Date: Wed, 26 Jul 2023 14:55:00 +0300
From: Leon Romanovsky
To: Lin Ma
Cc: steffen.klassert@secunet.com, herbert@gondor.apana.org.au, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v1] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
Message-ID: <20230726115500.GV11388@unreal>
References: <20230723074110.3705047-1-linma@zju.edu.cn>
In-Reply-To: <20230723074110.3705047-1-linma@zju.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Jul 23, 2023 at 03:41:10PM +0800, Lin Ma wrote:
> The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change
> message to user space") added one additional attribute named
> XFRMA_MTIMER_THRESH and described its type at compat_policy
> (net/xfrm/xfrm_compat.c).
>
> However, the author forgot to also describe the nla_policy at
> xfrma_policy (net/xfrm/xfrm_user.c). Hence, this supposed NLA_U32 (4
> bytes) value can be faked as empty (0 bytes) by a malicious user, which
> leads to a 4-byte overflow read and heap information leak when parsing
> nlattrs.
>
> To exploit this, one malicious user can spray the SLUB objects and then
> leverage this 4-byte OOB read to leak the heap data into
> x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to
> userspace via copy_to_user_state_extra(...).
>
> The above bug is assigned CVE-2023-3773.

This CVE is a joke; you need to be root to execute this attack.

Anyway, change is ok.

Reviewed-by: Leon Romanovsky
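The missing-policy defect described in the quoted commit message, as an added example that is not code from the patch or from the kernel: a small user-space model of the length check that an nla_policy entry switches on. Every name ending in _model is invented for this model; the two tables stand for xfrma_policy without and with an entry for the threshold attribute, which the commit message identifies as NLA_U32.

```c
/* Added example, not code from the patch or the kernel: a user-space model of how an
 * nla_policy entry gates attribute length. Names ending in _model are invented here. */
#include <stddef.h>
#include <stdint.h>

#define NLA_HDRLEN_MODEL 4  /* sizeof(struct nlattr): u16 nla_len + u16 nla_type */
enum { NLA_UNSPEC_MODEL = 0, NLA_U32_MODEL = 1 };
enum { ATTR_OTHER_MODEL = 1, ATTR_MTIMER_THRESH_MODEL = 2, ATTR_MAX_MODEL = 2 };
struct nlattr_model { uint16_t nla_len; uint16_t nla_type; }; /* nla_len = header + payload */
struct nla_policy_model { int type; };

/* Before the fix: no entry for the threshold attribute, so it is implicitly NLA_UNSPEC
 * and no minimum payload length is enforced for it. */
static const struct nla_policy_model policy_before_model[ATTR_MAX_MODEL + 1] = {
    [ATTR_OTHER_MODEL]         = { .type = NLA_U32_MODEL },
};
/* After the fix: the attribute is declared NLA_U32, as the patch title says. */
static const struct nla_policy_model policy_after_model[ATTR_MAX_MODEL + 1] = {
    [ATTR_OTHER_MODEL]         = { .type = NLA_U32_MODEL },
    [ATTR_MTIMER_THRESH_MODEL] = { .type = NLA_U32_MODEL },
};

/* Mirrors the minimum-length check in the kernel's validate_nla(): NLA_U32 needs at least
 * sizeof(u32) payload bytes; NLA_UNSPEC with no .len accepts any length. Unknown types are
 * rejected here for simplicity. Returns 0 when accepted, -1 (think -EINVAL) when rejected. */
int validate_attr_model(const struct nlattr_model *nla,
                        const struct nla_policy_model *policy, int maxtype)
{
    if (nla->nla_type > maxtype || nla->nla_len < NLA_HDRLEN_MODEL)
        return -1;
    size_t payload = nla->nla_len - NLA_HDRLEN_MODEL;
    if (policy[nla->nla_type].type == NLA_U32_MODEL && payload < sizeof(uint32_t))
        return -1;
    return 0;
}

/* Does a threshold attribute carrying payload_len bytes reach the consumer? The consumer
 * (xfrm_update_ae_params() via nla_get_u32()) reads four bytes after the header
 * unconditionally, so accepting a 0-byte payload is the 4-byte over-read described above.
 * Returns 1 when the attribute passes validation, 0 when it is rejected. */
int threshold_accepted_model(const struct nla_policy_model *policy, uint16_t payload_len)
{
    struct nlattr_model nla = { .nla_len = NLA_HDRLEN_MODEL + payload_len,
                                .nla_type = ATTR_MTIMER_THRESH_MODEL };
    return validate_attr_model(&nla, policy, ATTR_MAX_MODEL) == 0;
}
```

With the pre-fix table an empty threshold attribute is accepted and the consumer's four-byte read runs past it; with the post-fix table the same message is rejected at parse time, before any consumer runs.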