7k6muYkYWjgh60NgIgOGBhVTaNi8PG
         6R0w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=GqoPXYLu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w8si898570otg.26.2020.04.01.09.39.24;
        Wed, 01 Apr 2020 09:39:38 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=GqoPXYLu;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S2389020AbgDAQhu (ORCPT <rfc822;jaegeuk-test@gmail.com>
        + 99 others); Wed, 1 Apr 2020 12:37:50 -0400
Received: from mail.kernel.org ([198.145.29.99]:37060 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S2389009AbgDAQhq (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 1 Apr 2020 12:37:46 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 7D2A1212CC;
        Wed,  1 Apr 2020 16:37:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1585759066;
        bh=tmjogg9yI+Opax21DufBCCunzR9HJWzo5dAUBKQVx3A=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=GqoPXYLutnEx4H+3tTW7sm6Tvn5+/T6iuvKZMcgNdGnOe0Q+K+nPtOCMMoNLim2EX
         1FeMBK1b1OgAh1JxqOfkeXOQ8nNNgoeB13EBRoYjWlE9Busb3WKtoDsNPo6cmL3Vn+
         mbCymu5aYos0mChyS2MVLEoUxwUtFhhO/YJQHKLE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Xin Long <lucien.xin@gmail.com>,
        Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 4.9 066/102] xfrm: fix uctx len check in verify_sec_ctx_len
Date:   Wed,  1 Apr 2020 18:18:09 +0200
Message-Id: <20200401161543.863244296@linuxfoundation.org>
X-Mailer: git-send-email 2.26.0
In-Reply-To: <20200401161530.451355388@linuxfoundation.org>
References: <20200401161530.451355388@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Xin Long <lucien.xin@gmail.com>

commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/xfrm/xfrm_user.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -109,7 +109,8 @@ static inline int verify_sec_ctx_len(str
 		return 0;
 
 	uctx = nla_data(rt);
-	if (uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
+	if (uctx->len > nla_len(rt) ||
+	    uctx->len != (sizeof(struct xfrm_user_sec_ctx) + uctx->ctx_len))
 		return -EINVAL;
 
 	return 0;