Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp832219pxk; Thu, 24 Sep 2020 21:44:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwQnZ5t7meTiAdLzw2RarS9rQyE00xmpb+JlyHaYzlxcQGwC/lKerEc//dBocQPTzhY+UWk X-Received: by 2002:a17:906:e4f:: with SMTP id q15mr971212eji.155.1601009076453; Thu, 24 Sep 2020 21:44:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1601009076; cv=none; d=google.com; s=arc-20160816; b=gMle/yoaxHMdt9YbZ4K0k7K1YGXnTvxWzPI2vj8v3K3Acv6ny42olrXB92BkPTGi2z aJPLwbAveiHt7y7hjRaXjClMxLYYr9OH1FIWvYrHEgpuui3sDwqCH+4hJwbIYI35+M/M fIvAYYfITLwtLOdHL7PeSeQhYw5tu9jFmaaxdIaZdpwXpAcaPG5JdBE8Z4DnhfvLAc53 YsqzgSJDMjl0LYYlTvKIP0qrL1PJcg5NKXXnsb+onjbsj5be1cgOwCVGmwZHgfMmpV9y eGhCPfFiI10JLAtIOHqmgS6w00r6+14klG8jOJ3Zb3GOGulWCmkgwjjq33vLz6bJn4m8 s4mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=sp/LQoX+DVetfudzcdM6adhXaqfD7muYjbkFMdqtRkA=; b=KlLhriZ3leaOKW8o9KnrkiybxYVH89HxEGeo8pjBnZ+rOdg5fdqTGkQENqaNZ+c5/S RFD9B55QQufj7U3sI9Rsmk2EECSXdZBS5Ksw23ks7bpEHXAJC2xWRXQpGWru/m6eGB/u DffunX7A2oHMa3R1IBdrE+NRVYH1BaknkEFIyttWqgx/jkKHHQJmThjRfbEyQHq0cbpt s+KzcxFPunWeayiLBPhdaNW8D/3wYBTQku0rx6a6PZwN5YEEvhG0UPz86/ugKMV/1Hbt SJAgen9orTVOROTkJQh8klv2RBO+1vrsT3+R9J3D+TLyhYF1QUF2flbnvVtIXcxChxEH o6gQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nu23si1042502ejb.577.2020.09.24.21.44.12; Thu, 24 Sep 2020 21:44:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727068AbgIYEnR (ORCPT + 99 others); Fri, 25 Sep 2020 00:43:17 -0400 Received: from helcar.hmeau.com ([216.24.177.18]:52492 "EHLO fornost.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726738AbgIYEnR (ORCPT ); Fri, 25 Sep 2020 00:43:17 -0400 Received: from gwarestrin.arnor.me.apana.org.au ([192.168.0.7]) by fornost.hmeau.com with smtp (Exim 4.92 #5 (Debian)) id 1kLfZQ-0003Uw-Ce; Fri, 25 Sep 2020 14:42:57 +1000 Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Fri, 25 Sep 2020 14:42:56 +1000 Date: Fri, 25 Sep 2020 14:42:56 +1000 From: Herbert Xu To: syzbot Cc: davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, steffen.klassert@secunet.com, syzkaller-bugs@googlegroups.com, James Morris , "Serge E. Hallyn" , linux-security-module@vger.kernel.org Subject: [PATCH] xfrm: Use correct address family in xfrm_state_find Message-ID: <20200925044256.GA18246@gondor.apana.org.au> References: <0000000000009fc91605afd40d89@google.com> <20200925030759.GA17939@gondor.apana.org.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200925030759.GA17939@gondor.apana.org.au> User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Resend with proper subject. ---8<--- The struct flowi must never be interpreted by itself as its size depends on the address family. Therefore it must always be grouped with its original family value. In this particular instance, the original family value is lost in the function xfrm_state_find. Therefore we get a bogus read when it's coupled with the wrong family which would occur with inter- family xfrm states. This patch fixes it by keeping the original family value. Note that the same bug could potentially occur in LSM through the xfrm_state_pol_flow_match hook. I checked the current code there and it seems to be safe for now as only secid is used which is part of struct flowi_common. But that API should be changed so that so that we don't get new bugs in the future. We could do that by replacing fl with just secid or adding a family field. Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...") Signed-off-by: Herbert Xu diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c index 69520ad3d83b..9b5f2c2b9770 100644 --- a/net/xfrm/xfrm_state.c +++ b/net/xfrm/xfrm_state.c @@ -1019,7 +1019,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, */ if (x->km.state == XFRM_STATE_VALID) { if ((x->sel.family && - !xfrm_selector_match(&x->sel, fl, x->sel.family)) || + (x->sel.family != family || + !xfrm_selector_match(&x->sel, fl, family))) || !security_xfrm_state_pol_flow_match(x, pol, fl)) return; @@ -1032,7 +1033,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x, *acq_in_progress = 1; } else if (x->km.state == XFRM_STATE_ERROR || x->km.state == XFRM_STATE_EXPIRED) { - if (xfrm_selector_match(&x->sel, fl, x->sel.family) && + if ((!x->sel.family || + (x->sel.family == family && + xfrm_selector_match(&x->sel, fl, family))) && security_xfrm_state_pol_flow_match(x, pol, fl)) *error = -ESRCH; } @@ -1072,7 +1075,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, tmpl->mode == x->props.mode && tmpl->id.proto == x->id.proto && (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) - xfrm_state_look_at(pol, x, fl, encap_family, + xfrm_state_look_at(pol, x, fl, family, &best, &acquire_in_progress, &error); } if (best || acquire_in_progress) @@ -1089,7 +1092,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr, tmpl->mode == x->props.mode && tmpl->id.proto == x->id.proto && (tmpl->id.spi == x->id.spi || !tmpl->id.spi)) - xfrm_state_look_at(pol, x, fl, encap_family, + xfrm_state_look_at(pol, x, fl, family, &best, &acquire_in_progress, &error); } -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt