[PATCH 4/8] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Steffen Klassert <steffen.klassert@secunet.com>
To: David Miller <davem@davemloft.net>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	Steffen Klassert <steffen.klassert@secunet.com>,
	<netdev@vger.kernel.org>
Subject: [PATCH 4/8] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
Date: Fri, 27 Mar 2020 09:10:03 +0100	[thread overview]
Message-ID: <20200327081007.1185-5-steffen.klassert@secunet.com> (raw)
In-Reply-To: <20200327081007.1185-1-steffen.klassert@secunet.com>

From: Xin Long <lucien.xin@gmail.com>

Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:

  BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
  Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

  Call Trace:
   dump_stack+0xe8/0x16e
   print_address_description.cold.3+0x9/0x23b
   kasan_report.cold.4+0x64/0x95
   memcpy+0x1f/0x50
   selinux_xfrm_alloc_user+0x237/0x430
   security_xfrm_policy_alloc+0x5c/0xb0
   xfrm_policy_construct+0x2b1/0x650
   xfrm_add_acquire+0x21d/0xa10
   xfrm_user_rcv_msg+0x431/0x6f0
   netlink_rcv_skb+0x15a/0x410
   xfrm_netlink_rcv+0x6d/0x90
   netlink_unicast+0x50e/0x6a0
   netlink_sendmsg+0x8ae/0xd40
   sock_sendmsg+0x133/0x170
   ___sys_sendmsg+0x834/0x9a0
   __sys_sendmsg+0x100/0x1e0
   do_syscall_64+0xe5/0x660
   entry_SYSCALL_64_after_hwframe+0x6a/0xdf

So fix it by adding the missing verify_sec_ctx_len check there.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
 net/xfrm/xfrm_user.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 38ff02d31402..e6cfaa680ef3 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -2274,6 +2274,9 @@ static int xfrm_add_acquire(struct sk_buff *skb, struct nlmsghdr *nlh,
 	xfrm_mark_get(attrs, &mark);
 
 	err = verify_newpolicy_info(&ua->policy);
+	if (err)
+		goto free_state;
+	err = verify_sec_ctx_len(attrs);
 	if (err)
 		goto free_state;
 
-- 
2.17.1

next prev parent reply	other threads:[~2020-03-27  8:10 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-03-27  8:09 pull request (net): ipsec 2020-03-27 Steffen Klassert
2020-03-27  8:10 ` [PATCH 1/8] xfrm: handle NETDEV_UNREGISTER for xfrm device Steffen Klassert
2020-03-27  8:10 ` [PATCH 2/8] vti[6]: fix packet tx through bpf_redirect() in XinY cases Steffen Klassert
2020-03-27  8:10 ` [PATCH 3/8] xfrm: fix uctx len check in verify_sec_ctx_len Steffen Klassert
2020-03-27  8:10 ` Steffen Klassert [this message]
2020-03-27  8:10 ` [PATCH 5/8] ipv6: xfrm6_tunnel.c: Use built-in RCU list checking Steffen Klassert
2020-03-27  8:10 ` [PATCH 6/8] esp: remove the skb from the chain when it's enqueued in cryptd_wq Steffen Klassert
2020-03-27  8:10 ` [PATCH 7/8] vti6: Fix memory leak of skb if input policy check fails Steffen Klassert
2020-03-27  8:10 ` [PATCH 8/8] xfrm: policy: Fix doulbe free in xfrm_policy_timer Steffen Klassert
2020-03-27 21:57 ` pull request (net): ipsec 2020-03-27 David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:38ff02d3140 dfblob:e6cfaa680ef )
 OR (
bs:"[PATCH 4/8] xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200327081007.1185-5-steffen.klassert@secunet.com \
    --to=steffen.klassert@secunet.com \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).