Date: Wed, 22 Jul 2020 11:33:18 +0200
From: Steffen Klassert
To: Mark Salyzyn
CC: Herbert Xu, "David S. Miller", Jakub Kicinski
Subject: Re: af_key: pfkey_dump needs parameter validation
Message-ID: <20200722093318.GO20687@gauss3.secunet.de>
In-Reply-To: <20200721132358.966099-1-salyzyn@android.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> In pfkey_dump() dplen and splen can both be specified to access the
> xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
> when it calls addr_match() with the indexes. Return EINVAL if either
> are out of range.
>
> Signed-off-by: Mark Salyzyn
> Cc: netdev@vger.kernel.org
> Cc: linux-kernel@vger.kernel.org
> Cc: kernel-team@android.com
> ---
> Should be back ported to the stable queues because this is an out of
> bounds access.

Please do a v2 and add a proper 'Fixes' tag if this is a fix
that needs to be backported.

Thanks!
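
The class of check the quoted commit message describes, as an added example that is not part of this thread, the patch, or the kernel sources: a userspace model in which a prefix length is validated against the size of the address structure before a prefix comparison uses it as an index. The names model_addr_t, prefixlen_valid, filter_validate and checked_addr_match are hypothetical, and the 16-byte union is an assumed stand-in for xfrm_address_t.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Assumed userspace stand-in for xfrm_address_t: 16 bytes, enough for IPv6. */
typedef union { uint32_t a4; uint32_t a6[4]; } model_addr_t;

/* A prefix length counts bits, so it cannot exceed the bits in the union. */
static int prefixlen_valid(unsigned int prefixlen)
{
    return prefixlen <= sizeof(model_addr_t) * 8;
}

/* Request-time check: reject the dump filter up front if either the
 * source or the destination prefix length is out of range. */
static int filter_validate(unsigned int splen, unsigned int dplen)
{
    if (!prefixlen_valid(splen) || !prefixlen_valid(dplen))
        return -EINVAL;
    return 0;
}

/* Compare the first prefixlen bits of two addresses. The comparison reads
 * prefixlen / 8 whole bytes plus one partial byte, so without the range
 * check an oversized prefixlen would read past the end of the union.
 * Returns 1 on match, 0 on mismatch, -EINVAL if prefixlen is out of range. */
static int checked_addr_match(const model_addr_t *a, const model_addr_t *b,
                              unsigned int prefixlen)
{
    const uint8_t *pa = (const uint8_t *)a, *pb = (const uint8_t *)b;
    unsigned int bytes = prefixlen / 8, bits = prefixlen % 8;

    if (!prefixlen_valid(prefixlen))
        return -EINVAL;
    if (memcmp(pa, pb, bytes) != 0)
        return 0;
    if (bits && ((pa[bytes] ^ pb[bytes]) & (uint8_t)(0xff << (8 - bits))))
        return 0;
    return 1;
}

int main(void)
{
    model_addr_t a = { .a6 = {0} }, b = { .a6 = {0} };
    /* Constructed values: 255 bits is larger than the 128-bit structure. */
    return !(filter_validate(24, 255) == -EINVAL &&
             checked_addr_match(&a, &b, 128) == 1);
}
```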