[PATCH 5.10 62/79] ipv6: sr: fix out-of-bounds read when setting HMAC data.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Lucas Leong <wmliang.tw@gmail.com>,
	David Lebrun <dlebrun@google.com>,
	"David S. Miller" <davem@davemloft.net>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 62/79] ipv6: sr: fix out-of-bounds read when setting HMAC data.
Date: Tue, 13 Sep 2022 16:05:07 +0200	[thread overview]
Message-ID: <20220913140353.206087559@linuxfoundation.org> (raw)
In-Reply-To: <20220913140350.291927556@linuxfoundation.org>

From: David Lebrun <dlebrun@google.com>

[ Upstream commit 84a53580c5d2138c7361c7c3eea5b31827e63b35 ]

The SRv6 layer allows defining HMAC data that can later be used to sign IPv6
Segment Routing Headers. This configuration is realised via netlink through
four attributes: SEG6_ATTR_HMACKEYID, SEG6_ATTR_SECRET, SEG6_ATTR_SECRETLEN and
SEG6_ATTR_ALGID. Because the SECRETLEN attribute is decoupled from the actual
length of the SECRET attribute, it is possible to provide invalid combinations
(e.g., secret = "", secretlen = 64). This case is not checked in the code and
with an appropriately crafted netlink message, an out-of-bounds read of up
to 64 bytes (max secret length) can occur past the skb end pointer and into
skb_shared_info:

Breakpoint 1, seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
208		memcpy(hinfo->secret, secret, slen);
(gdb) bt
 #0  seg6_genl_sethmac (skb=<optimized out>, info=<optimized out>) at net/ipv6/seg6.c:208
 #1  0xffffffff81e012e9 in genl_family_rcv_msg_doit (skb=skb@entry=0xffff88800b1f9f00, nlh=nlh@entry=0xffff88800b1b7600,
    extack=extack@entry=0xffffc90000ba7af0, ops=ops@entry=0xffffc90000ba7a80, hdrlen=4, net=0xffffffff84237580 <init_net>, family=<optimized out>,
    family=<optimized out>) at net/netlink/genetlink.c:731
 #2  0xffffffff81e01435 in genl_family_rcv_msg (extack=0xffffc90000ba7af0, nlh=0xffff88800b1b7600, skb=0xffff88800b1f9f00,
    family=0xffffffff82fef6c0 <seg6_genl_family>) at net/netlink/genetlink.c:775
 #3  genl_rcv_msg (skb=0xffff88800b1f9f00, nlh=0xffff88800b1b7600, extack=0xffffc90000ba7af0) at net/netlink/genetlink.c:792
 #4  0xffffffff81dfffc3 in netlink_rcv_skb (skb=skb@entry=0xffff88800b1f9f00, cb=cb@entry=0xffffffff81e01350 <genl_rcv_msg>)
    at net/netlink/af_netlink.c:2501
 #5  0xffffffff81e00919 in genl_rcv (skb=0xffff88800b1f9f00) at net/netlink/genetlink.c:803
 #6  0xffffffff81dff6ae in netlink_unicast_kernel (ssk=0xffff888010eec800, skb=0xffff88800b1f9f00, sk=0xffff888004aed000)
    at net/netlink/af_netlink.c:1319
 #7  netlink_unicast (ssk=ssk@entry=0xffff888010eec800, skb=skb@entry=0xffff88800b1f9f00, portid=portid@entry=0, nonblock=<optimized out>)
    at net/netlink/af_netlink.c:1345
 #8  0xffffffff81dff9a4 in netlink_sendmsg (sock=<optimized out>, msg=0xffffc90000ba7e48, len=<optimized out>) at net/netlink/af_netlink.c:1921
...
(gdb) p/x ((struct sk_buff *)0xffff88800b1f9f00)->head + ((struct sk_buff *)0xffff88800b1f9f00)->end
$1 = 0xffff88800b1b76c0
(gdb) p/x secret
$2 = 0xffff88800b1b76c0
(gdb) p slen
$3 = 64 '@'

The OOB data can then be read back from userspace by dumping HMAC state. This
commit fixes this by ensuring SECRETLEN cannot exceed the actual length of
SECRET.

Reported-by: Lucas Leong <wmliang.tw@gmail.com>
Tested: verified that EINVAL is correctly returned when secretlen > len(secret)
Fixes: 4f4853dc1c9c1 ("ipv6: sr: implement API to control SR HMAC structure")
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/seg6.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/ipv6/seg6.c b/net/ipv6/seg6.c
index d2f8138e5a73a..2278c0234c497 100644
--- a/net/ipv6/seg6.c
+++ b/net/ipv6/seg6.c
@@ -135,6 +135,11 @@ static int seg6_genl_sethmac(struct sk_buff *skb, struct genl_info *info)
 		goto out_unlock;
 	}
 
+	if (slen > nla_len(info->attrs[SEG6_ATTR_SECRET])) {
+		err = -EINVAL;
+		goto out_unlock;
+	}
+
 	if (hinfo) {
 		err = seg6_hmac_info_del(net, hmackeyid);
 		if (err)
-- 
2.35.1

next prev parent reply	other threads:[~2022-09-13 15:45 UTC|newest]

Thread overview: 89+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2022-09-13 14:04 [PATCH 5.10 00/79] 5.10.143-rc1 review Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 01/79] NFSD: Fix verifier returned in stable WRITEs Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 02/79] xen-blkfront: Cache feature_persistent value before advertisement Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 03/79] tty: n_gsm: initialize more members at gsm_alloc_mux() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 04/79] tty: n_gsm: avoid call of sleeping functions from atomic context Greg Kroah-Hartman
2022-09-14 12:38   ` Pavel Machek
2022-09-13 14:04 ` [PATCH 5.10 05/79] efi: libstub: Disable struct randomization Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 06/79] efi: capsule-loader: Fix use-after-free in efi_capsule_write Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 07/79] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 08/79] net: mvpp2: debugfs: fix memory leak when using debugfs_lookup() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 09/79] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 10/79] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 11/79] scsi: qla2xxx: Disable ATIO interrupt coalesce for quad port ISP27XX Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 12/79] scsi: megaraid_sas: Fix double kfree() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 13/79] drm/gem: Fix GEM handle release errors Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 14/79] drm/amdgpu: Move psp_xgmi_terminate call from amdgpu_xgmi_remove_device to psp_hw_fini Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 15/79] drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 16/79] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 17/79] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 18/79] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 19/79] arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 20/79] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 21/79] net/core/skbuff: Check the return value of skb_copy_bits() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 22/79] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 23/79] drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 24/79] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 25/79] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 26/79] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 27/79] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 28/79] debugfs: add debugfs_lookup_and_remove() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 29/79] nvmet: fix a use-after-free Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 30/79] drm/i915: Implement WaEdpLinkRateDataReload Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 31/79] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 32/79] scsi: lpfc: Add missing destroy_workqueue() in error path Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 33/79] cgroup: Elide write-locking threadgroup_rwsem when updating csses on an empty subtree Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 34/79] cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 35/79] cifs: remove useless parameter is_fsctl from SMB2_ioctl() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 36/79] smb3: missing inode locks in punch hole Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 37/79] ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 38/79] regulator: core: Clean up on enable failure Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 39/79] tee: fix compiler warning in tee_shm_register() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 40/79] RDMA/cma: Fix arguments order in net device validation Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 41/79] soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 42/79] RDMA/hns: Fix supported page size Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 43/79] RDMA/hns: Fix wrong fixed value of qp->rq.wqe_shift Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 44/79] ARM: dts: at91: sama5d27_wlsom1: specify proper regulator output ranges Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 45/79] ARM: dts: at91: sama5d2_icp: " Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 46/79] ARM: dts: at91: sama5d27_wlsom1: dont keep ldo2 enabled all the time Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 47/79] ARM: dts: at91: sama5d2_icp: dont keep vdd_other " Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 48/79] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 49/79] netfilter: nf_tables: clean up hook list when offload flags check fails Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 50/79] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 51/79] ALSA: usb-audio: Inform the delayed registration more properly Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 52/79] ALSA: usb-audio: Register card again for iface over delayed_register option Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 53/79] rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2() Greg Kroah-Hartman
2022-09-13 14:04 ` [PATCH 5.10 54/79] afs: Use the operation issue time instead of the reply time for callbacks Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 55/79] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 56/79] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 57/79] ice: use bitmap_free instead of devm_kfree Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 58/79] i40e: Fix kernel crash during module removal Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 59/79] net: fec: Use a spinlock to guard `fep->ptp_clk_on` Greg Kroah-Hartman
2022-09-13 15:57   ` Marc Kleine-Budde
2022-09-13 14:05 ` [PATCH 5.10 60/79] xen-netback: only remove hotplug-status when the vif is actually destroyed Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 61/79] RDMA/siw: Pass a pointer to virt_to_page() Greg Kroah-Hartman
2022-09-13 14:05 ` Greg Kroah-Hartman [this message]
2022-09-13 14:05 ` [PATCH 5.10 63/79] IB/core: Fix a nested dead lock as part of ODP flow Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 64/79] RDMA/mlx5: Set local port to one when accessing counters Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 65/79] nvme-tcp: fix UAF when detecting digest errors Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 66/79] nvme-tcp: fix regression that causes sporadic requests to time out Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 67/79] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 68/79] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 69/79] ASoC: mchp-spdiftx: remove references to mchp_i2s_caps Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 70/79] ASoC: mchp-spdiftx: Fix clang -Wbitfield-constant-conversion Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 71/79] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 72/79] swiotlb: avoid potential left shift overflow Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 73/79] iommu/amd: use full 64-bit value in build_completion_wait() Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 74/79] hwmon: (mr75203) fix VM sensor allocation when "intel,vm-map" not defined Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 75/79] hwmon: (mr75203) update pvt->v_num and vm_num to the actual number of used sensors Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 76/79] hwmon: (mr75203) fix voltage equation for negative source input Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 77/79] hwmon: (mr75203) fix multi-channel voltage reading Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 78/79] hwmon: (mr75203) enable polling for all VM channels Greg Kroah-Hartman
2022-09-13 14:05 ` [PATCH 5.10 79/79] arm64: errata: add detection for AMEVCNTR01 incrementing incorrectly Greg Kroah-Hartman
2022-09-14  9:38 ` [PATCH 5.10 00/79] 5.10.143-rc1 review Sudip Mukherjee
2022-09-14  9:51 ` Pavel Machek
2022-09-14 11:04 ` Naresh Kamboju
2022-09-14 20:58 ` Florian Fainelli
2022-09-15  0:13 ` Guenter Roeck
2022-09-15  7:28 ` Rudi Heitbaum
2022-09-17  3:18 ` zhouzhixiu

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d2f8138e5a73 dfblob:2278c0234c49 )
 OR (
bs:"[PATCH 5.10 62/79] ipv6: sr: fix out-of-bounds read when setting HMAC data." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20220913140353.206087559@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=davem@davemloft.net \
    --cc=dlebrun@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sashal@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=wmliang.tw@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox