Date: Fri, 10 Sep 2021 11:50:48 +0200
From: Steffen Klassert
To: Pavel Skripkin
Subject: Re: [PATCH] net: xfrm: fix shift-out-of-bounds in xfrm_get_default
Message-ID: <20210910095048.GL2319818@gauss3.secunet.de>
References: <20210902190400.5257-1-paskripkin@gmail.com>
In-Reply-To: <20210902190400.5257-1-paskripkin@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 02, 2021 at 10:04:00PM +0300, Pavel Skripkin wrote:
> Syzbot hit shift-out-of-bounds in xfrm_get_default. The problem was in
> missing validation check for user data.
>
> up->dirmask comes from user-space, so we need to check if this value
> is less than XFRM_USERPOLICY_DIRMASK_MAX to avoid shift-out-of-bounds bugs.
>
> Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
> Reported-and-tested-by: syzbot+b2be9dd8ca6f6c73ee2d@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin

Applied, thanks Pavel!
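
Added example, not part of the original mail or of the kernel patch: a user-space C model of the check the quoted commit message describes, where a user-supplied bit index is range-checked before it is used as a shift count. The names model_get_default, model_userpolicy_default and MODEL_DIRMASK_MAX, and the bound of 8 bits, are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bound for this model: number of bits in a u8 policy mask.
 * Stands in for XFRM_USERPOLICY_DIRMASK_MAX named in the mail. */
#define MODEL_DIRMASK_MAX (sizeof(uint8_t) * 8)

/* Hypothetical stand-in for the request structure filled by user space. */
struct model_userpolicy_default {
    uint8_t dirmask;  /* user-controlled bit index */
    uint8_t action;   /* output: value of the selected bit */
};

/*
 * Read the bit of policy_default selected by up->dirmask.
 * Without the range check, a dirmask at or above the width of int makes
 * "1 << dirmask" undefined behaviour, which UBSAN reports as
 * shift-out-of-bounds.
 */
int model_get_default(uint8_t policy_default,
                      struct model_userpolicy_default *up)
{
    if (up->dirmask >= MODEL_DIRMASK_MAX)
        return -EINVAL;  /* reject before any shift happens */

    up->action = (uint8_t)((policy_default & (1u << up->dirmask)) >> up->dirmask);
    return 0;
}

/* Count how many of the 256 possible u8 index values are accepted. */
int model_count_accepted(uint8_t policy_default)
{
    int accepted = 0;
    for (int d = 0; d <= UINT8_MAX; d++) {
        struct model_userpolicy_default up = { .dirmask = (uint8_t)d };
        if (model_get_default(policy_default, &up) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted inputs: %d of 256\n", model_count_accepted(0x05));
    return 0;
}
```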