From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x227WtqgkRYEgFhtV0pLb3IK9Pvwhq66Pu1SoBq2+JzXh9DAE7iVAC8UfZMcQEkw47WP9a0nL ARC-Seal: i=1; a=rsa-sha256; t=1517256802; cv=none; d=google.com; s=arc-20160816; b=BqHmfII2qAxh+mPVkGbYOhNY2tP6zzc1AtsoQSQ56uVGcqNkDjuSl/67bybXg0uCg1 o2fFW9Drv3HtIYj4STigqbULrioX01zoCPsumIbVC+8YACc/VLJGpuWSO7u2KXCqexb/ kl0VzVCXIVVsh1+NewiTBn74Pe0LwTTdYV1vz1NG/C2HEt4jE7JkUVgenP0gDx7WsF2X JWi1dLgidWeRRaMCt8JfUIR6Uz9JQmlfaycqrzGHB0oNQZMW2nOgQVqIwlabHTEJ6+nj eL2nHB/F0csn2AAktGRiuBR2pCAiQ9FKsRQTzN3kZIDx+TKldKT7jC1/e09/RaYjWvIa VMMg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=c9k4rWGOgWHNC8iL+sgBEbNATv9poy3G+N6ikyqWk4Q=; b=Q1UWHOGtZCd3Kln/dk5RLCastJ1V3WNK0S0r3xwlk3LEb5dsl22k3MWzsCdg6/E3Hw bPdNtddDPcQd7nBgP2UQ8YtLHRs/GLlYixl0KOUsM5wBLKVHXxXIJC2p1s80DjXbxwBQ yiuAS1zKjYEZ3Gsal50XUi4WsdrI3Oqv1BM8gJO05E4YjxR1fO7z+ixM2sJpT/ps7GIR L7wZppWGJ/3W5HYsAarH2oHGUPw1FSvGO9MKdLJE3wM6/bzuwMbHsf6e7lVn5JbISeDs pKNbe/jt5MxLu4N+bFfK0vWsBJ7OwbUGC8QGN17EJiYR8grogk9SzdpNvmcKclqdaKWx yR1Q== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Eric Biggers , Steffen Klassert Subject: [PATCH 3.18 07/52] af_key: fix buffer overread in parse_exthdrs() Date: Mon, 29 Jan 2018 13:56:25 +0100 Message-Id: <20180129123628.512194202@linuxfoundation.org> X-Mailer: git-send-email 2.16.1 In-Reply-To: <20180129123628.168904217@linuxfoundation.org> References: <20180129123628.168904217@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590959068627690960?= X-GMAIL-MSGID: =?utf-8?q?1590959068627690960?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 3.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit 4e765b4972af7b07adcb1feb16e7a525ce1f6b28 upstream. If a message sent to a PF_KEY socket ended with an incomplete extension header (fewer than 4 bytes remaining), then parse_exthdrs() read past the end of the message, into uninitialized memory. Fix it by returning -EINVAL in this case. Reproducer: #include #include #include int main() { int sock = socket(PF_KEY, SOCK_RAW, PF_KEY_V2); char buf[17] = { 0 }; struct sadb_msg *msg = (void *)buf; msg->sadb_msg_version = PF_KEY_V2; msg->sadb_msg_type = SADB_DELETE; msg->sadb_msg_len = 2; write(sock, buf, 17); } Signed-off-by: Eric Biggers Signed-off-by: Steffen Klassert Signed-off-by: Greg Kroah-Hartman --- net/key/af_key.c | 3 +++ 1 file changed, 3 insertions(+) --- a/net/key/af_key.c +++ b/net/key/af_key.c @@ -516,6 +516,9 @@ static int parse_exthdrs(struct sk_buff uint16_t ext_type; int ext_len; + if (len < sizeof(*ehdr)) + return -EINVAL; + ext_len = ehdr->sadb_ext_len; ext_len *= sizeof(uint64_t); ext_type = ehdr->sadb_ext_type;