Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Date:   Tue, 25 Jul 2023 13:35:14 +0200
From:   Simon Horman <simon.horman@corigine.com>
To:     Lin Ma <linma@zju.edu.cn>
Cc:     steffen.klassert@secunet.com, herbert@gondor.apana.org.au,
        davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
        pabeni@redhat.com, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
Message-ID: <ZL+zcukc8fscMrYG@corigine.com>
References: <20230723074110.3705047-1-linma@zju.edu.cn>
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20230723074110.3705047-1-linma@zju.edu.cn>
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?pvc1M2m5Wax0Rmp4KtZJYGt8ahmA3yKLNvPe38J1pBSfvz9oa5tt2Fjrox/O?=
 =?us-ascii?Q?qOLUy5+AJCL+fAy3GGkhfe/g9ozPLSw9Qe0sg/JEZoWjPzrqcEBgjW+4gvgL?=
 =?us-ascii?Q?RZfpcprH4MnZicsY77lDjS81U1o9Fj15mx5j2Xybd1t2i60wVYwyiKSWPv10?=
 =?us-ascii?Q?XGMLVZajmmDJM7MjEb/hU/bVlUkZEXf7JdAX3NYAdDkjiUEsrF8xd92Wgrcy?=
 =?us-ascii?Q?aBMM6BzZBLTIyinPTQLbM7qaPjEwqqrXCNhtb3MPlstx0wKKhE4ymh+ppjG6?=
 =?us-ascii?Q?8XTLGK9kEcqB5KFz4wHJR0vezIMHR+fEyPB9Vtnk81aTsQAaquUU6EcyEjIt?=
 =?us-ascii?Q?SPMhOlx6niBjYct8ueu7CVKX0jn5onZ6sbJmbXxIXvKTumexruUEmEgljKt6?=
 =?us-ascii?Q?hulSZR5aPgnOoB7WkhVuYPvsbfvMu8h5c1l3eO74+Y7Lyu8BuemvIHMpLSJ1?=
 =?us-ascii?Q?PPEaPt+oRXzhzIPFdCaeJYViuoOJzCMSxAUbih5idem+lcNBtmkbIgvVehI+?=
 =?us-ascii?Q?VAernDrPtKlNwetj1j4i5xHvLfpbbosACEBssi9NEmbXIrGohTXqDoA6XAGj?=
 =?us-ascii?Q?FKgRuhjw16xk1vflDSbKnUnWi6r+TALn2m5qzkN2EpyF659gXghVCrOcMAu7?=
 =?us-ascii?Q?pInVyp7ffp2Z+zCbzIc2rNi0mXhsR597A3i2r7pYpNgQ+nC0V5lEEumHEVnn?=
 =?us-ascii?Q?eUj1cygkasFaKCw/75yU1tNRNzr1+A5/Secnq3qcyvHQWjhcUlr/cthhXXoQ?=
 =?us-ascii?Q?FEnnjafxGJHVe1HdUja8cnb9lTk1Y3tjsDZjJeQZDkGUSM/Zg0Z/97/EFbt1?=
 =?us-ascii?Q?fxnalcVzZvdEk6LGvoJpHhO/d++ju02VBS1fwUzABJ/nOeZ+Y72veDmRCp2i?=
 =?us-ascii?Q?LMOjlOC9ESmHkvkrxIJQNDhHwlKW9Hsk6nMPKnuhuD0R991/K7QjCkBmo7t2?=
 =?us-ascii?Q?na0qCeIxwFYHgF3Ue71uoCF4Uk17Mzi6C1dg8INGC2yeXj6GusFEz4j3R0iW?=
 =?us-ascii?Q?+ig1s/7eA9umYTTHr8lyyRk+2jmlDVGXy1Bz0cPCxhY0ukV3uYA0AULDLiSe?=
 =?us-ascii?Q?6J6G4638BgVYEqekk3vqH8mpjoykz7FRV+HjlJ49nWJ5hiU90voL05FetJ+D?=
 =?us-ascii?Q?WoShiKO3Lqspdt/r4Bo3U8cghtkYmLqiZYghFMm7UYWq/UwIMWtyJ5hG/KUU?=
 =?us-ascii?Q?PK9FgK9zFx2Z8Kwr+WaPuJSs39hvQr6ALHo58iwvLkhmvTBw0s1mVqrqnLnE?=
 =?us-ascii?Q?OSP6LDmRJ+hafPtbyg+1UT8+GStlp9Do94gLpetQZVkrh361YMIrHVoUZvGj?=
 =?us-ascii?Q?qOCAe2S/4mxZR9fb6vseiwrMs72qUvLDoyUnz2A1QILEPFzDq6M2UABQ/sB8?=
 =?us-ascii?Q?DgGd8gUFJ5i76DH8kR2PlW2C8S1CBrhW/qVc9msfs4Fypw/lQpAauFZS4zdM?=
 =?us-ascii?Q?QEihvIAbAhq8jGt/jIxP1pCJ3HxjcpoIiLz5fkuPGjKBiG2iGb7LSF1tqTFl?=
 =?us-ascii?Q?63IDIyrJd7D8P5djnllojvbV7o2RtJM3wWM2z6Kc1UytF6zD/jvygKv2kHst?=
 =?us-ascii?Q?KhUVXvMvo5dNITgnlQe+M2rW2zjZ2OWbjAWDZ7bhWOg/PTn46uTpd/vwQdcv?=
 =?us-ascii?Q?KdvPecFI2qBYtKJaSfU/aZ/lQeJFh2DpsVJfaZpnUrrchVHnnAytCJtCDVr5?=
 =?us-ascii?Q?vVWbsw=3D=3D?=
X-OriginatorOrg: corigine.com
X-MS-Exchange-CrossTenant-Network-Message-Id: febe403b-101b-43d4-acb8-08db8d0339ca
X-MS-Exchange-CrossTenant-AuthSource: PH0PR13MB4842.namprd13.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 Jul 2023 11:35:19.8799
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: fe128f2c-073b-4c20-818e-7246a585940c
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: fHXwYal1bPWVVHO43VwkkJfQz7r4/5rCnxY8/DerYLMjX0vxj6OsCB892pRK4GaNuoVWLSOITd9Rdpmdt8/dh0kWnZMPXuwfqDLfzAVAZnk=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH8PR13MB6184
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 23, 2023 at 03:41:10PM +0800, Lin Ma wrote:
> The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
> message to user space") added one additional attribute named
> XFRMA_MTIMER_THRESH and described its type at compat_policy
> (net/xfrm/xfrm_compat.c).
> 
> However, the author forgot to also describe the nla_policy at
> xfrma_policy (net/xfrm/xfrm_user.c). Hence, this suppose NLA_U32 (4
> bytes) value can be faked as empty (0 bytes) by a malicious user, which
> leads to 4 bytes overflow read and heap information leak when parsing
> nlattrs.
> 
> To exploit this, one malicious user can spray the SLUB objects and then
> leverage this 4 bytes OOB read to leak the heap data into
> x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
> userspace via copy_to_user_state_extra(...).
> 
> The above bug is assigned CVE-2023-3773. To fix it, this commit just 
> completes the nla_policy description for XFRMA_MTIMER_THRESH, which 
> enforces the length check and avoids such OOB read.
> 
> Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
> Signed-off-by: Lin Ma <linma@zju.edu.cn>

Reviewed-by: Simon Horman <simon.horman@corigine.com>