Patch "Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.""" has been added to the 4.14-stable tree

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* Patch "Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.""" has been added to the 4.14-stable tree
@ 2018-01-13  9:52 gregkh
  0 siblings, 0 replies; only message in thread
From: gregkh @ 2018-01-13  9:52 UTC (permalink / raw)
  To: davem, gregkh; +Cc: stable, stable-commits


This is a note to let you know that I've just added the patch titled

    Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.""

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     revert-revert-xfrm-fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Sat Jan 13 10:51:05 CET 2018
From: "David S. Miller" <davem@davemloft.net>
Date: Fri, 12 Jan 2018 16:09:58 -0500
Subject: Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.""

From: "David S. Miller" <davem@davemloft.net>


This reverts commit 94802151894d482e82c324edf2c658f8e6b96508.

It breaks transport mode when the policy template has
wildcard addresses configured.

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xfrm/xfrm_policy.c |   29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1362,36 +1362,29 @@ xfrm_tmpl_resolve_one(struct xfrm_policy
 	struct net *net = xp_net(policy);
 	int nx;
 	int i, error;
-	xfrm_address_t *daddr = xfrm_flowi_daddr(fl, family);
-	xfrm_address_t *saddr = xfrm_flowi_saddr(fl, family);
 	xfrm_address_t tmp;
 
 	for (nx = 0, i = 0; i < policy->xfrm_nr; i++) {
 		struct xfrm_state *x;
-		xfrm_address_t *remote = daddr;
-		xfrm_address_t *local  = saddr;
+		xfrm_address_t *local;
+		xfrm_address_t *remote;
 		struct xfrm_tmpl *tmpl = &policy->xfrm_vec[i];
 
-		if (tmpl->mode == XFRM_MODE_TUNNEL ||
-		    tmpl->mode == XFRM_MODE_BEET) {
-			remote = &tmpl->id.daddr;
-			local = &tmpl->saddr;
-			if (xfrm_addr_any(local, tmpl->encap_family)) {
-				error = xfrm_get_saddr(net, fl->flowi_oif,
-						       &tmp, remote,
-						       tmpl->encap_family, 0);
-				if (error)
-					goto fail;
-				local = &tmp;
-			}
+		remote = &tmpl->id.daddr;
+		local = &tmpl->saddr;
+		if (xfrm_addr_any(local, tmpl->encap_family)) {
+			error = xfrm_get_saddr(net, fl->flowi_oif,
+					       &tmp, remote,
+					       tmpl->encap_family, 0);
+			if (error)
+				goto fail;
+			local = &tmp;
 		}
 
 		x = xfrm_state_find(remote, local, fl, tmpl, policy, &error, family);
 
 		if (x && x->km.state == XFRM_STATE_VALID) {
 			xfrm[nx++] = x;
-			daddr = remote;
-			saddr = local;
 			continue;
 		}
 		if (x) {


Patches currently in stable-queue which might be from davem@davemloft.net are

queue-4.14/net-fec-defer-probe-if-regulator-is-not-ready.patch
queue-4.14/sfp-fix-sfp-bus-oops-when-removing-socket-upstream.patch
queue-4.14/8021q-fix-a-memory-leak-for-vlan-0-device.patch
queue-4.14/net-fec-free-restore-resource-in-related-probe-error-pathes.patch
queue-4.14/revert-revert-xfrm-fix-stack-out-of-bounds-read-in-xfrm_state_find.patch
queue-4.14/ip6_tunnel-disable-dst-caching-if-tunnel-is-dual-stack.patch
queue-4.14/rds-null-pointer-dereference-in-rds_atomic_free_op.patch
queue-4.14/phylink-ensure-we-report-link-down-when-los-asserted.patch
queue-4.14/ethtool-do-not-print-warning-for-applications-using-legacy-api.patch
queue-4.14/sctp-do-not-retransmit-upon-fragneeded-if-pmtu-discovery-is-disabled.patch
queue-4.14/rds-heap-oob-write-in-rds_message_alloc_sgs.patch
queue-4.14/mlxsw-spectrum_router-fix-null-pointer-deref.patch
queue-4.14/sctp-fix-the-handling-of-icmp-frag-needed-for-too-small-mtus.patch
queue-4.14/sh_eth-fix-sh7757-gether-initialization.patch
queue-4.14/net-stmmac-enable-eee-in-mii-gmii-or-rgmii-only.patch
queue-4.14/net-core-fix-module-type-in-sock_diag_bind.patch
queue-4.14/mlxsw-spectrum-relax-sanity-checks-during-enslavement.patch
queue-4.14/net-fec-restore-dev_id-in-the-cases-of-probe-error.patch
queue-4.14/sh_eth-fix-tsu-resource-handling.patch
queue-4.14/ipv6-sr-fix-tlvs-not-being-copied-using-setsockopt.patch
queue-4.14/net-sched-fix-update-of-lastuse-in-act-modules-implementing-stats_update.patch
queue-4.14/ipv6-fix-possible-mem-leaks-in-ipv6_make_skb.patch

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-01-13  9:52 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-01-13  9:52 Patch "Revert "Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find.""" has been added to the 4.14-stable tree gregkh

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).