From patchwork Fri Jan 5 11:27:15 2024
X-Patchwork-Submitter: Tony Duan
X-Patchwork-Id: 1882837
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 1/6] net: af_key: fix sadb_x_filter validation
Date: Fri, 5 Jan 2024 05:27:15 -0600
Message-ID: <1704454040-11017-2-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
X-BeenThere: kernel-team@lists.ubuntu.com
List-Id: Kernel team discussions
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

When running xfrm_state_walk_init(), the xfrm_address_filter being used is okay to have a splen/dplen that equals sizeof(xfrm_address_t)<<3. This commit replaces >= with > to make sure the boundary checking is correct.

Fixes: 37bd22420f85 ("af_key: pfkey_dump needs parameter validation")
Signed-off-by: Lin Ma
Signed-off-by: Steffen Klassert
(cherry picked from commit 75065a8929069bc93181848818e23f147a73f83a)
Signed-off-by: Tony Duan
--- net/key/af_key.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/key/af_key.c b/net/key/af_key.c index 7e45d7e..e62f1b9 100644 --- a/net/key/af_key.c +++ b/net/key/af_key.c
@@ -1848,9 +1848,9 @@ static int pfkey_dump(struct sock *sk, struct sk_buff *skb, const struct sadb_ms if (ext_hdrs[SADB_X_EXT_FILTER - 1]) { struct sadb_x_filter *xfilter = ext_hdrs[SADB_X_EXT_FILTER - 1]; - if ((xfilter->sadb_x_filter_splen >= + if ((xfilter->sadb_x_filter_splen > (sizeof(xfrm_address_t) << 3)) || - (xfilter->sadb_x_filter_dplen >= + (xfilter->sadb_x_filter_dplen > (sizeof(xfrm_address_t) << 3))) { mutex_unlock(&pfk->dump_lock); return -EINVAL;
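Review bot: the bound `sizeof(xfrm_address_t) << 3` is open-coded in both the `sadb_x_filter_splen` and `sadb_x_filter_dplen` comparisons, with nothing saying that it is an inclusive maximum. A short comment above the `if` (or a named local holding the value) stating that a prefix length equal to the full address width in bits is valid would keep a later cleanup from turning `>` back into `>=`.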
From patchwork Fri Jan 5 11:27:16 2024
X-Patchwork-Submitter: Tony Duan
X-Patchwork-Id: 1882839
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 2/6] net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure
Date: Fri, 5 Jan 2024 05:27:16 -0600
Message-ID: <1704454040-11017-3-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

According to all consumers code of attrs[XFRMA_SEC_CTX], like

* verify_sec_ctx_len(), convert to xfrm_user_sec_ctx*
* xfrm_state_construct(), call security_xfrm_state_alloc whose prototype is int security_xfrm_state_alloc(.., struct xfrm_user_sec_ctx *sec_ctx);
* copy_from_user_sec_ctx(), convert to xfrm_user_sec_ctx *
...

It seems that the expected parsing result for XFRMA_SEC_CTX should be structure xfrm_user_sec_ctx, and the current xfrm_sec_ctx is confusing and misleading (Luckily, they happen to have same size 8 bytes).

This commit amends the policy structure to xfrm_user_sec_ctx to avoid ambiguity.

Fixes: cf5cb79f6946 ("[XFRM] netlink: Establish an attribute policy")
Signed-off-by: Lin Ma
Signed-off-by: Steffen Klassert
(cherry picked from commit d1e0e61d617ba17aa516db707aa871387566bbf7)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_compat.c | 2 +- net/xfrm/xfrm_user.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xfrm/xfrm_compat.c b/net/xfrm/xfrm_compat.c index 8cbf45a..655fe4f 100644 --- a/net/xfrm/xfrm_compat.c +++ b/net/xfrm/xfrm_compat.c
@@ -108,7 +108,7 @@ struct compat_xfrm_user_polexpire { [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, - [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, + [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 }, diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 58abcdd..2b9f760 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c 
@@ -2864,7 +2864,7 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, [XFRMA_ALG_COMP] = { .len = sizeof(struct xfrm_algo) }, [XFRMA_ENCAP] = { .len = sizeof(struct xfrm_encap_tmpl) }, [XFRMA_TMPL] = { .len = sizeof(struct xfrm_user_tmpl) }, - [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_sec_ctx) }, + [XFRMA_SEC_CTX] = { .len = sizeof(struct xfrm_user_sec_ctx) }, [XFRMA_LTIME_VAL] = { .len = sizeof(struct xfrm_lifetime_cur) }, [XFRMA_REPLAY_VAL] = { .len = sizeof(struct xfrm_replay_state) }, [XFRMA_REPLAY_THRESH] = { .type = NLA_U32 },
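Review bot: the `[XFRMA_SEC_CTX]` line is changed identically in net/xfrm/xfrm_compat.c and net/xfrm/xfrm_user.c, and the neighbouring entries in the two hunks are verbatim copies of each other, so the two tables have to be kept in sync by hand. A comment on the compat table pointing at the one in xfrm_user.c would make that coupling visible. Since the commit message says the old and new structures are both 8 bytes, it would also help the SRU review to state explicitly that no runtime change is expected.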
From patchwork Fri Jan 5 11:27:17 2024
X-Patchwork-Submitter: Tony Duan
X-Patchwork-Id: 1882836
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 3/6] xfrm: Remove inner/outer modes from input path
Date: Fri, 5 Jan 2024 05:27:17 -0600
Message-ID: <1704454040-11017-4-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Herbert Xu

BugLink: https://bugs.launchpad.net/bugs/2044427

The inner/outer modes were added to abstract out common code that was once duplicated between IPv4 and IPv6. As time went on the abstractions have been removed and we are now left with empty shells that only contain duplicate information. These can be removed one-by-one as the same information is already present elsewhere in the xfrm_state object.

Removing them from the input path actually allows certain valid combinations that are currently disallowed. In particular, when a transport mode SA sits beneath a tunnel mode SA that changes address families, at present the transport mode SA cannot have AF_UNSPEC as its selector because it will erroneously be treated as inter-family itself even though it simply sits beneath one.

This is a serious problem because you can't set the selector to non-AF_UNSPEC either as that will cause the selector match to fail as we always match selectors to the inner-most traffic.

Signed-off-by: Herbert Xu
Signed-off-by: Steffen Klassert
(cherry picked from commit 5f24f41e8ea62a6a9095f9bbafb8b3aebe265c68)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_input.c | 66 ++++++++++++++++++--------------------------------- 1 file changed, 23 insertions(+), 43 deletions(-) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index a686183..33c15fb2 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c
@@ -231,9 +231,6 @@ static int xfrm4_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) { int err = -EINVAL; - if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP) - goto out; - if (!pskb_may_pull(skb, sizeof(struct iphdr))) goto out; @@ -269,8 +266,6 @@ static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) { int err = -EINVAL; - if (XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPV6) - goto out; if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) goto out; @@ -331,22 +326,26 @@ static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) */ static int xfrm_inner_mode_encap_remove(struct xfrm_state *x, - const struct xfrm_mode *inner_mode, struct sk_buff *skb) { - switch (inner_mode->encap) { + switch (x->props.mode) { case XFRM_MODE_BEET: - if (inner_mode->family == AF_INET) + switch (XFRM_MODE_SKB_CB(skb)->protocol) { + case IPPROTO_IPIP: + case IPPROTO_BEETPH: return xfrm4_remove_beet_encap(x, skb); - if (inner_mode->family == AF_INET6) + case IPPROTO_IPV6: return xfrm6_remove_beet_encap(x, skb); + } break; case XFRM_MODE_TUNNEL: - if (inner_mode->family == AF_INET) + switch (XFRM_MODE_SKB_CB(skb)->protocol) { + case IPPROTO_IPIP: return xfrm4_remove_tunnel_encap(x, skb); - if (inner_mode->family == AF_INET6) + case IPPROTO_IPV6: return xfrm6_remove_tunnel_encap(x, skb); break; + } } WARN_ON_ONCE(1); @@ -355,9 +354,7 @@ static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) { - const struct xfrm_mode *inner_mode = &x->inner_mode; - - switch (x->outer_mode.family) { + switch (x->props.family) { case AF_INET: xfrm4_extract_header(skb); break; 
@@ -369,17 +366,12 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) return -EAFNOSUPPORT; } - if (x->sel.family == AF_UNSPEC) { - inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol); - if (!inner_mode) - return -EAFNOSUPPORT; - } - - switch (inner_mode->family) { - case AF_INET: + switch (XFRM_MODE_SKB_CB(skb)->protocol) { + case IPPROTO_IPIP: + case IPPROTO_BEETPH: skb->protocol = htons(ETH_P_IP); break; - case AF_INET6: + case IPPROTO_IPV6: skb->protocol = htons(ETH_P_IPV6); break; default: @@ -387,7 +379,7 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) break; } - return xfrm_inner_mode_encap_remove(x, inner_mode, skb); + return xfrm_inner_mode_encap_remove(x, skb); } /* Remove encapsulation header. @@ -433,17 +425,16 @@ static int xfrm6_transport_input(struct xfrm_state *x, struct sk_buff *skb) } static int xfrm_inner_mode_input(struct xfrm_state *x, - const struct xfrm_mode *inner_mode, struct sk_buff *skb) { - switch (inner_mode->encap) { + switch (x->props.mode) { case XFRM_MODE_BEET: case XFRM_MODE_TUNNEL: return xfrm_prepare_input(x, skb); case XFRM_MODE_TRANSPORT: - if (inner_mode->family == AF_INET) + if (x->props.family == AF_INET) return xfrm4_transport_input(x, skb); - if (inner_mode->family == AF_INET6) + if (x->props.family == AF_INET6) return xfrm6_transport_input(x, skb); break; case XFRM_MODE_ROUTEOPTIMIZATION: @@ -461,7 +452,6 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) { const struct xfrm_state_afinfo *afinfo; struct net *net = dev_net(skb->dev); - const struct xfrm_mode *inner_mode; int err; __be32 seq; __be32 seq_hi; @@ -491,7 +481,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) goto drop; } - family = x->outer_mode.family; + family = x->props.family; /* An encap_type of -1 indicates async resumption. */ if (encap_type == -1) { 
@@ -675,17 +665,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) XFRM_MODE_SKB_CB(skb)->protocol = nexthdr; - inner_mode = &x->inner_mode; - - if (x->sel.family == AF_UNSPEC) { - inner_mode = xfrm_ip2inner_mode(x, XFRM_MODE_SKB_CB(skb)->protocol); - if (inner_mode == NULL) { - XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR); - goto drop; - } - } - - if (xfrm_inner_mode_input(x, inner_mode, skb)) { + if (xfrm_inner_mode_input(x, skb)) { XFRM_INC_STATS(net, LINUX_MIB_XFRMINSTATEMODEERROR); goto drop; } @@ -700,7 +680,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) * transport mode so the outer address is identical. */ daddr = &x->id.daddr; - family = x->outer_mode.family; + family = x->props.family; err = xfrm_parse_spi(skb, nexthdr, &spi, &seq); if (err < 0) { 
@@ -730,7 +710,7 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type) err = -EAFNOSUPPORT; rcu_read_lock(); - afinfo = xfrm_state_afinfo_get_rcu(x->inner_mode.family); + afinfo = xfrm_state_afinfo_get_rcu(x->props.family); if (likely(afinfo)) err = afinfo->transport_finish(skb, xfrm_gro || async); rcu_read_unlock();
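Review bot: removing the `XFRM_MODE_SKB_CB(skb)->protocol != IPPROTO_IPIP` test from `xfrm4_remove_tunnel_encap()` (hunk at -231, and the `IPPROTO_IPV6` twin in the hunk at -269) takes away the quiet `-EINVAL` exit for an unexpected inner protocol. The dispatch now lives in `xfrm_inner_mode_encap_remove()`, where a protocol value that matches no `case` falls out of the switch to `WARN_ON_ONCE(1)`, and that value is set from `nexthdr` in `xfrm_input()`. Please confirm that a received packet cannot reach the warning, or return an error for the unmatched case instead of warning.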
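Review bot: in the `XFRM_MODE_TUNNEL` arm of `xfrm_inner_mode_encap_remove()` (hunk at -331) the unchanged `break;` ends up inside the new inner `switch`, directly after `return xfrm6_remove_tunnel_encap(x, skb);` and before the added `}`, whereas the `XFRM_MODE_BEET` arm has its `break;` after the closing brace. It still works because this is the last arm of the outer switch, but the `break;` is unreachable where it sits; moving it below the `}` would match the BEET arm.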
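Review bot: in the hunk at -730, `x->props.family` replaces `x->inner_mode.family` in the `xfrm_state_afinfo_get_rcu()` call, while the two other substitutions in `xfrm_input()` replace `x->outer_mode.family` with the same field. A one-line comment saying why the inner and outer families coincide on the `transport_finish` path would save the reader from re-deriving it.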
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 4/6] xfrm: Silence warnings triggerable by bad packets
Date: Fri, 5 Jan 2024 05:27:18 -0600
Message-ID: <1704454040-11017-5-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Herbert Xu

BugLink: https://bugs.launchpad.net/bugs/2044427

After the elimination of inner modes, a couple of warnings that were previously unreachable can now be triggered by malformed inbound packets.

Fix this by:

1. Moving the setting of skb->protocol into the decap functions.
2. Returning -EINVAL when unexpected protocol is seen.

Reported-by: Maciej Żenczykowski
Fixes: 5f24f41e8ea6 ("xfrm: Remove inner/outer modes from input path")
Signed-off-by: Herbert Xu
Reviewed-by: Maciej Żenczykowski
Signed-off-by: Steffen Klassert
(cherry picked from commit 57010b8ece2821a1fdfdba2197d14a022f3769db)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_input.c | 22 +++++++++------------- 1 file changed, 9 insertions(+), 13 deletions(-) diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c index 33c15fb2..eda890d 100644 --- a/net/xfrm/xfrm_input.c +++ b/net/xfrm/xfrm_input.c @@ -179,6 +179,8 @@ static int xfrm4_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) int optlen = 0; int err = -EINVAL; + skb->protocol = htons(ETH_P_IP); + if (unlikely(XFRM_MODE_SKB_CB(skb)->protocol == IPPROTO_BEETPH)) { struct ip_beet_phdr *ph; int phlen; @@ -231,6 +233,8 @@ static int xfrm4_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) { int err = -EINVAL; + skb->protocol = htons(ETH_P_IP); + if (!pskb_may_pull(skb, sizeof(struct iphdr))) goto out;
@@ -266,6 +270,8 @@ static int xfrm6_remove_tunnel_encap(struct xfrm_state *x, struct sk_buff *skb) { int err = -EINVAL; + skb->protocol = htons(ETH_P_IPV6); + if (!pskb_may_pull(skb, sizeof(struct ipv6hdr))) goto out; @@ -295,6 +301,8 @@ static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) int size = sizeof(struct ipv6hdr); int err; + skb->protocol = htons(ETH_P_IPV6); + err = skb_cow_head(skb, size + skb->mac_len); if (err) goto out; @@ -346,6 +354,7 @@ static int xfrm6_remove_beet_encap(struct xfrm_state *x, struct sk_buff *skb) return xfrm6_remove_tunnel_encap(x, skb); break; } + return -EINVAL; } WARN_ON_ONCE(1); 
@@ -366,19 +375,6 @@ static int xfrm_prepare_input(struct xfrm_state *x, struct sk_buff *skb) return -EAFNOSUPPORT; } - switch (XFRM_MODE_SKB_CB(skb)->protocol) { - case IPPROTO_IPIP: - case IPPROTO_BEETPH: - skb->protocol = htons(ETH_P_IP); - break; - case IPPROTO_IPV6: - skb->protocol = htons(ETH_P_IPV6); - break; - default: - WARN_ON_ONCE(1); - break; - } - return xfrm_inner_mode_encap_remove(x, skb); }
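Review bot: the `return -EINVAL;` added in the @@ -346 hunk has no comment saying that this path is reachable from packet contents and therefore must not fall through to `WARN_ON_ONCE(1)`; a one-line comment would keep a later cleanup from folding it back into the warning. In the same hunk the `break;` that follows `return xfrm6_remove_tunnel_encap(x, skb);` is unreachable. The four `skb->protocol = htons(...)` assignments (@@ -179, -231, -266, -295) sit before the `pskb_may_pull()` and `skb_cow_head()` checks, so skb->protocol is rewritten even when decapsulation then fails; that is harmless only if every caller drops the skb on a non-zero return, which is worth confirming for this tree. With the switch removed in @@ -366, IPPROTO_BEETPH no longer has an explicit mapping to ETH_P_IP in xfrm_prepare_input(), so the BEET case now relies on xfrm4_remove_beet_encap() being the function that is reached.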
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 5/6] xfrm: add forgotten nla_policy for XFRMA_MTIMER_THRESH
Date: Fri, 5 Jan 2024 05:27:19 -0600
Message-ID: <1704454040-11017-6-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com

From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

The previous commit 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space") added one additional attribute named XFRMA_MTIMER_THRESH and described its type at compat_policy (net/xfrm/xfrm_compat.c).

However, the author forgot to also describe the nla_policy at xfrma_policy (net/xfrm/xfrm_user.c). Hence, this supposed NLA_U32 (4 bytes) value can be faked as empty (0 bytes) by a malicious user, which leads to 4 bytes overflow read and heap information leak when parsing nlattrs.

To exploit this, one malicious user can spray the SLUB objects and then leverage this 4 bytes OOB read to leak the heap data into x->mapping_maxage (see xfrm_update_ae_params(...)), and leak it to userspace via copy_to_user_state_extra(...).

The above bug is assigned CVE-2023-3773. To fix it, this commit just completes the nla_policy description for XFRMA_MTIMER_THRESH, which enforces the length check and avoids such OOB read.

Fixes: 4e484b3e969b ("xfrm: rate limit SA mapping change message to user space")
Signed-off-by: Lin Ma
Reviewed-by: Simon Horman
Reviewed-by: Leon Romanovsky
Signed-off-by: Steffen Klassert
(cherry picked from commit 5e2424708da7207087934c5c75211e8584d553a0)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_user.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 2b9f760..5e2988b 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -2884,6 +2884,7 @@ static int xfrm_send_migrate(const struct xfrm_selector *sel, u8 dir, u8 type, [XFRMA_SET_MARK] = { .type = NLA_U32 }, [XFRMA_SET_MARK_MASK] = { .type = NLA_U32 }, [XFRMA_IF_ID] = { .type = NLA_U32 }, + [XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }, }; EXPORT_SYMBOL_GPL(xfrma_policy);
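Review bot: the added `[XFRMA_MTIMER_THRESH] = { .type = NLA_U32 }` entry fixes this one attribute, but nothing at the xfrma_policy table documents that an attribute left out of it can be passed with an empty payload, which is how the commit message says the 4-byte read arose. A comment above the array, or a check that every attribute described in compat_policy (net/xfrm/xfrm_compat.c) also has an entry here, would catch the next omission. For the backport, please confirm that 4e484b3e969b, named in the Fixes: tag, is present in the target tree.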
From: Tony Duan
Subject: [SRU][J:linux-bluefield][PATCH v2 6/6] net: xfrm: Fix xfrm_address_filter OOB read
Date: Fri, 5 Jan 2024 05:27:20 -0600
Message-ID: <1704454040-11017-7-git-send-email-yifeid@nvidia.com>
In-Reply-To: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
References: <1704454040-11017-1-git-send-email-yifeid@nvidia.com>
Cc: vlad@nvidia.com, dann.frazier@canonical.com, bodong@nvidia.com
From: Lin Ma

BugLink: https://bugs.launchpad.net/bugs/2044427

We found below OOB crash:

[ 44.211730] ==================================================================
[ 44.212045] BUG: KASAN: slab-out-of-bounds in memcmp+0x8b/0xb0
[ 44.212045] Read of size 8 at addr ffff88800870f320 by task poc.xfrm/97
[ 44.212045]
[ 44.212045] CPU: 0 PID: 97 Comm: poc.xfrm Not tainted 6.4.0-rc7-00072-gdad9774deaf1-dirty #4
[ 44.212045] Call Trace:
[ 44.212045]
[ 44.212045] dump_stack_lvl+0x37/0x50
[ 44.212045] print_report+0xcc/0x620
[ 44.212045] ? __virt_addr_valid+0xf3/0x170
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_report+0xb2/0xe0
[ 44.212045] ? memcmp+0x8b/0xb0
[ 44.212045] kasan_check_range+0x39/0x1c0
[ 44.212045] memcmp+0x8b/0xb0
[ 44.212045] xfrm_state_walk+0x21c/0x420
[ 44.212045] ? __pfx_dump_one_state+0x10/0x10
[ 44.212045] xfrm_dump_sa+0x1e2/0x290
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __kernel_text_address+0xd/0x40
[ 44.212045] ? kasan_unpoison+0x27/0x60
[ 44.212045] ? mutex_lock+0x60/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] ? __pfx_netlink_dump+0x10/0x10
[ 44.212045] ? mutex_unlock+0x7f/0xd0
[ 44.212045] ? __pfx_mutex_unlock+0x10/0x10
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa+0x10/0x10
[ 44.212045] ? __pfx_xfrm_dump_sa_done+0x10/0x10
[ 44.212045] ? __stack_depot_save+0x382/0x4e0
[ 44.212045] ? filter_irq_stacks+0x1c/0x70
[ 44.212045] ? kasan_save_stack+0x32/0x50
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? __kasan_slab_alloc+0x59/0x70
[ 44.212045] ? kmem_cache_alloc_node+0xf7/0x260
[ 44.212045] ? kmalloc_reserve+0xab/0x120
[ 44.212045] ? __alloc_skb+0xcf/0x210
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? netlink_sendmsg+0x509/0x700
[ 44.212045] ? sock_sendmsg+0xde/0xe0
[ 44.212045] ? __sys_sendto+0x18d/0x230
[ 44.212045] ? __x64_sys_sendto+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? kasan_save_stack+0x22/0x50
[ 44.212045] ? kasan_set_track+0x25/0x30
[ 44.212045] ? kasan_save_free_info+0x2e/0x50
[ 44.212045] ? __kasan_slab_free+0x10a/0x190
[ 44.212045] ? kmem_cache_free+0x9c/0x340
[ 44.212045] ? netlink_recvmsg+0x23c/0x660
[ 44.212045] ? sock_recvmsg+0xeb/0xf0
[ 44.212045] ? __sys_recvfrom+0x13c/0x1f0
[ 44.212045] ? __x64_sys_recvfrom+0x71/0x90
[ 44.212045] ? do_syscall_64+0x3f/0x90
[ 44.212045] ? entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] ? copyout+0x3e/0x50
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] ? __pfx_xfrm_user_rcv_msg+0x10/0x10
[ 44.212045] ? __pfx_netlink_rcv_skb+0x10/0x10
[ 44.212045] ? __pfx_sock_has_perm+0x10/0x10
[ 44.212045] ? mutex_lock+0x8d/0xe0
[ 44.212045] ? __pfx_mutex_lock+0x10/0x10
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] ? __pfx_netlink_unicast+0x10/0x10
[ 44.212045] ? netlink_recvmsg+0x500/0x660
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] ? __pfx_netlink_sendmsg+0x10/0x10
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] ? __pfx___sys_sendto+0x10/0x10
[ 44.212045] ? rcu_core+0x44a/0xe10
[ 44.212045] ? __rseq_handle_notify_resume+0x45b/0x740
[ 44.212045] ? _raw_spin_lock_irq+0x81/0xe0
[ 44.212045] ? __pfx___rseq_handle_notify_resume+0x10/0x10
[ 44.212045] ? __pfx_restore_fpregs_from_fpstate+0x10/0x10
[ 44.212045] ? __pfx_blkcg_maybe_throttle_current+0x10/0x10
[ 44.212045] ? __pfx_task_work_run+0x10/0x10
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045] RIP: 0033:0x44b7da
[ 44.212045] RSP: 002b:00007ffdc8838548 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
[ 44.212045] RAX: ffffffffffffffda RBX: 00007ffdc8839978 RCX: 000000000044b7da
[ 44.212045] RDX: 0000000000000038 RSI: 00007ffdc8838770 RDI: 0000000000000003
[ 44.212045] RBP: 00007ffdc88385b0 R08: 00007ffdc883858c R09: 000000000000000c
[ 44.212045] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
[ 44.212045] R13: 00007ffdc8839968 R14: 00000000004c37d0 R15: 0000000000000001
[ 44.212045]
[ 44.212045]
[ 44.212045] Allocated by task 97:
[ 44.212045] kasan_save_stack+0x22/0x50
[ 44.212045] kasan_set_track+0x25/0x30
[ 44.212045] __kasan_kmalloc+0x7f/0x90
[ 44.212045] __kmalloc_node_track_caller+0x5b/0x140
[ 44.212045] kmemdup+0x21/0x50
[ 44.212045] xfrm_dump_sa+0x17d/0x290
[ 44.212045] netlink_dump+0x322/0x6c0
[ 44.212045] __netlink_dump_start+0x353/0x430
[ 44.212045] xfrm_user_rcv_msg+0x3a4/0x410
[ 44.212045] netlink_rcv_skb+0xd6/0x210
[ 44.212045] xfrm_netlink_rcv+0x44/0x50
[ 44.212045] netlink_unicast+0x36f/0x4c0
[ 44.212045] netlink_sendmsg+0x3b7/0x700
[ 44.212045] sock_sendmsg+0xde/0xe0
[ 44.212045] __sys_sendto+0x18d/0x230
[ 44.212045] __x64_sys_sendto+0x71/0x90
[ 44.212045] do_syscall_64+0x3f/0x90
[ 44.212045] entry_SYSCALL_64_after_hwframe+0x72/0xdc
[ 44.212045]
[ 44.212045] The buggy address belongs to the object at ffff88800870f300
[ 44.212045] which belongs to the cache kmalloc-64 of size 64
[ 44.212045] The buggy address is located 32 bytes inside of
[ 44.212045] allocated 36-byte region [ffff88800870f300, ffff88800870f324)
[ 44.212045]
[ 44.212045] The buggy address belongs to the physical page:
[ 44.212045] page:00000000e4de16ee refcount:1 mapcount:0 mapping:000000000 ...
[ 44.212045] flags: 0x100000000000200(slab|node=0|zone=1)
[ 44.212045] page_type: 0xffffffff()
[ 44.212045] raw: 0100000000000200 ffff888004c41640 dead000000000122 0000000000000000
[ 44.212045] raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000
[ 44.212045] page dumped because: kasan: bad access detected
[ 44.212045]
[ 44.212045] Memory state around the buggy address:
[ 44.212045] ffff88800870f200: fa fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f280: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] >ffff88800870f300: 00 00 00 00 04 fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ^
[ 44.212045] ffff88800870f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ffff88800870f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 44.212045] ==================================================================

By investigating the code, we find the root cause of this OOB is the lack of checks in xfrm_dump_sa(). The buggy code allows a malicious user to pass arbitrary value of filter->splen/dplen. Hence, with crafted xfrm states, the attacker can achieve 8 bytes heap OOB read, which causes info leak.

  if (attrs[XFRMA_ADDRESS_FILTER]) {
    filter = kmemdup(nla_data(attrs[XFRMA_ADDRESS_FILTER]),
                     sizeof(*filter), GFP_KERNEL);
    if (filter == NULL)
      return -ENOMEM;

    // NO MORE CHECKS HERE !!!
  }

This patch fixes the OOB by adding necessary boundary checks, just like the code in pfkey_dump() function.

Fixes: d3623099d350 ("ipsec: add support of limited SA dump")
Signed-off-by: Lin Ma
Signed-off-by: Steffen Klassert
(cherry picked from commit dfa73c17d55b921e1d4e154976de35317e43a93a)
Signed-off-by: Tony Duan
--- net/xfrm/xfrm_user.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 5e2988b..2b720a9 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c
@@ -1167,6 +1167,15 @@ static int xfrm_dump_sa(struct sk_buff *skb, struct netlink_callback *cb) sizeof(*filter), GFP_KERNEL); if (filter == NULL) return -ENOMEM; + + /* see addr_match(), (prefix length >> 5) << 2 + * will be used to compare xfrm_address_t + */ + if (filter->splen > (sizeof(xfrm_address_t) << 3) || + filter->dplen > (sizeof(xfrm_address_t) << 3)) { + kfree(filter); + return -EINVAL; + } } if (attrs[XFRMA_PROTO])
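Review bot: the new bound in the @@ -1167 hunk compares both splen and dplen against `sizeof(xfrm_address_t) << 3` regardless of address family, so it stops the out-of-bounds read but still accepts a prefix longer than an IPv4 address; if that is intentional, the comment should say so. The check also runs only after the filter has been duplicated, which adds a `kfree(filter)` error path; testing the two lengths on `nla_data(attrs[XFRMA_ADDRESS_FILTER])` before the copy would avoid allocating for a request that is going to be rejected.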
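The bound described in the 6/6 commit message, worked through as an added user-space model (not kernel code and not part of the patch). Every `model_*` name and the sample prefix lengths are constructed for illustration; the struct layout is chosen to match the 36-byte object in the KASAN report, and the extra word read for a partial prefix is an assumption of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the kernel types; every model_* name is hypothetical. */
typedef union {
    uint32_t a4;
    uint32_t a6[4];
} model_xfrm_address_t;                 /* 16 bytes */

struct model_address_filter {           /* 36 bytes, as in the KASAN report */
    model_xfrm_address_t saddr;
    model_xfrm_address_t daddr;
    uint16_t family;
    uint8_t  splen;                     /* source prefix length, in bits */
    uint8_t  dplen;                     /* destination prefix length, in bits */
};

#define MODEL_ADDR_BITS ((unsigned int)(sizeof(model_xfrm_address_t) << 3))

/* Bytes of one address that a prefix comparison reads: whole 32-bit words,
 * (prefixlen >> 5) << 2, plus one more word when bits are left over
 * (the extra word is this model's assumption). */
size_t model_bytes_touched(unsigned int prefixlen)
{
    size_t whole = (size_t)(prefixlen >> 5) << 2;
    return (prefixlen & 0x1f) ? whole + 4 : whole;
}

/* Offset, from the start of the filter object, one past the last byte
 * that comparing both prefixes would read. */
size_t model_read_end(const struct model_address_filter *f)
{
    size_t s = offsetof(struct model_address_filter, saddr) +
               model_bytes_touched(f->splen);
    size_t d = offsetof(struct model_address_filter, daddr) +
               model_bytes_touched(f->dplen);
    return s > d ? s : d;
}

/* The bound from the patch: neither prefix may exceed the address width. */
int model_check_filter(const struct model_address_filter *f)
{
    if ((unsigned int)f->splen > MODEL_ADDR_BITS ||
        (unsigned int)f->dplen > MODEL_ADDR_BITS)
        return -EINVAL;
    return 0;
}

/* Copy an attribute payload into a filter, rejecting short payloads and
 * out-of-range prefix lengths before the filter is ever used. */
int model_accept_filter(const uint8_t *payload, size_t len,
                        struct model_address_filter *out)
{
    if (len < sizeof(*out))
        return -EINVAL;
    memcpy(out, payload, sizeof(*out));
    return model_check_filter(out);
}

int main(void)
{
    /* Constructed sample prefix lengths: {splen, dplen}. */
    static const uint8_t samples[][2] = {
        {128, 128}, {32, 24}, {0, 160}, {255, 255}
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct model_address_filter f, parsed;
        uint8_t payload[sizeof(f)];
        size_t end;
        int rc;

        memset(&f, 0, sizeof(f));
        f.splen = samples[i][0];
        f.dplen = samples[i][1];
        memcpy(payload, &f, sizeof(f));

        end = model_read_end(&f);
        rc = model_accept_filter(payload, sizeof(payload), &parsed);
        printf("splen=%3u dplen=%3u read_end=%2zu object=%zu -> %s\n",
               (unsigned int)f.splen, (unsigned int)f.dplen, end, sizeof(f),
               rc ? "rejected" : "accepted");
    }
    return 0;
}
```

Any prefix length the check accepts keeps `model_read_end()` at or below 32, inside the two address fields; lengths it rejects are exactly those whose comparison would run past them.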