From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Herbert Xu <herbert@gondor.apana.org.au>,
Steffen Klassert <steffen.klassert@secunet.com>
Subject: [PATCH 4.9 21/23] ipsec: Fix aborted xfrm policy dump crash
Date: Tue, 31 Oct 2017 10:55:45 +0100 [thread overview]
Message-ID: <20171031095518.362732760@linuxfoundation.org> (raw)
In-Reply-To: <20171031095517.400573240@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 1137b5e2529a8f5ca8ee709288ecba3e68044df2 upstream.
An independent security researcher, Mohamed Ghannam, has reported
this vulnerability to Beyond Security's SecuriTeam Secure Disclosure
program.
The xfrm_dump_policy_done function expects xfrm_dump_policy to
have been called at least once or it will crash. This can be
triggered if a dump fails because the target socket's receive
buffer is full.
This patch fixes it by using the cb->start mechanism to ensure that
the initialisation is always done regardless of the buffer situation.
Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_user.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1656,32 +1656,34 @@ static int dump_one_policy(struct xfrm_p
static int xfrm_dump_policy_done(struct netlink_callback *cb)
{
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
struct net *net = sock_net(cb->skb->sk);
xfrm_policy_walk_done(walk, net);
return 0;
}
+static int xfrm_dump_policy_start(struct netlink_callback *cb)
+{
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
+
+ BUILD_BUG_ON(sizeof(*walk) > sizeof(cb->args));
+
+ xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
+ return 0;
+}
+
static int xfrm_dump_policy(struct sk_buff *skb, struct netlink_callback *cb)
{
struct net *net = sock_net(skb->sk);
- struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *) &cb->args[1];
+ struct xfrm_policy_walk *walk = (struct xfrm_policy_walk *)cb->args;
struct xfrm_dump_info info;
- BUILD_BUG_ON(sizeof(struct xfrm_policy_walk) >
- sizeof(cb->args) - sizeof(cb->args[0]));
-
info.in_skb = cb->skb;
info.out_skb = skb;
info.nlmsg_seq = cb->nlh->nlmsg_seq;
info.nlmsg_flags = NLM_F_MULTI;
- if (!cb->args[0]) {
- cb->args[0] = 1;
- xfrm_policy_walk_init(walk, XFRM_POLICY_TYPE_ANY);
- }
-
(void) xfrm_policy_walk(net, walk, dump_one_policy, &info);
return skb->len;
@@ -2415,6 +2417,7 @@ static const struct nla_policy xfrma_spd
static const struct xfrm_link {
int (*doit)(struct sk_buff *, struct nlmsghdr *, struct nlattr **);
+ int (*start)(struct netlink_callback *);
int (*dump)(struct sk_buff *, struct netlink_callback *);
int (*done)(struct netlink_callback *);
const struct nla_policy *nla_pol;
@@ -2428,6 +2431,7 @@ static const struct xfrm_link {
[XFRM_MSG_NEWPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_add_policy },
[XFRM_MSG_DELPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy },
[XFRM_MSG_GETPOLICY - XFRM_MSG_BASE] = { .doit = xfrm_get_policy,
+ .start = xfrm_dump_policy_start,
.dump = xfrm_dump_policy,
.done = xfrm_dump_policy_done },
[XFRM_MSG_ALLOCSPI - XFRM_MSG_BASE] = { .doit = xfrm_alloc_userspi },
@@ -2479,6 +2483,7 @@ static int xfrm_user_rcv_msg(struct sk_b
{
struct netlink_dump_control c = {
+ .start = link->start,
.dump = link->dump,
.done = link->done,
};
next prev parent reply other threads:[~2017-10-31 9:57 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-31 9:55 [PATCH 4.9 00/23] 4.9.60-stable review Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 01/23] workqueue: replace pool->manager_arb mutex with a flag Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 02/23] ALSA: hda/realtek - Add support for ALC236/ALC3204 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 03/23] ALSA: hda - fix headset mic problem for Dell machines with alc236 Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 04/23] ceph: unlock dangling spinlock in try_flush_caps() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 05/23] usb: xhci: Handle error condition in xhci_stop_device() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 06/23] KVM: PPC: Fix oops when checking KVM_CAP_PPC_HTM Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 07/23] spi: uapi: spidev: add missing ioctl header Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 08/23] spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 09/23] fuse: fix READDIRPLUS skipping an entry Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 10/23] xen/gntdev: avoid out of bounds access in case of partial gntdev_mmap() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 11/23] Input: elan_i2c - add ELAN0611 to the ACPI table Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 12/23] Input: gtco - fix potential out-of-bound access Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 13/23] assoc_array: Fix a buggy node-splitting case Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 14/23] scsi: zfcp: fix erp_action use-before-initialize in REC action trace Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 15/23] scsi: sg: Re-fix off by one in sg_fill_request_table() Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 16/23] drm/amd/powerplay: fix uninitialized variable Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 17/23] can: sun4i: fix loopback mode Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 18/23] can: kvaser_usb: Correct return value in printout Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 19/23] can: kvaser_usb: Ignore CMD_FLUSH_QUEUE_REPLY messages Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 20/23] cfg80211: fix connect/disconnect edge cases Greg Kroah-Hartman
2017-10-31 9:55 ` Greg Kroah-Hartman [this message]
2017-10-31 9:55 ` [PATCH 4.9 22/23] regulator: fan53555: fix I2C device ids Greg Kroah-Hartman
2017-10-31 9:55 ` [PATCH 4.9 23/23] ecryptfs: fix dereference of NULL user_key_payload Greg Kroah-Hartman
[not found] ` <59f8951e.87d8500a.cbc53.9419@mx.google.com>
2017-10-31 16:52 ` [PATCH 4.9 00/23] 4.9.60-stable review Greg Kroah-Hartman
2017-10-31 17:01 ` Mark Brown
2017-10-31 17:19 ` Guenter Roeck
2017-10-31 20:08 ` Shuah Khan
2017-10-31 20:59 ` Tom Gall
2017-10-31 20:59 ` Tom Gall
2017-11-01 15:21 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171031095518.362732760@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steffen.klassert@secunet.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.