From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
CC: Steffen Klassert, Sasha Levin
Subject: [PATCH AUTOSEL for 3.18 20/25] xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
Date: Sun, 28 Jan 2018 22:29:57 +0000
Message-ID: <20180128222931.7781-20-alexander.levin@microsoft.com>
In-Reply-To: <20180128222931.7781-1-alexander.levin@microsoft.com>
From: Steffen Klassert

[ Upstream commit 732706afe1cc46ef48493b3d2b69c98f36314ae4 ]

On policies with a transport mode template, we pass the addresses from the flowi to xfrm_state_find(), assuming that the IP addresses (and address family) don't change during transformation. Unfortunately our policy template validation is not strict enough. It is possible to configure policies with a transport mode template where the address family of the template does not match the selector's address family. This led to stack-out-of-bounds reads because we compare addresses of the wrong family.

Fix this by refusing such a configuration; the address family cannot change on transport mode. We use the assumption that, on transport mode, the first template's address family must match the address family of the policy selector. Subsequent transport mode templates must match the address family of the previous template.

Signed-off-by: Steffen Klassert
Signed-off-by: Sasha Levin

--- net/xfrm/xfrm_user.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c index 72d65b9978ca..0cfea132163a 100644 --- a/net/xfrm/xfrm_user.c +++ b/net/xfrm/xfrm_user.c @@ -1349,11 +1349,14 @@ static void copy_templates(struct xfrm_policy *xp, = struct xfrm_user_tmpl *ut, =20 static int validate_tmpl(int nr, struct xfrm_user_tmpl *ut, u16 family) { + u16 prev_family; int i; =20 if (nr > XFRM_MAX_DEPTH) return -EINVAL; =20 + prev_family =3D family; + for (i =3D 0; i < nr; i++) { /* We never validated the ut->family value, so many * applications simply leave it at zero. The check was 
@@ -1365,6 +1368,12 @@ static int validate_tmpl(int nr, struct xfrm_user_tm= pl *ut, u16 family) if (!ut[i].family) ut[i].family =3D family; =20 + if ((ut[i].mode =3D=3D XFRM_MODE_TRANSPORT) && + (ut[i].family !=3D prev_family)) + return -EINVAL; + + prev_family =3D ut[i].family; + switch (ut[i].family) { case AF_INET: break; --=20 2.11.0
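Review bot: In the first hunk, the separate `+ u16 prev_family;` declaration and the later `+ prev_family = family;` assignment could be folded into one initialised declaration (`u16 prev_family = family;`), which shrinks the diff and makes it obvious at a glance that the first transport-mode template is compared against the `family` parameter, i.e. the policy selector's family per the commit message. For the 3.18 backport it is worth confirming that every caller of validate_tmpl() in this tree passes the selector's family in that parameter, since the whole check hinges on that meaning and nothing in the hunk enforces it.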
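Review bot: In the second hunk, the new mismatch check is placed correctly after `if (!ut[i].family) ut[i].family = family;`, so templates that leave family at zero (which the existing comment says many applications do) are defaulted first and are not spuriously rejected; that ordering is essential and should not be changed in later rebases. One point to raise: `+ prev_family = ut[i].family;` is updated for every template regardless of mode, so a transport template that follows a tunnel template is compared against the tunnel template's family. That matches the commit message's rule ("must match the address family of the previous template"), but the intent is not self-evident from the code, so a one-line comment above the `if ((ut[i].mode == XFRM_MODE_TRANSPORT) && ...` stating that transport mode must not change the family established by the selector or the preceding template would help future readers and reduce the chance of someone "fixing" it to only track transport-mode templates.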