From patchwork Sat Dec 30 00:13:05 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 854024
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Biggers
To: netdev@vger.kernel.org, Steffen Klassert, Herbert Xu, "David S . Miller"
Cc: Alexander Potapenko, Dmitry Vyukov, Kostya Serebryany, syzkaller, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH] af_key: fix buffer overread in verify_address_len()
Date: Fri, 29 Dec 2017 18:13:05 -0600
Message-Id: <20171230001305.15553-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.15.1
X-Mailing-List: netdev@vger.kernel.org
From: Eric Biggers

If a message sent to a PF_KEY socket ended with one of the extensions
that takes a 'struct sadb_address' but there were not enough bytes
remaining in the message for the ->sa_family member of the 'struct
sockaddr' which is supposed to follow, then verify_address_len() read
past the end of the message, into uninitialized memory.  Fix it by
returning -EINVAL in this case.

This bug was found using syzkaller with KMSAN.

Reproducer:

	#include <linux/pfkeyv2.h>
	#include <sys/socket.h>
	#include <unistd.h>

	int main()
	{
		int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
		/* 24 bytes = 3 x 64-bit words: sadb_msg header plus one
		 * one-word address extension, with no sockaddr after it */
		char buf[24] = { 0 };
		struct sadb_msg *msg = (void *)buf;
		struct sadb_address *addr = (void *)(msg + 1);

		msg->sadb_msg_version = PF_KEY_V2;
		msg->sadb_msg_type = SADB_DELETE;
		msg->sadb_msg_len = 3;
		addr->sadb_address_len = 1;
		addr->sadb_address_exttype = SADB_EXT_ADDRESS_SRC;

		write(sock, buf, 24);
	}

Reported-by: Alexander Potapenko
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers
---
 net/key/af_key.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 3dffb892d52c..596499cc8b2f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -401,6 +401,11 @@ static int verify_address_len(const void *p)
 #endif
 	int len;
 
+	if (sp->sadb_address_len <
+	    DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family),
+			 sizeof(uint64_t)))
+		return -EINVAL;
+
 	switch (addr->sa_family) {
 	case AF_INET:
 		len = DIV_ROUND_UP(sizeof(*sp) + sizeof(*sin), sizeof(uint64_t));
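Review bot: the new guard in front of `switch (addr->sa_family)` deserves a one-line comment stating what the bound means, because `DIV_ROUND_UP(sizeof(*sp) + offsetofend(typeof(*addr), sa_family), sizeof(uint64_t))` is not obvious at a glance: it is the smallest sadb_address_len that still places the sa_family field inside the extension, and the switch dereferences that field before any of the per-family length comparisons run. The logic itself looks right: it rejects exactly the reproducer's case (sadb_address_len == 1) and leaves every well-formed extension, which is at least two words long anyway, unaffected. Since the patch is Cc'd to stable, a Fixes: tag in the trailers would make the backport target explicit.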
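As an added illustration, not code from the patch or from the kernel: a user-space model of the check the hunk introduces, with the RFC 2367 sadb_address layout declared locally, the kernel's offsetofend() replaced by a local macro, an 'avail' parameter standing in for the caller's check that the extension fits in the remaining message, and AF_INET6 left out. It is exercised on the reproducer's one-word extension and on a well-formed AF_INET one.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <sys/socket.h>
/* PF_KEY v2 address extension header (RFC 2367), declared locally so this
 * builds without <linux/pfkeyv2.h>; sadb_address_len counts 64-bit words. */
struct sadb_address {
	uint16_t sadb_address_len, sadb_address_exttype;
	uint8_t  sadb_address_proto, sadb_address_prefixlen;
	uint16_t sadb_address_reserved;
};
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))
#define OFFSETOFEND(T, m)  (offsetof(T, m) + sizeof(((T *)0)->m))
/* User-space model of the patched check; 'avail' stands in for the caller's
 * earlier test that the whole extension fits in the remaining message bytes. */
int verify_address_len_model(const void *p, size_t avail)
{
	const struct sadb_address *sp = p;
	const struct sockaddr *addr = (const struct sockaddr *)(sp + 1);
	if (avail < sizeof(*sp) || (size_t)sp->sadb_address_len * 8 > avail)
		return -EINVAL;
	/* The fix: the extension must reach past sa_family before it is read. */
	if (sp->sadb_address_len < DIV_ROUND_UP(sizeof(*sp) +
	    OFFSETOFEND(struct sockaddr, sa_family), sizeof(uint64_t)))
		return -EINVAL;
	switch (addr->sa_family) {
	case AF_INET:	/* AF_INET6 omitted to keep the example short */
		if (sp->sadb_address_len != DIV_ROUND_UP(sizeof(*sp) +
		    sizeof(struct sockaddr_in), sizeof(uint64_t)) ||
		    sp->sadb_address_prefixlen > 32)
			return -EINVAL;
		return 0;
	default: return -EINVAL;
	}
}

/* Constructed input: a well-formed 3-word AF_INET extension (8 + 16 bytes) or,
 * with repro set, the reproducer's one-word header with the message ending right
 * after it (avail = 8), so any read of sa_family would be out of bounds. */
int check_extension(int repro)
{
	uint64_t ext[3] = { 0 };	/* 64-bit storage keeps the casts aligned */
	struct sadb_address *a = (void *)ext;
	struct sockaddr_in *sin = (void *)(a + 1);
	a->sadb_address_len = repro ? 1 : 3;
	a->sadb_address_exttype = 5;	/* SADB_EXT_ADDRESS_SRC */
	a->sadb_address_prefixlen = 32;
	sin->sin_family = AF_INET;
	return verify_address_len_model(a, repro ? 8 : sizeof(ext));	/* -EINVAL : 0 */
}
```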