From patchwork Tue Sep 20 20:05:13 2022
X-Patchwork-Submitter: Cengiz Can
X-Patchwork-Id: 1680205
From: Cengiz Can
To: kernel-team@lists.ubuntu.com
Subject: [SRU Bionic] af_key: Do not call xfrm_probe_algs in parallel
Date: Tue, 20 Sep 2022 23:05:13 +0300
Message-Id: <20220920200515.132111-2-cengiz.can@canonical.com>
In-Reply-To: <20220920200515.132111-1-cengiz.can@canonical.com>
References: <20220920200515.132111-1-cengiz.can@canonical.com>

From: Herbert Xu

When namespace support was added to xfrm/afkey, it caused the
previously single-threaded call to xfrm_probe_algs to become
multi-threaded. This is buggy and needs to be fixed with a mutex.

Reported-by: Abhishek Shah
Fixes: 283bc9f35bbb ("xfrm: Namespacify xfrm state/policy locks")
Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert

CVE-2022-3028

(cherry picked from commit ba953a9d89a00c078b85f4b190bc1dde66fe16b5)
Signed-off-by: Cengiz Can

--- net/key/af_key.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/key/af_key.c b/net/key/af_key.c index f754f53527b21..29274f9b702ad 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -1707,9 +1707,12 @@ static int pfkey_register(struct sock *sk, struct sk_buff *skb, const struct sad pfk->registered |= (1<sadb_msg_satype); } + mutex_lock(&pfkey_mutex); xfrm_probe_algs(); supp_skb = compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO); + mutex_unlock(&pfkey_mutex); + if (!supp_skb) { if (hdr->sadb_msg_satype != SADB_SATYPE_UNSPEC) pfk->registered &= ~(1<sadb_msg_satype);
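
Review bot: the critical section in pfkey_register() covers compose_sadb_supported(hdr, GFP_KERNEL | __GFP_ZERO) as well as xfrm_probe_algs(), but the commit message justifies the lock only for xfrm_probe_algs. If the reply has to be built from the same algorithm state that the probe just updated, say so in a one-line comment above mutex_lock(&pfkey_mutex), so that a later cleanup does not narrow the lock to the probe call alone. The diffstat shows only these 3 insertions, so pfkey_mutex has to exist already in the Bionic net/key/af_key.c, declared before this function. Since a GFP_KERNEL allocation now runs while it is held, it must be a sleeping lock that is never taken from atomic context. Please confirm both against the Bionic tree, with a build of this file, before applying the cherry-pick.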