From: Simon Horman <horms@kernel.org>
To: Petr Vaganov <p.vaganov@ideco.ru>
Cc: Steffen Klassert <steffen.klassert@secunet.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Stephan Mueller <smueller@chronox.de>,
Antony Antony <antony.antony@secunet.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
lvc-project@linuxtesting.org, stable@vger.kernel.org,
Boris Tonofa <b.tonofa@ideco.ru>
Subject: Re: [PATCH net] xfrm: fix one more kernel-infoleak in algo dumping
Date: Thu, 3 Oct 2024 16:52:02 +0100
Message-ID: <20241003155202.GT1310185@kernel.org>
In-Reply-To: <20241002061726.69114-1-p.vaganov@ideco.ru>
On Wed, Oct 02, 2024 at 11:17:24AM +0500, Petr Vaganov wrote:
> During fuzz testing, the following issue was discovered:
>
> BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x598/0x2a30
...
> Fixes copying of xfrm algorithms where some random
> data of the structure fields can end up in userspace.
> Padding in structures may be filled with random (possibly sensitive)
> data and should never be given directly to user-space.
>
> A similar issue was resolved in the commit
> 8222d5910dae ("xfrm: Zero padding when dumping algos and encap")
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: c7a5899eb26e ("xfrm: redact SA secret with lockdown confidentiality")
> Cc: stable@vger.kernel.org
> Co-developed-by: Boris Tonofa <b.tonofa@ideco.ru>
> Signed-off-by: Boris Tonofa <b.tonofa@ideco.ru>
> Signed-off-by: Petr Vaganov <p.vaganov@ideco.ru>
> ---
> net/xfrm/xfrm_user.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index 55f039ec3d59..97faeb3574ea 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -1098,7 +1098,9 @@ static int copy_to_user_auth(struct xfrm_algo_auth *auth, struct sk_buff *skb)
> if (!nla)
> return -EMSGSIZE;
> ap = nla_data(nla);
> - memcpy(ap, auth, sizeof(struct xfrm_algo_auth));
> + strscpy_pad(ap->alg_name, auth->alg_name, sizeof(sizeof(ap->alg_name)));
Hi Petr and Boris,
The nested sizeof doesn't look right to me.
I expect the length of the destination is simply sizeof(ap->alg_name).
And given that ap->alg_name is an array (which is why using sizeof is
correct here), I believe the two-argument variant of strscpy_pad() can be
used:
strscpy_pad(ap->alg_name, auth->alg_name);
As an aside, and not for this patch, there is a usage of strncpy() just
above this hunk which looks like it could be converted to the two-argument
variant of strscpy() or strncpy_pad() if it ought to be zero-padded.
> + ap->alg_key_len = auth->alg_key_len;
> + ap->alg_trunc_len = auth->alg_trunc_len;
> if (redact_secret && auth->alg_key_len)
> memset(ap->alg_key, 0, (auth->alg_key_len + 7) / 8);
> else
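Review bot: the length argument in the `+ strscpy_pad(ap->alg_name, auth->alg_name, sizeof(sizeof(ap->alg_name)));` line is the size of a size_t, not of the alg_name array, so the copy and the zero padding stop after that many bytes: a longer name is truncated and the rest of ap->alg_name is left as whatever was already in the netlink buffer, which is the uninitialised data this hunk removes the memcpy to avoid. Suggest `strscpy_pad(ap->alg_name, auth->alg_name, sizeof(ap->alg_name));` (or the two-argument form, since the destination is an array). The commit message could also state precisely which bytes leaked, given that the hunk only changes how alg_name, alg_key_len and alg_trunc_len are written.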
> --
> 2.46.1
>
>
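As an added illustration of the two points above (the stale bytes the whole-struct memcpy carried and the nested sizeof Simon flags), not code from the patch or the kernel: a userspace C model in which struct algo_auth is a constructed, shortened stand-in for struct xfrm_algo_auth, copy_pad() stands in for strscpy_pad(), and leak_for() (a hypothetical name) returns how many bytes of a poisoned destination each copy strategy leaves unwritten.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the kernel's struct xfrm_algo_auth (the real
 * one has a 64-byte name and a flexible key array): 16 + 4 + 4 bytes. */
struct algo_auth {
	char alg_name[16];
	unsigned int alg_key_len;
	unsigned int alg_trunc_len;
};

#define POISON 0xAA /* marks bytes the copy never wrote */
/* Userspace stand-in for strscpy_pad(): bounded copy, NUL-terminated,
 * remainder of dst zero-filled. */
static void copy_pad(char *dst, const char *src, size_t dst_size)
{
	size_t n = 0;
	while (n < dst_size - 1 && src[n] != '\0')
		n++;
	memcpy(dst, src, n);
	memset(dst + n, 0, dst_size - n);
}

/* Copies a source whose alg_name tail holds stale bytes into a poisoned
 * destination and returns how many destination bytes were never written.
 * mode 0: whole-struct memcpy (before the patch); mode 1: field copy with
 * the posted sizeof(sizeof()) length; mode 2: field copy with sizeof(). */
static size_t leak_for(int mode)
{
	struct algo_auth src, dst;
	const unsigned char *p = (const unsigned char *)&dst;
	size_t leaked = 0;
	memset(&src, POISON, sizeof(src));
	strcpy(src.alg_name, "hmac(sha256)"); /* 12 chars + NUL, 3 stale bytes */
	src.alg_key_len = 256;
	src.alg_trunc_len = 128;
	memset(&dst, POISON, sizeof(dst)); /* netlink payload is not pre-zeroed */
	if (mode == 0) {
		memcpy(&dst, &src, sizeof(dst));
	} else {
		copy_pad(dst.alg_name, src.alg_name, mode == 1 ?
			 sizeof(sizeof(dst.alg_name)) : sizeof(dst.alg_name));
		dst.alg_key_len = src.alg_key_len;
		dst.alg_trunc_len = src.alg_trunc_len;
	}
	for (size_t i = 0; i < sizeof(dst); i++)
		leaked += (p[i] == POISON);
	return leaked;
}
```

Mode 1 leaves 16 minus sizeof(size_t) bytes of the name unwritten, so the truncated length would itself reintroduce the leak; mode 2 leaves none.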