* [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
From: Su Yanjun @ 2019-03-04 3:47 UTC
To: steffen.klassert, herbert, davem, netdev, linux-kernel; +Cc: suyj.fnst

When I reviewed the xfrm_user.c code, I found a potential bug in it.

In xfrm_user_rcv_msg, if the type parameter from user space is set to XFRM_MSG_MAX, XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO, it will cause xfrm_user_rcv_msg to refer to a null entry in the xfrm_dispatch array.

Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
---
 net/xfrm/xfrm_user.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index a131f9f..d832783 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, return -EOPNOTSUPP; type = nlh->nlmsg_type; - if (type > XFRM_MSG_MAX) + if (type >= XFRM_MSG_MAX) return -EINVAL; type -= XFRM_MSG_BASE; link = &xfrm_dispatch[type]; + if (!link) + return -EOPNOTSUPP; /* All operations require privileges, even GET */ if (!netlink_net_capable(skb, CAP_NET_ADMIN))
--
2.7.4
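Review bot: both changes in this hunk are wrong and the commit message describes a bug that does not exist. XFRM_MSG_MAX is defined as (__XFRM_MSG_MAX - 1), the last valid message type, and xfrm_dispatch is sized XFRM_NR_MSGTYPES (XFRM_MSG_MAX + 1 - XFRM_MSG_BASE), so the original `if (type > XFRM_MSG_MAX)` already rejects every index past the end of the array; `if (type >= XFRM_MSG_MAX)` would instead return -EINVAL for a valid type, and the "array out of bounds" in the subject is not reachable. The added `if (!link)` after `link = &xfrm_dispatch[type];` is dead code: `link` is the address of an array element and can never be NULL, so it cannot detect an unfilled slot. If the concern is a slot with no handler, the test has to look at the slot's contents (its handler pointers), not at the pointer to the slot, and the commit message should describe that case rather than an oops. Please drop both changes as they stand.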
* Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
From: Herbert Xu @ 2019-03-05 6:49 UTC
To: Su Yanjun; +Cc: steffen.klassert, davem, netdev, linux-kernel

On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote:
> When I reviewed the xfrm_user.c code, I found a potential bug in it.
>
> In xfrm_user_rcv_msg, if the type parameter from user space is set to XFRM_MSG_MAX, XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO, it will cause xfrm_user_rcv_msg to refer to a null entry in the xfrm_dispatch array.
>
> Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
> ---
> net/xfrm/xfrm_user.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> index a131f9f..d832783 100644
> --- a/net/xfrm/xfrm_user.c
> +++ b/net/xfrm/xfrm_user.c
> @@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, > return -EOPNOTSUPP; > > type = nlh->nlmsg_type; > - if (type > XFRM_MSG_MAX) > + if (type >= XFRM_MSG_MAX) > return -EINVAL;

Your patch is wrong. Please check the definition of XFRM_MSG_MAX.

Thanks,
--
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
[parent not found: <d401c74f-43cd-7abe-a02d-7397b09b1784@cn.fujitsu.com>]
* Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
From: Steffen Klassert @ 2019-03-05 7:31 UTC
To: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Cc: Herbert Xu, davem, netdev, linux-kernel

On Tue, Mar 05, 2019 at 03:08:49PM +0800, Su Yanjun <suyj.fnst@cn.fujitsu.com> wrote:
> On 2019/3/5 14:49, Herbert Xu wrote:
>
> > On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote:
> > > When I reviewed the xfrm_user.c code, I found a potential bug in it.
> > >
> > > In xfrm_user_rcv_msg, if the type parameter from user space is set to XFRM_MSG_MAX, XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO, it will cause xfrm_user_rcv_msg to refer to a null entry in the xfrm_dispatch array.
> > >
> > > Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
> > > ---
> > > net/xfrm/xfrm_user.c | 4 +++-
> > > 1 file changed, 3 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
> > > index a131f9f..d832783 100644
> > > --- a/net/xfrm/xfrm_user.c
> > > +++ b/net/xfrm/xfrm_user.c
> > > @@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, > > > return -EOPNOTSUPP; > > > type = nlh->nlmsg_type; > > > - if (type > XFRM_MSG_MAX) > > > + if (type >= XFRM_MSG_MAX) > > > return -EINVAL;
> > Your patch is wrong. Please check the definition of XFRM_MSG_MAX.
>
> I see, thanks for your reply.
>
> type -= XFRM_MSG_BASE; > link = &xfrm_dispatch[type]; > + if (!link) > + return -EOPNOTSUPP;
>
> Here **link** may refer to a null entry for special types such as
> XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO.
> Am I missing something?

'link' is always a valid pointer into that array.
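To make Herbert's and Steffen's two points concrete, here is an added C model of the range check and dispatch-table lookup; it is not the kernel's code and not from the thread. It assumes a constructed five-entry enum with hypothetical MSG_* names that follows the real `XFRM_MSG_MAX (__XFRM_MSG_MAX - 1)` pattern, and the handler functions and their return values are constructed.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed miniature of the uapi xfrm.h pattern (hypothetical MSG_* names):
 * MSG_MAX is the LAST valid type, one below the enum terminator. */
#define MSG_BASE 0x10
enum { MSG_NEWSA = MSG_BASE, MSG_DELSA, MSG_GETSA, MSG_NEWSADINFO,
       MSG_GETSADINFO, __MSG_MAX };
#define MSG_MAX     (__MSG_MAX - 1)
#define NR_MSGTYPES (MSG_MAX + 1 - MSG_BASE)

struct xfrm_link { int (*doit)(void); };
static int do_newsa(void)      { return 1; }
static int do_delsa(void)      { return 2; }
static int do_getsa(void)      { return 3; }
static int do_getsadinfo(void) { return 5; }

/* The MSG_NEWSADINFO slot is left empty on purpose: this is what a "null
 * entry" in the dispatch table actually is. */
static const struct xfrm_link dispatch[NR_MSGTYPES] = {
	[MSG_NEWSA - MSG_BASE]      = { .doit = do_newsa },
	[MSG_DELSA - MSG_BASE]      = { .doit = do_delsa },
	[MSG_GETSA - MSG_BASE]      = { .doit = do_getsa },
	[MSG_GETSADINFO - MSG_BASE] = { .doit = do_getsadinfo },
};

/* Same shape as the checks in xfrm_user_rcv_msg; `patched` selects the `>=`
 * comparison the patch proposed instead of the original `>`. */
int rcv_msg(unsigned int type, bool patched)
{
	if (type < MSG_BASE)	/* netlink core filters these in the kernel */
		return -EINVAL;
	if (patched ? (type >= MSG_MAX) : (type > MSG_MAX))
		return -EINVAL;
	type -= MSG_BASE;
	const struct xfrm_link *link = &dispatch[type];
	/* link is the address of an in-range array slot and can never be NULL;
	 * an unfilled slot shows up as a NULL handler inside it, so test that. */
	if (!link->doit)
		return -EINVAL;
	return link->doit();
}
int main(void)
{
	printf("last valid type with '>': %d, with '>=': %d, empty slot: %d\n",
	       rcv_msg(MSG_GETSADINFO, false), rcv_msg(MSG_GETSADINFO, true),
	       rcv_msg(MSG_NEWSADINFO, false));
	return 0;
}
```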
* Re: [PATCH] net: xfrm: Fix potential oops in xfrm_user_rcv_msg and array out of bounds
From: Su Yanjun <suyj.fnst@cn.fujitsu.com> @ 2019-03-05 7:39 UTC
To: Steffen Klassert; +Cc: Herbert Xu, davem, netdev, linux-kernel

On 2019/3/5 15:31, Steffen Klassert wrote:
> On Tue, Mar 05, 2019 at 03:08:49PM +0800, Su Yanjun <suyj.fnst@cn.fujitsu.com> wrote:
>> On 2019/3/5 14:49, Herbert Xu wrote:
>>
>>> On Sun, Mar 03, 2019 at 10:47:39PM -0500, Su Yanjun wrote:
>>>> When I reviewed the xfrm_user.c code, I found a potential bug in it.
>>>>
>>>> In xfrm_user_rcv_msg, if the type parameter from user space is set to XFRM_MSG_MAX, XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO, it will cause xfrm_user_rcv_msg to refer to a null entry in the xfrm_dispatch array.
>>>>
>>>> Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
>>>> ---
>>>> net/xfrm/xfrm_user.c | 4 +++-
>>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
>>>> index a131f9f..d832783 100644
>>>> --- a/net/xfrm/xfrm_user.c
>>>> +++ b/net/xfrm/xfrm_user.c
>>>> @@ -2630,11 +2630,13 @@ static int xfrm_user_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh, >>>> return -EOPNOTSUPP; >>>> type = nlh->nlmsg_type; >>>> - if (type > XFRM_MSG_MAX) >>>> + if (type >= XFRM_MSG_MAX) >>>> return -EINVAL;
>>> Your patch is wrong. Please check the definition of XFRM_MSG_MAX.
>> I see, thanks for your reply.
>>
>> type -= XFRM_MSG_BASE; >> link = &xfrm_dispatch[type]; >> + if (!link) >> + return -EOPNOTSUPP;
>>
>> Here **link** may refer to a null entry for special types such as
>> XFRM_MSG_MAX or XFRM_MSG_NEWSADINFO or XFRM_MSG_NEWSPDINFO.
>> Am I missing something?
> 'link' is always a valid pointer into that array.

Thanks
Su