* [PATCH net v2] net: af_key: initialize alg_key_len for IPComp states
@ 2026-06-08 14:44 Zijing Yin
From: Zijing Yin @ 2026-06-08 14:44 UTC (permalink / raw)
To: Steffen Klassert, Herbert Xu
Cc: Zijing Yin, David S . Miller, Eric Dumazet, Paolo Abeni,
Ido Schimmel, Simon Horman, netdev, linux-kernel, stable
pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
allocating x->calg and copying only the algorithm name:
	x->calg = kmalloc_obj(*x->calg);
	if (!x->calg) {
		err = -ENOMEM;
		goto out;
	}
	strcpy(x->calg->alg_name, a->name);
	x->props.calgo = sa->sadb_sa_encrypt;
Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
the same function, the compression branch never initializes
calg->alg_key_len. IPComp carries no key and the allocation only
reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
is left containing uninitialized slab data.
calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
IPComp state is cloned during XFRM_MSG_MIGRATE:
  xfrm_state_migrate()
    xfrm_state_clone_and_setup()
      x->calg = xfrm_algo_clone(orig->calg);
        kmemdup(orig, xfrm_alg_len(orig));
where xfrm_alg_len() returns sizeof(*alg) + (alg_key_len + 7) / 8. With
a non-zero garbage alg_key_len, kmemdup() reads past the end of the
68-byte calg object. Adding an IPComp SA via PF_KEY and then migrating
it triggers (net-next, KASAN, init_on_alloc=0):
BUG: KASAN: slab-out-of-bounds in kmemdup_noprof+0x44/0x60
Read of size 4164 at addr ff11000025a74980 by task diag2/9287
CPU: 3 UID: 0 PID: 9287 Comm: diag2 7.1.0-rc6-g903db046d557 #1
Call Trace:
<TASK>
dump_stack_lvl+0x10e/0x1f0
print_report+0xf7/0x600
kasan_report+0xe4/0x120
kasan_check_range+0x105/0x1b0
__asan_memcpy+0x23/0x60
kmemdup_noprof+0x44/0x60
xfrm_state_migrate+0x70a/0x1da0
xfrm_migrate+0x753/0x18a0
xfrm_do_migrate+0xb47/0xf10
xfrm_user_rcv_msg+0x411/0xb50
netlink_rcv_skb+0x158/0x420
xfrm_netlink_rcv+0x71/0x90
netlink_unicast+0x584/0x850
netlink_sendmsg+0x8b0/0xdc0
____sys_sendmsg+0x9f7/0xb90
___sys_sendmsg+0x134/0x1d0
__sys_sendmsg+0x16d/0x220
do_syscall_64+0x116/0x7d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
</TASK>
Allocated by task 9287:
kasan_save_stack+0x33/0x60
kasan_save_track+0x14/0x30
__kasan_kmalloc+0xaa/0xb0
pfkey_add+0x2652/0x2ea0
pfkey_process+0x6d0/0x830
pfkey_sendmsg+0x42c/0x850
__sys_sendto+0x461/0x4b0
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x116/0x7d0
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ff11000025a74980
which belongs to the cache kmalloc-96 of size 96
The buggy address is located 0 bytes inside of
allocated 68-byte region [ff11000025a74980, ff11000025a749c4)
Depending on the uninitialized value the same field can instead request
an oversized kmemdup() allocation and make the migration clone fail.
The XFRM netlink path is not affected: verify_one_alg() rejects an
XFRMA_ALG_COMP attribute shorter than xfrm_alg_len(), so a calg added via
XFRM_MSG_NEWSA is always self-consistent.
Initialize calg->alg_key_len to 0, matching the aalg/ealg branches.
Fixes: 80c9abaabf42 ("[XFRM]: Extension for dynamic update of endpoint address(es)")
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
---
v2:
fix some typos.
Link to v1: https://lore.kernel.org/all/20260607210119.2437752-1-yzjaurora@gmail.com/
net/key/af_key.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/key/af_key.c b/net/key/af_key.c
index 9cffeef18..3216f897a 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1218,6 +1218,7 @@ static struct xfrm_state * pfkey_msg2xfrm_state(struct net *net,
goto out;
}
strcpy(x->calg->alg_name, a->name);
+ x->calg->alg_key_len = 0;
x->props.calgo = sa->sadb_sa_encrypt;
} else {
int keysize = 0;
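Review bot: the added `x->calg->alg_key_len = 0;` after strcpy() closes the reported overread and matches how the aalg/ealg branches leave the field, but it only covers this one member; if struct xfrm_algo ever grows another header field, this branch will again hand a partially initialized object to xfrm_algo_clone(). Since the commit message shows the object coming from kmalloc_obj() a few lines above this hunk, switching that allocation to its zeroing counterpart would initialize the whole struct and make the explicit assignment unnecessary. Either form is acceptable for a stable backport; the one-liner has the smaller footprint.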
--
2.43.0
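A userspace model of the length computation the commit message walks through, added here as an illustration (it is not kernel code and not part of the patch): the struct layout, the xfrm_alg_len() formula, the missing initialization in the IPComp branch, and the resulting kmemdup() overread. The garbage value 0x8000 and the algorithm name "deflate" are constructed; 0x8000 is chosen because it reproduces the 4164-byte read in the KASAN report (68 + (32768 + 7) / 8 = 4164).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the kernel's struct xfrm_algo: 64-byte name, key length
 * in bits, then a flexible key array; sizeof() is 68 on x86_64. */
struct xfrm_algo {
    char alg_name[64];
    unsigned int alg_key_len;
    char alg_key[];
};
/* Same formula as the kernel's xfrm_alg_len(): header + key rounded to bytes. */
static size_t xfrm_alg_len(const struct xfrm_algo *alg)
{
    return sizeof(*alg) + (alg->alg_key_len + 7) / 8;
}

/* Model of the IPComp branch in pfkey_msg2xfrm_state(): the object is exactly
 * sizeof(struct xfrm_algo); slab_garbage is a constructed stand-in for the
 * uninitialized slab contents, apply_fix adds the patch's assignment. */
static struct xfrm_algo *make_calg(const char *name, unsigned int slab_garbage,
                                   int apply_fix)
{
    struct xfrm_algo *calg = malloc(sizeof(*calg));
    if (!calg)
        return NULL;
    calg->alg_key_len = slab_garbage;   /* simulates uninitialized slab data */
    snprintf(calg->alg_name, sizeof(calg->alg_name), "%s", name);
    if (apply_fix)
        calg->alg_key_len = 0;
    return calg;
}

/* Model of xfrm_algo_clone() -> kmemdup(orig, xfrm_alg_len(orig)): bytes the
 * copy would read past the end of the 68-byte object. */
static size_t clone_overread(const struct xfrm_algo *orig)
{
    size_t want = xfrm_alg_len(orig);
    return want > sizeof(*orig) ? want - sizeof(*orig) : 0;
}

int main(void)
{
    /* 0x8000 garbage bits -> 68 + 4096 = 4164, the read size in the KASAN report */
    struct xfrm_algo *bad = make_calg("deflate", 0x8000, 0);
    struct xfrm_algo *good = make_calg("deflate", 0x8000, 1);
    printf("unfixed: len %zu, overread %zu\n", xfrm_alg_len(bad), clone_overread(bad));
    printf("fixed:   len %zu, overread %zu\n", xfrm_alg_len(good), clone_overread(good));
    free(bad); free(good);
    return 0;
}
```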
* Re: [PATCH net v2] net: af_key: initialize alg_key_len for IPComp states
@ 2026-06-08 16:03 ` Sabrina Dubroca
From: Sabrina Dubroca @ 2026-06-08 16:03 UTC (permalink / raw)
To: Steffen Klassert, Zijing Yin
Cc: Herbert Xu, David S . Miller, Eric Dumazet, Paolo Abeni,
Ido Schimmel, Simon Horman, netdev, linux-kernel, stable
note: fixes for IPsec should go to the "ipsec" tree, not net
2026-06-08, 07:44:41 -0700, Zijing Yin wrote:
> pfkey_msg2xfrm_state() handles the IPComp (SADB_X_SATYPE_IPCOMP) case by
> allocating x->calg and copying only the algorithm name:
>
> 	x->calg = kmalloc_obj(*x->calg);
> 	if (!x->calg) {
> 		err = -ENOMEM;
> 		goto out;
> 	}
> 	strcpy(x->calg->alg_name, a->name);
> 	x->props.calgo = sa->sadb_sa_encrypt;
>
> Unlike the authentication (x->aalg) and encryption (x->ealg) branches of
> the same function, the compression branch never initializes
> calg->alg_key_len. IPComp carries no key and the allocation only
> reserves sizeof(struct xfrm_algo) (i.e. no room for a key), so the field
> is left containing uninitialized slab data.
>
> calg->alg_key_len is later used as a length by xfrm_algo_clone() when an
> IPComp state is cloned during XFRM_MSG_MIGRATE:
The patch looks correct, but do we want to start fixing random bugs in
code that we're trying to get rid of and that nobody actually uses?
If we do, then:
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
--
Sabrina