Date: Wed, 22 Jul 2020 12:37:00 +0200
From: Steffen Klassert
To: Mark Salyzyn
CC: Herbert Xu, "David S. Miller", Jakub Kicinski
Subject: Re: af_key: pfkey_dump needs parameter validation
Message-ID: <20200722103700.GP20687@gauss3.secunet.de>
References: <20200721132358.966099-1-salyzyn@android.com> <20200722093318.GO20687@gauss3.secunet.de> <2ae16588-2972-a797-9310-4f9d56b7348b@android.com>
In-Reply-To: <2ae16588-2972-a797-9310-4f9d56b7348b@android.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, Jul 22, 2020 at 03:20:59AM -0700, Mark Salyzyn wrote:
> On 7/22/20 2:33 AM, Steffen Klassert wrote:
> > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote:
> > > In pfkey_dump() dplen and splen can both be specified to access the
> > > xfrm_address_t structure out of bounds in __xfrm_state_filter_match()
> > > when it calls addr_match() with the indexes. Return EINVAL if either
> > > are out of range.
> > >
> > > Signed-off-by: Mark Salyzyn
> > > Cc: netdev@vger.kernel.org
> > > Cc: linux-kernel@vger.kernel.org
> > > Cc: kernel-team@android.com
> > > ---
> > > Should be backported to the stable queues because this is an out of
> > > bounds access.
> >
> > Please do a v2 and add a proper 'Fixes' tag if this is a fix that
> > needs to be backported.
> >
> > Thanks!
>
> Confused because this code was never right? From 2008 there was a rewrite
> that instantiated this fragment of code so that it could handle
> continuations for overloaded receive queues, but it was not right before the
> adjustment.
>
> Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP
> entries non-atomically")
>
> that is reaching back more than 12 years and the blame is poorly aimed
> AFAIK.

This is just that the stable team knows how far they need to backport it.
If this was never right, then the initial git commit is the right one
for the fixes tag e.g. 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")'
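As an added illustration (not code from this thread or from the kernel tree), a user-space model of the addr_match() word indexing the patch description refers to, with the prefix-length validation that pfkey_dump() needs in front of it. The union layout, the sample addresses and the names pfkey_filter_prefixlen_valid() and checked_match() are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

/* User-space model of the kernel's xfrm_address_t: a 16-byte IPv4/IPv6 union. */
typedef union {
    uint32_t a6[4];
    uint8_t  raw[16];
} xfrm_address_t;

#define XFRM_ADDR_MAX_PREFIXLEN (sizeof(xfrm_address_t) << 3) /* 16 bytes = 128 bits */

/* Constructed sample addresses 2001:db8::2 and 2001:db8::3 (network byte order). */
static const xfrm_address_t sample_a = { .raw = {0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,2} };
static const xfrm_address_t sample_b = { .raw = {0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,3} };

/* Same shape as the kernel's addr_match(): whole 32-bit words of the prefix are
 * compared with memcmp, then the trailing partial word is masked. prefixlen is
 * trusted here: with prefixlen > 128, pdw reaches 4 and a1[pdw] reads past the
 * 16-byte address, which is the out-of-bounds access the patch closes. */
static bool addr_match(const void *token1, const void *token2, unsigned int prefixlen)
{
    const uint32_t *a1 = token1, *a2 = token2;
    unsigned int pdw = prefixlen >> 5;   /* whole u32 words in the prefix */
    unsigned int pbi = prefixlen & 0x1f; /* bits in the trailing partial word */
    if (pdw && memcmp(a1, a2, pdw << 2))
        return false;
    if (pbi) {
        uint32_t mask = htonl(0xffffffffU << (32 - pbi));
        if ((a1[pdw] ^ a2[pdw]) & mask)
            return false;
    }
    return true;
}

/* The validation the thread asks pfkey_dump() to add: both user-supplied
 * prefix lengths must fit the address, otherwise EINVAL (-1 here). */
int pfkey_filter_prefixlen_valid(unsigned int splen, unsigned int dplen)
{
    if (splen > XFRM_ADDR_MAX_PREFIXLEN || dplen > XFRM_ADDR_MAX_PREFIXLEN)
        return -1;
    return 0;
}

/* Validate before comparing: -1 = rejected, 0 = no match, 1 = match. */
int checked_match(const xfrm_address_t *a, const xfrm_address_t *b, unsigned int plen)
{
    return pfkey_filter_prefixlen_valid(plen, plen) ? -1 : (addr_match(a, b, plen) ? 1 : 0);
}
```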