| Message ID | 20200721132358.966099-1-salyzyn@android.com |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | David Miller |
| Headers | show |
| Series | af_key: pfkey_dump needs parameter validation | expand |
On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote: > In pfkey_dump() dplen and splen can both be specified to access the > xfrm_address_t structure out of bounds in__xfrm_state_filter_match() > when it calls addr_match() with the indexes. Return EINVAL if either > are out of range. > > Signed-off-by: Mark Salyzyn <salyzyn@android.com> > Cc: netdev@vger.kernel.org > Cc: linux-kernel@vger.kernel.org > Cc: kernel-team@android.com > --- > Should be back ported to the stable queues because this is a out of > bounds access. Please do a v2 and add a proper 'Fixes' tag if this is a fix that needs to be backported. Thanks!
On 7/22/20 2:33 AM, Steffen Klassert wrote: > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote: >> In pfkey_dump() dplen and splen can both be specified to access the >> xfrm_address_t structure out of bounds in__xfrm_state_filter_match() >> when it calls addr_match() with the indexes. Return EINVAL if either >> are out of range. >> >> Signed-off-by: Mark Salyzyn <salyzyn@android.com> >> Cc: netdev@vger.kernel.org >> Cc: linux-kernel@vger.kernel.org >> Cc: kernel-team@android.com >> --- >> Should be back ported to the stable queues because this is a out of >> bounds access. > Please do a v2 and add a proper 'Fixes' tag if this is a fix that > needs to be backported. > > Thanks! Confused because this code was never right? From 2008 there was a rewrite that instantiated this fragment of code so that it could handle continuations for overloaded receive queues, but it was not right before the adjustment. Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP entries non-atomically") that is reaching back more than 12 years and the blame is poorly aimed AFAIK. Sincerely -- Mark Salyzyn
On Wed, Jul 22, 2020 at 03:20:59AM -0700, Mark Salyzyn wrote: > On 7/22/20 2:33 AM, Steffen Klassert wrote: > > On Tue, Jul 21, 2020 at 06:23:54AM -0700, Mark Salyzyn wrote: > > > In pfkey_dump() dplen and splen can both be specified to access the > > > xfrm_address_t structure out of bounds in__xfrm_state_filter_match() > > > when it calls addr_match() with the indexes. Return EINVAL if either > > > are out of range. > > > > > > Signed-off-by: Mark Salyzyn <salyzyn@android.com> > > > Cc: netdev@vger.kernel.org > > > Cc: linux-kernel@vger.kernel.org > > > Cc: kernel-team@android.com > > > --- > > > Should be back ported to the stable queues because this is a out of > > > bounds access. > > Please do a v2 and add a proper 'Fixes' tag if this is a fix that > > needs to be backported. > > > > Thanks! > > Confused because this code was never right? From 2008 there was a rewrite > that instantiated this fragment of code so that it could handle > continuations for overloaded receive queues, but it was not right before the > adjustment. > > Fixes: 83321d6b9872b94604e481a79dc2c8acbe4ece31 ("[AF_KEY]: Dump SA/SP > entries non-atomically") > > that is reaching back more than 12 years and the blame is poorly aimed > AFAIK. This is just that the stable team knows how far they need to backport it. If this was never right, then the initial git commit is the right one for the fixes tag e.g. 'Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")'
diff --git a/net/key/af_key.c b/net/key/af_key.c index b67ed3a8486c..dd2a684879de 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1849,6 +1849,13 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms if (ext_hdrs[SADB_X_EXT_FILTER - 1]) { struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1]; + if ((xfilter->sadb_x_filter_splen >= + (sizeof(xfrm_address_t) << 3)) || + (xfilter->sadb_x_filter_dplen >= + (sizeof(xfrm_address_t) << 3))) { + mutex_unlock(&pfk->dump_lock); + return -EINVAL; + } filter = kmalloc(sizeof(*filter), GFP_KERNEL); if (filter == NULL) { mutex_unlock(&pfk->dump_lock);
In pfkey_dump() dplen and splen can both be specified to access the xfrm_address_t structure out of bounds in__xfrm_state_filter_match() when it calls addr_match() with the indexes. Return EINVAL if either are out of range. Signed-off-by: Mark Salyzyn <salyzyn@android.com> Cc: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: kernel-team@android.com --- Should be back ported to the stable queues because this is a out of bounds access. net/key/af_key.c | 7 +++++++ 1 file changed, 7 insertions(+)