From: Sasha Levin
To: "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
CC: Steffen Klassert, Sasha Levin
Subject: [PATCH AUTOSEL for 4.14 087/100] xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
Date: Sun, 28 Jan 2018 22:26:56 +0000
Message-ID: <20180128222547.7398-87-alexander.levin@microsoft.com>
References: <20180128222547.7398-1-alexander.levin@microsoft.com>
In-Reply-To: <20180128222547.7398-1-alexander.levin@microsoft.com>
From: Steffen Klassert

[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ]

On policies with a transport mode template, we pass the addresses from the flowi to xfrm_state_find(), assuming that the IP addresses (and address family) don't change during transformation.

Unfortunately our policy template validation is not strict enough. It is possible to configure policies with a transport mode template where the address family of the template does not match the selector's address family. This led to stack-out-of-bound reads because we compare addresses of the wrong family.

Fix this by refusing such a configuration; the address family cannot change on transport mode. We use the assumption that, on transport mode, the first template's address family must match the address family of the policy selector. Subsequent transport mode templates must match the address family of the previous template.

Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin
--- net/xfrm/xfrm_user.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index e44a0fed48dd..30a6dc9ad078 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1417,11 +1417,14 @@ static void copy_templates(struct xfrm_policy *xp, = struct xfrm_user_tmpl *ut, =20 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) { + u16 prev_family; int i; =20 if (nr > XFRM_MAX_DEPTH) return -EINVAL; =20 + prev_family =3D family; + for (i =3D 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was 
@@ -1433,6 +1436,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tm= pl *ut, u16 family) if (!ut[i].family) ut[i].family =3D family; =20 + if ((ut[i].mode =3D=3D XFRM_MODE_TRANSPORT) && + (ut[i].family !=3D prev_family)) + return -EINVAL; + + prev_family =3D ut[i].family; + switch (ut[i].family) { case AF_INET: break; --=20 2.11.0
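Review bot: In the first hunk (`@@ -1417,11 +1417,14 @@`), `prev_family` is declared and then seeded separately with `prev_family = family;` after the depth check; initializing it at the declaration (`u16 prev_family = family;`) would make the seed value visible where the variable is introduced and shrink the hunk. A short comment at that point saying the seed is the policy selector's family (the rule the commit message states for the first template) would also help, because `family` is already used a few lines later for the legacy zero-default of `ut[i].family` and the two uses are easy to conflate.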
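Review bot: In the second hunk (`@@ -1433,6 +1436,12 @@`), `prev_family = ut[i].family;` is updated for every template, tunnel-mode ones included, so the new test enforces "a transport template keeps the family of whatever template preceded it" rather than "the family of the selector". That matches the commit message (a tunnel template may change family, and a following transport template must then match the tunnel's family), but nothing in the code says so; a comment above the `if` naming the invariant and its reason (transport mode hands the unchanged flowi addresses to xfrm_state_find()) would document it for the next reader. Two details worth recording in that comment as well: the comparison runs after the zero-default fill two lines above, so a legacy `family == 0` template is correctly treated as "same as policy", and it runs before the `switch` that rejects unknown families, so a transport template with a bogus family is now refused by the new test with the same -EINVAL as before.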
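The rule described in the commit message, as an added user-space model that is not kernel code and not part of this patch: the function below mirrors the validation logic on constructed policy templates so that the accepted and rejected chains can be seen side by side, including the tunnel-then-transport case the commit message only states in words. The `tmpl_model` struct, the scenario functions and the `XFRM_MODE_*` / `XFRM_MAX_DEPTH` values are assumptions for this model (the constants mirror the kernel's header definitions but are defined locally here).

```c
/* Added example, not kernel code: a user-space model of the template
 * validation rule the patch adds to validate_tmpl(), run over constructed
 * policy templates. Struct and constants are simplified stand-ins. */
#include <stdio.h>
#include <stdint.h>
#include <errno.h>
#include <sys/socket.h>   /* AF_INET, AF_INET6 */

#define XFRM_MODE_TRANSPORT 0   /* assumed: mirrors include/uapi/linux/xfrm.h */
#define XFRM_MODE_TUNNEL    1
#define XFRM_MAX_DEPTH      6   /* assumed: mirrors include/net/xfrm.h */

/* Simplified stand-in for struct xfrm_user_tmpl: only the fields the rule reads. */
struct tmpl_model {
    uint16_t family;   /* AF_INET, AF_INET6, or 0 meaning "same as the policy" */
    uint8_t  mode;     /* XFRM_MODE_TRANSPORT or XFRM_MODE_TUNNEL */
};

/* Model of validate_tmpl() after the patch: returns 0 if the chain is
 * acceptable, -EINVAL if it is too deep, names an unknown family, or has a
 * transport-mode template that changes the address family. */
int validate_tmpl_model(int nr, struct tmpl_model *ut, uint16_t family)
{
    uint16_t prev_family = family;   /* first template is checked against the selector */
    int i;

    if (nr > XFRM_MAX_DEPTH)
        return -EINVAL;

    for (i = 0; i < nr; i++) {
        if (!ut[i].family)
            ut[i].family = family;   /* legacy: zero means the policy's family */

        /* Transport mode hands the unchanged flowi addresses to state lookup,
         * so its family must equal whatever the previous step produced. */
        if (ut[i].mode == XFRM_MODE_TRANSPORT && ut[i].family != prev_family)
            return -EINVAL;

        prev_family = ut[i].family;  /* tunnel mode may switch families */

        switch (ut[i].family) {
        case AF_INET:
        case AF_INET6:
            break;
        default:
            return -EINVAL;
        }
    }
    return 0;
}

/* Constructed scenarios; each returns the model's verdict for one policy. */

/* IPv4 selector, IPv6 transport template: the misconfiguration the patch rejects. */
int scenario_transport_family_mismatch(void)
{
    struct tmpl_model ut[] = { { AF_INET6, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(1, ut, AF_INET);
}

/* IPv4 selector, IPv6 tunnel template: tunnel mode is allowed to change family. */
int scenario_tunnel_family_change(void)
{
    struct tmpl_model ut[] = { { AF_INET6, XFRM_MODE_TUNNEL } };
    return validate_tmpl_model(1, ut, AF_INET);
}

/* IPv6 tunnel then IPv6 transport: the transport step matches the previous template. */
int scenario_transport_after_tunnel_ok(void)
{
    struct tmpl_model ut[] = { { AF_INET6, XFRM_MODE_TUNNEL },
                               { AF_INET6, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(2, ut, AF_INET);
}

/* IPv6 tunnel then IPv4 transport: rejected, the family changed on a transport step. */
int scenario_transport_after_tunnel_mismatch(void)
{
    struct tmpl_model ut[] = { { AF_INET6, XFRM_MODE_TUNNEL },
                               { AF_INET,  XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(2, ut, AF_INET);
}

/* Legacy zero family on a transport template defaults to the policy's family. */
int scenario_zero_family_defaults(void)
{
    struct tmpl_model ut[] = { { 0, XFRM_MODE_TRANSPORT } };
    return validate_tmpl_model(1, ut, AF_INET);
}

int main(void)
{
    printf("transport family mismatch     : %d\n", scenario_transport_family_mismatch());
    printf("tunnel family change          : %d\n", scenario_tunnel_family_change());
    printf("transport after tunnel (same) : %d\n", scenario_transport_after_tunnel_ok());
    printf("transport after tunnel (diff) : %d\n", scenario_transport_after_tunnel_mismatch());
    printf("zero family defaults          : %d\n", scenario_zero_family_defaults());
    return 0;
}
```

Build with any C compiler (for example `cc -Wall -o tmpl_model tmpl_model.c`); a verdict of 0 means the chain would be accepted and -22 (-EINVAL) means it would be refused. The model deliberately keeps the unconditional `prev_family` update so that the tunnel-then-transport behaviour matches what the patch does, rather than what a reader might expect from the subject line alone.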