Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp832219pxk;
        Thu, 24 Sep 2020 21:44:36 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwQnZ5t7meTiAdLzw2RarS9rQyE00xmpb+JlyHaYzlxcQGwC/lKerEc//dBocQPTzhY+UWk
X-Received: by 2002:a17:906:e4f:: with SMTP id q15mr971212eji.155.1601009076453;
        Thu, 24 Sep 2020 21:44:36 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1601009076; cv=none;
        d=google.com; s=arc-20160816;
        b=gMle/yoaxHMdt9YbZ4K0k7K1YGXnTvxWzPI2vj8v3K3Acv6ny42olrXB92BkPTGi2z
         aJPLwbAveiHt7y7hjRaXjClMxLYYr9OH1FIWvYrHEgpuui3sDwqCH+4hJwbIYI35+M/M
         fIvAYYfITLwtLOdHL7PeSeQhYw5tu9jFmaaxdIaZdpwXpAcaPG5JdBE8Z4DnhfvLAc53
         YsqzgSJDMjl0LYYlTvKIP0qrL1PJcg5NKXXnsb+onjbsj5be1cgOwCVGmwZHgfMmpV9y
         eGhCPfFiI10JLAtIOHqmgS6w00r6+14klG8jOJ3Zb3GOGulWCmkgwjjq33vLz6bJn4m8
         s4mg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:user-agent:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=sp/LQoX+DVetfudzcdM6adhXaqfD7muYjbkFMdqtRkA=;
        b=KlLhriZ3leaOKW8o9KnrkiybxYVH89HxEGeo8pjBnZ+rOdg5fdqTGkQENqaNZ+c5/S
         RFD9B55QQufj7U3sI9Rsmk2EECSXdZBS5Ksw23ks7bpEHXAJC2xWRXQpGWru/m6eGB/u
         DffunX7A2oHMa3R1IBdrE+NRVYH1BaknkEFIyttWqgx/jkKHHQJmThjRfbEyQHq0cbpt
         s+KzcxFPunWeayiLBPhdaNW8D/3wYBTQku0rx6a6PZwN5YEEvhG0UPz86/ugKMV/1Hbt
         SJAgen9orTVOROTkJQh8klv2RBO+1vrsT3+R9J3D+TLyhYF1QUF2flbnvVtIXcxChxEH
         o6gQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id nu23si1042502ejb.577.2020.09.24.21.44.12;
        Thu, 24 Sep 2020 21:44:36 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727068AbgIYEnR (ORCPT <rfc822;deadfox.tw@gmail.com>
        + 99 others); Fri, 25 Sep 2020 00:43:17 -0400
Received: from helcar.hmeau.com ([216.24.177.18]:52492 "EHLO fornost.hmeau.com"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726738AbgIYEnR (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 25 Sep 2020 00:43:17 -0400
Received: from gwarestrin.arnor.me.apana.org.au ([192.168.0.7])
        by fornost.hmeau.com with smtp (Exim 4.92 #5 (Debian))
        id 1kLfZQ-0003Uw-Ce; Fri, 25 Sep 2020 14:42:57 +1000
Received: by gwarestrin.arnor.me.apana.org.au (sSMTP sendmail emulation); Fri, 25 Sep 2020 14:42:56 +1000
Date:   Fri, 25 Sep 2020 14:42:56 +1000
From:   Herbert Xu <herbert@gondor.apana.org.au>
To:     syzbot <syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com>
Cc:     davem@davemloft.net, kuba@kernel.org, linux-kernel@vger.kernel.org,
        netdev@vger.kernel.org, steffen.klassert@secunet.com,
        syzkaller-bugs@googlegroups.com, James Morris <jmorris@namei.org>,
        "Serge E. Hallyn" <serge@hallyn.com>,
        linux-security-module@vger.kernel.org
Subject: [PATCH] xfrm: Use correct address family in xfrm_state_find
Message-ID: <20200925044256.GA18246@gondor.apana.org.au>
References: <0000000000009fc91605afd40d89@google.com>
 <20200925030759.GA17939@gondor.apana.org.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200925030759.GA17939@gondor.apana.org.au>
User-Agent: Mutt/1.10.1 (2018-07-13)
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Resend with proper subject.
 
---8<---
The struct flowi must never be interpreted by itself as its size
depends on the address family.  Therefore it must always be grouped
with its original family value.

In this particular instance, the original family value is lost in
the function xfrm_state_find.  Therefore we get a bogus read when
it's coupled with the wrong family which would occur with inter-
family xfrm states.

This patch fixes it by keeping the original family value.

Note that the same bug could potentially occur in LSM through
the xfrm_state_pol_flow_match hook.  I checked the current code
there and it seems to be safe for now as only secid is used which
is part of struct flowi_common.  But that API should be changed
so that so that we don't get new bugs in the future.  We could
do that by replacing fl with just secid or adding a family field.

Reported-by: syzbot+577fbac3145a6eb2e7a5@syzkaller.appspotmail.com
Fixes: 48b8d78315bf ("[XFRM]: State selection update to use inner...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 69520ad3d83b..9b5f2c2b9770 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -1019,7 +1019,8 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
 	 */
 	if (x->km.state == XFRM_STATE_VALID) {
 		if ((x->sel.family &&
-		     !xfrm_selector_match(&x->sel, fl, x->sel.family)) ||
+		     (x->sel.family != family ||
+		      !xfrm_selector_match(&x->sel, fl, family))) ||
 		    !security_xfrm_state_pol_flow_match(x, pol, fl))
 			return;
 
@@ -1032,7 +1033,9 @@ static void xfrm_state_look_at(struct xfrm_policy *pol, struct xfrm_state *x,
 		*acq_in_progress = 1;
 	} else if (x->km.state == XFRM_STATE_ERROR ||
 		   x->km.state == XFRM_STATE_EXPIRED) {
-		if (xfrm_selector_match(&x->sel, fl, x->sel.family) &&
+		if ((!x->sel.family ||
+		     (x->sel.family == family &&
+		      xfrm_selector_match(&x->sel, fl, family))) &&
 		    security_xfrm_state_pol_flow_match(x, pol, fl))
 			*error = -ESRCH;
 	}
@@ -1072,7 +1075,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
 		    tmpl->mode == x->props.mode &&
 		    tmpl->id.proto == x->id.proto &&
 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-			xfrm_state_look_at(pol, x, fl, encap_family,
+			xfrm_state_look_at(pol, x, fl, family,
 					   &best, &acquire_in_progress, &error);
 	}
 	if (best || acquire_in_progress)
@@ -1089,7 +1092,7 @@ xfrm_state_find(const xfrm_address_t *daddr, const xfrm_address_t *saddr,
 		    tmpl->mode == x->props.mode &&
 		    tmpl->id.proto == x->id.proto &&
 		    (tmpl->id.spi == x->id.spi || !tmpl->id.spi))
-			xfrm_state_look_at(pol, x, fl, encap_family,
+			xfrm_state_look_at(pol, x, fl, family,
 					   &best, &acquire_in_progress, &error);
 	}
 
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt