From patchwork Sat Dec 30 00:15:23 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 854025
X-Patchwork-Delegate: davem@davemloft.net
From: Eric Biggers
To: netdev@vger.kernel.org, Steffen Klassert, Herbert Xu, "David S . Miller"
Cc: Alexander Potapenko, Dmitry Vyukov, Kostya Serebryany, syzkaller, Eric Biggers, stable@vger.kernel.org
Subject: [PATCH] af_key: fix buffer overread in parse_exthdrs()
Date: Fri, 29 Dec 2017 18:15:23 -0600
Message-Id: <20171230001523.15761-1-ebiggers3@gmail.com>
X-Mailer: git-send-email 2.15.1
X-Mailing-List: netdev@vger.kernel.org
From: Eric Biggers

If a message sent to a PF_KEY socket ended with an incomplete extension
header (fewer than 4 bytes remaining), then parse_exthdrs() read past the
end of the message, into uninitialized memory.  Fix it by returning
-EINVAL in this case.

Reproducer:

    #include <linux/pfkeyv2.h>   /* PF_KEY_V2, SADB_DELETE, struct sadb_msg */
    #include <sys/socket.h>
    #include <unistd.h>

    int main()
    {
        int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2);
        /* 17 bytes: the 16-byte sadb_msg header (sadb_msg_len counts
         * 8-byte units) plus one stray byte, shorter than the 4-byte
         * extension header parse_exthdrs() goes on to read. */
        char buf[17] = { 0 };
        struct sadb_msg *msg = (void *)buf;

        msg->sadb_msg_version = PF_KEY_V2;
        msg->sadb_msg_type = SADB_DELETE;
        msg->sadb_msg_len = 2;
        write(sock, buf, 17);
    }

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers
---
 net/key/af_key.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/key/af_key.c b/net/key/af_key.c index 596499cc8b2f..d40861a048fe 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -516,6 +516,9 @@ static int parse_exthdrs(struct sk_buff *skb, const struct sadb_msg *hdr, void * uint16_t ext_type; int ext_len; + if (len < sizeof(*ehdr)) + return -EINVAL; + ext_len = ehdr->sadb_ext_len; ext_len *= sizeof(uint64_t); ext_type = ehdr->sadb_ext_type;
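Review bot: the new `if (len < sizeof(*ehdr))` test sits in the right place, before the context lines that read `ehdr->sadb_ext_len` and `ehdr->sadb_ext_type`, but the commit message is tagged Cc: stable without a Fixes: tag naming the commit that introduced the unchecked read; stable maintainers use that tag to pick the backport targets, so please add one. A one-line comment above the check saying that `sizeof(*ehdr)` is the 4-byte extension header the commit message refers to, and that a shorter remainder is the overread case, would make the intent clear to the next reader without having to consult the changelog.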
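The bounds check the patch adds, modelled in user space as an added example: this is not kernel code and not the author's reproducer. `struct ext_hdr` mirrors the 4-byte `struct sadb_ext` layout (16-bit length in 8-byte units, then 16-bit type), `MSG_HDR_LEN` assumes the 16-byte `struct sadb_msg`, and the function names `walk_exthdrs`, `parse_message` and the `case_*` helpers are mine. The other checks inside the loop (extension at least 8 bytes, fits in the remainder, type not 0) are my model of the code around the hunk, which the diff does not show; the constructed buffers include the reproducer's shape of a 16-byte header followed by one stray byte.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the PF_KEY v2 extension header, not the kernel struct. */
struct ext_hdr {
	uint16_t len;	/* sadb_ext_len: extension size in uint64_t units */
	uint16_t type;	/* sadb_ext_type: 0 (SADB_EXT_RESERVED) is never valid */
};

#define MSG_HDR_LEN 16	/* assumed sizeof(struct sadb_msg) */

/*
 * Walk the extension list that follows the message header.
 * Returns the number of extensions, or -EINVAL if the list is malformed.
 */
int walk_exthdrs(const uint8_t *p, size_t len)
{
	int count = 0;

	while (len > 0) {
		struct ext_hdr eh;
		size_t ext_len;

		/* The patch's check: with 1..3 bytes left, reading the 4-byte
		 * header would run past the end of the message. */
		if (len < sizeof(eh))
			return -EINVAL;
		memcpy(&eh, p, sizeof(eh));

		ext_len = (size_t)eh.len * sizeof(uint64_t);
		/* Model of the surrounding checks: an extension must hold its
		 * own header and must fit in what is left of the message. */
		if (ext_len < sizeof(uint64_t) || ext_len > len || eh.type == 0)
			return -EINVAL;

		count++;
		p += ext_len;
		len -= ext_len;
	}
	return count;
}

/* Parse a whole message buffer: fixed header first, then the extensions. */
int parse_message(const uint8_t *buf, size_t buflen)
{
	if (buflen < MSG_HDR_LEN)
		return -EINVAL;
	return walk_exthdrs(buf + MSG_HDR_LEN, buflen - MSG_HDR_LEN);
}

/* Write one constructed extension header at out[*off] and advance *off. */
static void put_ext(uint8_t *out, size_t *off, uint16_t len_units, uint16_t type)
{
	struct ext_hdr eh = { len_units, type };

	memcpy(out + *off, &eh, sizeof(eh));
	*off += (size_t)len_units * sizeof(uint64_t);
}

/* Constructed case: the reproducer's shape, a zeroed 16-byte header followed
 * by `stray` trailing bytes (1 in the commit message's 17-byte write). */
int case_trailing_bytes(size_t stray)
{
	uint8_t buf[MSG_HDR_LEN + 8] = { 0 };

	if (stray > 8)
		return -E2BIG;
	return parse_message(buf, MSG_HDR_LEN + stray);
}

/* Constructed case: header plus two well-formed extensions of 8 and 16 bytes. */
int case_well_formed(void)
{
	uint8_t buf[MSG_HDR_LEN + 24] = { 0 };
	size_t off = MSG_HDR_LEN;

	put_ext(buf, &off, 1, 1);
	put_ext(buf, &off, 2, 2);
	return parse_message(buf, off);
}

/* Constructed case: an extension whose declared length exceeds the message. */
int case_overlong_extension(void)
{
	uint8_t buf[MSG_HDR_LEN + 8] = { 0 };
	size_t off = MSG_HDR_LEN;

	put_ext(buf, &off, 3, 1);	/* claims 24 bytes, only 8 are present */
	return parse_message(buf, MSG_HDR_LEN + 8);
}

int main(void)
{
	printf("reproducer shape (17 bytes): %d\n", case_trailing_bytes(1));
	printf("well formed: %d extensions\n", case_well_formed());
	printf("overlong extension: %d\n", case_overlong_extension());
	return 0;
}
```

The walker copies the header out with `memcpy` only after confirming four bytes remain, which is the single ordering the patch enforces; everything after that line is reached only with a complete header in hand.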