[PATCH AUTOSEL 4.19 04/25] xfrm: clean up xfrm protocol checks

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Cong Wang <xiyou.wangcong@gmail.com>,
	syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com,
	Steffen Klassert <steffen.klassert@secunet.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Sasha Levin <sashal@kernel.org>,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 04/25] xfrm: clean up xfrm protocol checks
Date: Thu, 16 May 2019 07:40:07 -0400	[thread overview]
Message-ID: <20190516114029.8682-4-sashal@kernel.org> (raw)
In-Reply-To: <20190516114029.8682-1-sashal@kernel.org>

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399 ]

In commit 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
I introduced a check for xfrm protocol, but according to Herbert
IPSEC_PROTO_ANY should only be used as a wildcard for lookup, so
it should be removed from validate_tmpl().

And, IPSEC_PROTO_ANY is expected to only match 3 IPSec-specific
protocols, this is why xfrm_state_flush() could still miss
IPPROTO_ROUTING, which leads that those entries are left in
net->xfrm.state_all before exit net. Fix this by replacing
IPSEC_PROTO_ANY with zero.

This patch also extracts the check from validate_tmpl() to
xfrm_id_proto_valid() and uses it in parse_ipsecrequest().
With this, no other protocols should be added into xfrm.

Fixes: 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
Reported-by: syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/xfrm.h      | 17 +++++++++++++++++
 net/ipv6/xfrm6_tunnel.c |  2 +-
 net/key/af_key.c        |  4 +++-
 net/xfrm/xfrm_state.c   |  2 +-
 net/xfrm/xfrm_user.c    | 14 +-------------
 5 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 5e3daf53b3d1e..3e966c632f3b2 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1430,6 +1430,23 @@ static inline int xfrm_state_kern(const struct xfrm_state *x)
 	return atomic_read(&x->tunnel_users);
 }
 
+static inline bool xfrm_id_proto_valid(u8 proto)
+{
+	switch (proto) {
+	case IPPROTO_AH:
+	case IPPROTO_ESP:
+	case IPPROTO_COMP:
+#if IS_ENABLED(CONFIG_IPV6)
+	case IPPROTO_ROUTING:
+	case IPPROTO_DSTOPTS:
+#endif
+		return true;
+	default:
+		return false;
+	}
+}
+
+/* IPSEC_PROTO_ANY only matches 3 IPsec protocols, 0 could match all. */
 static inline int xfrm_id_proto_match(u8 proto, u8 userproto)
 {
 	return (!userproto || proto == userproto ||
diff --git a/net/ipv6/xfrm6_tunnel.c b/net/ipv6/xfrm6_tunnel.c
index 12cb3aa990af4..d9e5f6808811a 100644
--- a/net/ipv6/xfrm6_tunnel.c
+++ b/net/ipv6/xfrm6_tunnel.c
@@ -345,7 +345,7 @@ static void __net_exit xfrm6_tunnel_net_exit(struct net *net)
 	unsigned int i;
 
 	xfrm_flush_gc();
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
+	xfrm_state_flush(net, 0, false, true);
 
 	for (i = 0; i < XFRM6_TUNNEL_SPI_BYADDR_HSIZE; i++)
 		WARN_ON_ONCE(!hlist_empty(&xfrm6_tn->spi_byaddr[i]));
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 7d4bed9550605..0b79c9aa8eb1f 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1951,8 +1951,10 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
 
 	if (rq->sadb_x_ipsecrequest_mode == 0)
 		return -EINVAL;
+	if (!xfrm_id_proto_valid(rq->sadb_x_ipsecrequest_proto))
+		return -EINVAL;
 
-	t->id.proto = rq->sadb_x_ipsecrequest_proto; /* XXX check proto */
+	t->id.proto = rq->sadb_x_ipsecrequest_proto;
 	if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
 		return -EINVAL;
 	t->mode = mode;
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 3f729cd512aff..11e09eb138d60 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -2386,7 +2386,7 @@ void xfrm_state_fini(struct net *net)
 
 	flush_work(&net->xfrm.state_hash_work);
 	flush_work(&xfrm_state_gc_work);
-	xfrm_state_flush(net, IPSEC_PROTO_ANY, false, true);
+	xfrm_state_flush(net, 0, false, true);
 
 	WARN_ON(!list_empty(&net->xfrm.state_all));
 
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 060afc4ffd958..2122f89f61555 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1513,20 +1513,8 @@ static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family)
 			return -EINVAL;
 		}
 
-		switch (ut[i].id.proto) {
-		case IPPROTO_AH:
-		case IPPROTO_ESP:
-		case IPPROTO_COMP:
-#if IS_ENABLED(CONFIG_IPV6)
-		case IPPROTO_ROUTING:
-		case IPPROTO_DSTOPTS:
-#endif
-		case IPSEC_PROTO_ANY:
-			break;
-		default:
+		if (!xfrm_id_proto_valid(ut[i].id.proto))
 			return -EINVAL;
-		}
-
 	}
 
 	return 0;
-- 
2.20.1

next prev parent reply	other threads:[~2019-05-16 11:40 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-05-16 11:40 [PATCH AUTOSEL 4.19 01/25] xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 02/25] xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 03/25] vti4: ipip tunnel deregistration fixes Sasha Levin
2019-05-16 11:40 ` Sasha Levin [this message]
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 05/25] esp4: add length check for UDP encapsulation Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 06/25] xfrm: Honor original L3 slave device in xfrmi policy lookup Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 07/25] xfrm4: Fix uninitialized memory read in _decode_session4 Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 08/25] clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 09/25] power: supply: cpcap-battery: Fix division by zero Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 10/25] securityfs: fix use-after-free on symlink traversal Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 11/25] apparmorfs: " Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 12/25] PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 13/25] x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 14/25] mac80211: Fix kernel panic due to use of txq after free Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 15/25] net: ieee802154: fix missing checks for regmap_update_bits Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 16/25] KVM: arm/arm64: Ensure vcpu target is unset on reset failure Sasha Levin
2019-05-16 11:40   ` Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 17/25] power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 18/25] bpf: Fix preempt_enable_no_resched() abuse Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 19/25] qmi_wwan: new Wistron, ZTE and D-Link devices Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 20/25] iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 21/25] sched/cpufreq: Fix kobject memleak Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 22/25] x86/mm/mem_encrypt: Disable all instrumentation for early SME setup Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 23/25] ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 24/25] perf bench numa: Add define for RUSAGE_THREAD if not present Sasha Levin
2019-05-16 11:40   ` Sasha Levin
2019-05-16 11:40 ` [PATCH AUTOSEL 4.19 25/25] perf/x86/intel: Fix race in intel_pmu_disable_event() Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:5e3daf53b3d1 dfblob:3e966c632f3b dfblob:12cb3aa990af
dfblob:d9e5f6808811 dfblob:7d4bed955060 dfblob:0b79c9aa8eb1
dfblob:3f729cd512af dfblob:11e09eb138d6 dfblob:060afc4ffd95
dfblob:2122f89f6155 )
 OR (
bs:"[PATCH AUTOSEL 4.19 04/25] xfrm: clean up xfrm protocol checks" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190516114029.8682-4-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=herbert@gondor.apana.org.au \
    --cc=linux-kernel@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=steffen.klassert@secunet.com \
    --cc=syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com \
    --cc=xiyou.wangcong@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.