Message ID | 20190228031623.22184-1-yuehaibing@huawei.com |
---|---|
State | Awaiting Upstream |
Delegated to: | David Miller |
Headers | show |
Series | xfrm: policy: Fix possible user after free in __xfrm_policy_unlink | expand |
On Thu, Feb 28, 2019 at 11:16:23AM +0800, Yue Haibing wrote: > > diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c > index 8d1a898..b27eb742 100644 > --- a/net/xfrm/xfrm_policy.c > +++ b/net/xfrm/xfrm_policy.c > @@ -316,6 +316,8 @@ static void xfrm_policy_timer(struct timer_list *t) > goto out; > > dir = xfrm_policy_id2dir(xp->index); > + if (dir >= XFRM_POLICY_MAX * 2) > + dir = dir & XFRM_POLICY_MAX; This is still wrong. We shouldn't be allowing bogus policies to be in the system at all. I have digged deeper and the problem was introduced by: commit e682adf021be796940be6cc10c07be7f7398c220 Author: Fan Du <fan.du@windriver.com> Date: Thu Nov 7 17:47:48 2013 +0800 xfrm: Try to honor policy index if it's supplied by user Where the check for the user-supplied index is simply wrong in verify_newpolicy_info. So please fix it there. Thanks!
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 8d1a898..b27eb742 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c @@ -316,6 +316,8 @@ static void xfrm_policy_timer(struct timer_list *t) goto out; dir = xfrm_policy_id2dir(xp->index); + if (dir >= XFRM_POLICY_MAX * 2) + dir = dir & XFRM_POLICY_MAX; if (xp->lft.hard_add_expires_seconds) { time64_t tmo = xp->lft.hard_add_expires_seconds +