From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Ahern <dsahern@kernel.org>
Cc: <herbert@gondor.apana.org.au>, <edumazet@google.com>,
<kuba@kernel.org>, <pabeni@redhat.com>, <netdev@vger.kernel.org>,
David Ahern <dahern@nvidia.com>, Leo Lin <leo@depthfirst.com>
Subject: Re: [PATCH net] xfrm: Check for underflow in xfrm_state_mtu
Date: Sat, 16 May 2026 10:00:31 +0200 [thread overview]
Message-ID: <aggkH0ZYWgIDoJFJ@secunet.com> (raw)
In-Reply-To: <20260513164918.33145-1-dsahern@kernel.org>
On Wed, May 13, 2026 at 10:49:14AM -0600, David Ahern wrote:
> From: David Ahern <dahern@nvidia.com>
>
> Leo Lin reported OOB write issue in esp component:
>
> xfrm_state_mtu() returns u32 but performs its arithmetic in unsigned
> modulo-2^32 space using an attacker-influenced "header_len + authsize +
> net_adj" subtracted from a small "mtu" argument. A nobody user can
> install an IPv4 ESP tunnel SA with a large authentication key
> (XFRMA_ALG_AUTH_TRUNC, e.g. hmac(sha512), 64-byte key, 64-byte trunc),
> configure a small interface MTU (68 bytes), and set XFRMA_TFCPAD to a
> large value. When a single UDP datagram is then sent through the
> tunnel, xfrm_state_mtu() underflows to a near-2^32 value, and
> esp_output() consumes it as a signed int via:
>
> padto = min(x->tfcpad, xfrm_state_mtu(x, mtu_cached))
> esp.tfclen = padto - skb->len (assigned to int)
>
> esp.tfclen ends up negative (e.g. -207). It is sign-extended to size_t
> when passed to memset() inside esp_output_fill_trailer(), producing a
> ~16 EB write of zeroes at skb_tail_pointer(skb). KASAN logs it as
> "Write of size 18446744073709551537 at addr ffff888...".
>
> Check for underflow and return 1. This causes the sendmsg attempt to
> fail with ENETUNREACH.
>
> Fixes: c5c252389374 ("[XFRM]: Optimize MTU calculation")
> Reported-by: Leo Lin <leo@depthfirst.com>
> Assisted-by: Codex:26.506.31004
> Signed-off-by: David Ahern <dahern@nvidia.com>
Applied, thanks a lot David!
prev parent reply other threads:[~2026-05-16 8:00 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-13 16:49 [PATCH net] xfrm: Check for underflow in xfrm_state_mtu David Ahern
2026-05-16 8:00 ` Steffen Klassert [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aggkH0ZYWgIDoJFJ@secunet.com \
--to=steffen.klassert@secunet.com \
--cc=dahern@nvidia.com \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=herbert@gondor.apana.org.au \
--cc=kuba@kernel.org \
--cc=leo@depthfirst.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.